Lawful Access Issues and Challenges for

Marc J. Zwillinger
Elizabeth Banker
Zwillinger Genetski LLP
April 7, 2011




Understanding Universities' obligations
related to Law Enforcement and Civil
Demands
Developments in privacy related litigation
Lawful Access issues on the horizon for
Universities
Other issues for Universities related to
security and privacy





Federal, state and local law enforcement
issued subpoenas, court orders and warrants
National Security Requests issued under
National Security Letter authority, FISA or the
FAA
Civil subpoenas issued under DMCA
subpoena provision
Civil subpoenas issued in private litigation
Requests without legal process:
◦ Deceased students
◦ Complaints




Family Educational Rights and Privacy Act of
1974, 20 U.S.C. § 1232g; 34 CFR Part 99.
Prohibits disclosure of certain student records
without student or parental consent.
Universities may disclose educational records in
response to a subpoena or court order with prior
notice to the student or parents.
No notice is necessary if:
 Grand jury subpoena with court order to not provide notice
 Court order and told not to provide notice
 AG terrorism court order (ex parte)

Emergencies

ECPA has two primary parts:
◦ The Wiretap Act (also known as Title III) governs real-time access to the contents of electronic
communications
 Codified at 18 U.S.C. § 2510 et seq.
◦ The Stored Communications Act (“SCA”) is the
portion of ECPA that specifically governs stored
records and communications
 Codified at 18 U.S.C. § 2701 et seq.
◦ Other parts of ECPA:
 Pen Register Trap and Trace Statute, 18 U.S.C. § 3121


Governs real-time intercept of electronic and
wire communications
Federal law prohibits intercept of
communications unless an exception applies:
◦ Consent (one party)
◦ Title III Wiretap Order issued by law enforcement
◦ Protection of Rights and Property of Providers

State wiretap laws are similar, except:
◦ Twelve states require two-party/all-party consent
for a valid exception to the prohibition on intercept

Special Issues for Universities
◦ Students or School officials recording classes
◦ Email scanning for prohibited content/conduct
◦ Archiving chat, IM, or other conversations
conducted through interactive webpages

How to deal with two-party/all-party consent
requirements?
◦ Implied consent
◦ Affirmative consent

Covered entities defined in SCA are “Electronic
Communications Services” (ECS) and “Remote Computing
Services” (RCS)
◦ ECS defined as “any service which provides to users thereof the
ability to send or receive wire or electronic communications”
◦ RCS defined as “the provision to the public of computer
storage or processing services by means of an electronic
communications system”
 What does “to the public” mean?
 What public services do you offer – just broadband access, or more?


Restrictions on voluntary disclosure of information (for
ECS and RCS) turn on whether University offers services
“to the public”
Restrictions on compelled disclosures do not.

Statutory Definition / Plain Language
1) Statutory definition: “contents of a communication while in electronic storage”
   Plain language: contents of messages or emails
2) Statutory definition: “contents of a communication which is carried or maintained on that service on behalf of, and received by means of electronic transmission from a subscriber or customer of the service”
   Plain language: contents in stored files
3) Statutory definition: “a record or other information pertaining to a subscriber to or customer of such service not including contents under A or B”
   Plain language: any non-identity, non-content record kept about a subscriber
4) Statutory definition: “name, address, telephone records, session times and duration, length of service, start date, types of service utilized, telephone number or other subscriber # or identity, network address, means and source of payment”
   Plain language: basic identity information about the subscriber

Can be obtained through trial, grand jury or
administrative subpoena under § 2703(c)(2)
 name & address
 local and long distance billing records
 telephone number or other account identifier (such
as username or “screen name”)
 length & type of service provided
 Session times and duration
 Temporarily assigned network address (IP Address)
 Means and source of payment (cc# or bank acct)

Limited to specifically listed records

Scope:
◦ Not content, not basic subscriber
 § 2703(c)(1)(B)
◦ Everything in between
 identities of connections or email correspondence
 Subscriber info not specified in 2703 (c)(1)(c) (e.g., DOB,
gender, DL #, etc)
 Connection information

Obtainable with § 2703(d) court order
◦ Issued based on showing of “specific and articulable facts”
of relevance to “criminal investigation”
◦ Intermediate standard between subpoena (relevance) and
search warrant (probable cause)

Delayed Notice available under § 2705



“Electronic storage” defined as
1) temporary, intermediate storage incidental to
transmission (§2510(17)(A)); and
2) storage of such communication by an electronic
communication service for purposes of backup
protection of such communication
Beginning: DOJ view that a warrant was only required for
unopened, received email in the user’s inbox for 180 days or
less. A court order or subpoena was used for sent or read
email, or email over 180 days old
After Theofel v. Farey-Jones (9th Cir.): Read and saved
email was considered a “back up” and required a search
warrant if 180 days or less old


Sixth Circuit Court of Appeals held in U.S. v.
Warshak that the Fourth Amendment protects
email content from disclosure to law enforcement
absent a search warrant
Court found that individuals have a “reasonable
expectation of privacy” in their email content
◦ Court left open possibility that provider or employer
terms could eliminate the R.E.P.

Decisions about how to implement
◦ Restrict to district
◦ Implement nationwide


Public provider prohibited from voluntarily
disclosing any subscriber records (§ 2702)
Exceptions
◦ Consent of originator or addressee/intended recipient
◦ To an addressee or intended recipient
◦ To law enforcement if contents inadvertently obtained &
pertain to commission of a crime
◦ To person employed or authorized or whose facilities are
used to forward such communication
◦ As necessary to protect provider rights and property
◦ To NCMEC in child pornography report
◦ To government if provider in good faith believes an
emergency exists threatening death or serious physical
injury


Public provider prohibited from voluntarily
disclosing any contents of communications (§ 2702)
Exceptions
◦ Consent of originator or addressee/intended recipient
◦ To an addressee or intended recipient
◦ To person employed or authorized or whose facilities are
used to forward such communication
◦ As necessary to protect rights and property

No prohibition on disclosing records to civil litigant
(§ 2702 (c)(6))
◦ Subpoena is generally sufficient



FERPA allows disclosure of educational records when legal process is issued.
◦ If not prohibited by law, notice must be given to the student or parents
◦ When is notice forbidden? A court order prohibits notice (e.g., an order
for delayed notice under Section 2705) or statute under which the legal
process was issued prohibits notice (e.g. NSLs).
◦ When in doubt? Advise law enforcement of plan to provide notice
FERPA allows disclosure of information in response to a civil subpoena with
notice, but ECPA prohibits disclosure of email content to private litigants
◦ Disclosure could be allowed if account holder consents
FERPA & ECPA both allow disclosure of records and email content when there
is an emergency that puts the physical safety of a person at risk
◦ ECPA only allows emergency disclosures to law enforcement.
◦ Be sure to document the nature of the emergency, how the requested
information will help LE, and the requesting individual and agency.
◦ Also helpful: Emergency disclosure form, Emergency disclosure policy






Deceased Users and stored content
Freedom of Information Act requests
Complaints and requests to identify users
without legal process
Internal, on-campus investigations
State schools and status as a “governmental
entity”
National security process and non-disclosure
requirements

 ECPA Litigation
 ECPA Reform
 CALEA Updates
 Data Retention Mandates




Plaintiffs' lawyers are now suing for improper
disclosure of records based on claims that
the legal process used was illegitimate
Entities sued: Yahoo!, Myspace, Windstream,
Comcast
Theory – recipient must insist on proper
service of process to make legal process valid
– i.e., no out-of-state faxes.
Prediction – not going to be successful, but
may not be worth the risk


Initially proposed by the Digital Due Process
Coalition (DDP), which includes: CDT, Amazon,
Google, Facebook, AOL, Microsoft, AT&T,
SalesForce, Loopt, and others
Need for ECPA reform:
◦ Definitions are archaic and hard to apply to Web 2.0
◦ Different law enforcement agencies use it and have
different interpretations
◦ Different jurisdictions have different interpretations
◦ Volume makes it impossible to operate with anything
less than bright-line rules
◦ Litigation develops over areas of friction
◦ Many, many issues do not seem to be answered by
ECPA

1. Technology and platform neutrality
2. All content should be protected under the 4th
Amendment standard – regardless of how old it
is or whether it has been “opened” or not
3. Data should receive same protection whether
it is in transit or in storage
4. Recognize sensitivity of data that deserves 4th
Amendment protection

1. All content should be protected under the 4th
Amendment standard and probable cause should
be required – regardless of how old it is or
whether it has been “opened” or not
2. Location data, whether historical or prospective,
should be produced only pursuant to a Warrant
3. The standard for pen registers/trap and trace
devices should be heightened
4. Information requests made pursuant to a
subpoena should be particularized to an individual
or group of individuals, otherwise a 2703(d) Order
or greater should be required



At least 4 hearings held in 2010 before
House Judiciary Committee and at least
one in the Senate.
Hill meetings and DOJ meetings have been
occurring with increased frequency
DOJ has proposal for reform of NSL
provisions (18 USC 2709) which may get
linked to these efforts
◦ Proposal would clear up uncertainty regarding
ability of FBI to get access to electronic
communication transactional records


Communications Assistance to Law
Enforcement Act (“CALEA”) originally passed
in 1994
Mandates that covered providers build
capability to intercept communications if
presented with a wiretap order
◦ Currently covers telecommunications and
broadband


FBI “Going Dark” Initiative seeks to expand
coverage
Potential model: Section 12 of the UK’s RIPA



Lamar Smith (R), House Judiciary Chairman,
has had several bills in the past and is currently
working on a new bill
Hearing held in January 2011
Potential scope of data retention obligation:
◦ 6 months to 2 years of retention
◦ IP address assignment logs, IP log-in records,
communications transactional records, upload IP
information

EU Data Retention Directive implementation
◦ Problematic and still controversial in EU, but
provides potential model




Child pornography reporting requirements
applicable to ECS and RCS under 18 U.S.C.
§2258A.
Content complaints and Section 230
Security Breach notice requirements
Required security to protect sensitive
personal information
◦ E.g. Social Security Numbers
marc@zwillgen.com
elizabeth@zwillgen.com