CSC 486/586 Legal Considerations in Obtaining Electronic Evidence in Online Investigations 1 Statutory Restrictions on Obtaining Electronic Evidence Through electronic surveillance; From ISPs & other service providers; That includes material intended for publication 2 The Statutes • ECPA: Electronic Communications Privacy Act of 1986 -- dictates how LE obtains information from electronic communications providers – Title III (Wiretaps) – Stored Electronic Communications • Privacy Protection Act – – Restricts methods LE can use to obtain info intended for publication 3 Wiretap Act, 18 USC 2511 • Prohibits “interception” of “oral,” “wire,” or “electronic communications” with a “mechanical device” • “Interception” means real-time acquisition • Govt can get “T-III order” for oral or wire communications only for a very specific list of felonies - Statutory suppression for violations 4 Obtaining a Title III Wiretap Order for Electronic Evidence • ECPA applies wiretap act to electronic communications intercepted in real-time (“keystroke monitoring”) • Federal prosecutor can get court order for electronic wiretapping on any felony; no statutory suppression remedy • Order must be issued where “interception” occurs 5 Exceptions to warrant requirement • If wiretapping (and don’t have court order), committing a federal felony (5 years imprisonment) unless fall within one of 4 exceptions – – – – 6 Provider protection exception Consent exception Inadvertently obtained information Computer trespass exception Provider Protection Exception • Interception authorized to protect provider (18 U.S.C. 2511(2)(a)(i)) • Authorizes interception or disclosure “while engaged in any activity which is a necessary incident to the rendition of service or the protection of the rights or property of the provider of the service.” • Provider can give results of past monitoring to law enforcement 7 Wiretaps-Consent exception • Consent of party – Banner – Terms of service agreement • Consent of system operator -- No! • Dangerous to rely on implied consent forever – When need a T-III decided on a case-by-case basis 8 Inadvertently Obtained • ECS provider may also disclose a communication to law enforcement if communication was inadvertently obtained and appears to pertain to the commission of a crime. – 18 U.S.C. 2511(3)(b) 9 The Computer Trespasser Exception • Solution: new exception to Title III at 18 U.S.C. 2511(2)(i) (Subject to 4-year sunset provision) – “Computer trespasser” defined (18 U.S.C. 2510(21)) • Person who accesses “without authorization” • Definition continues: “and thus has no reasonable expectation of privacy…” – Excludes users who have “an existing contractual relationship” • Congress worried about violations of terms of service • There is an opportunity to gain consent from such users • Without it, possible constitutional problems 10 Limits of the New Exception • Interception under this exception requires: – – – – Consent of the owner Under color of law Relevant to an investigation Cannot acquire communications other than to/from the trespasser • May combine this authority with other exceptions, such as consent 11 Stored Communications and Transactional Records 12 Stored Electronic Communications Act • Dictates how and when LE may obtain information from Internet Service Providers, Telcos, other computing service providers – Enacted in 1986 as part of “ECPA” – Codified at 18 USC 2701 et seq – Modified (slightly) by Patriot Act 13 Government Access to Customer Communications and Records • These provisions apply only to info held on provider’s system, not to standalone PC • Content of communications vs. non-content – content • unopened e-mail vs. opened e-mail – non-content • transactional records vs. subscriber information • Basic rule: content receives more protection 14 Stored Electronic Communications Act - Overview • Covers 3 categories of information • Held by ECS or RCS -– Content – Basic subscriber information – Transactional Records (everything else) • Substantive provisions – a. When services may disclose – b. When services must disclose • Remedies 15 Remedies • Civil damages exclusively (2707, 08) • No suppression remedy for nonconstitutional violation – but decision in McVeigh (gay Navy officer with AOL account) granted suppression remedy, voided administrative action (discharge) 17 Stored Electronic Communications: Key Terms A ECS B A 18 RCS • “Electronic Communication Service Provider” • “Remote Communications Service Provider” Provisions of the Stored Electronic Communications Act • 18 USC 2701: Prohibits: – Accessing without or in excess of authorization; – A facility through which electronic communication services are provided; – And thereby obtain, alter, or prevent access to a wire or electronic communication; – While in electronic storage • Misdemeanor 19 When ECS or RCS May Disclose (2702) • If public, prohibited from voluntarily disclosing the content of stored electronic communications • Exceptions: – consent – necessary to protect property of service provider – to law enforcement if contents inadvertently obtained, pertains to the commission of a crime • If not public, not so constrained, as to any of the three classes of information 20 Requiring Disclosure of Information from ECS or RCS 2703: Three categories: • Content • Basic subscriber information • Transactional Records (everything else) 21 Stored Wire and Electronic Communications Act - Content • E-mail and voice mail in electronic storage – Which is: “Any temporary, intermediate storage of a wire or electronic communication” incidental to transmission, or intended to be a backup • Once opened, no longer protected • Protects customers and subscribers: the real party of interest 22 Obtaining Content of E-mails For ECS, if unopened and in storage for less than 180 days, search warrant (2703(a)) – Warrant operates like a subpoena – Patriot Act gave nation-wide effect to warrants • Must be issued by court having jurisdiction over the offense • No notice to customer necessary 23 Obtaining Electronic Content Not In “Electronic Storage” • What’s not in “electronic storage”? – opened e-mail – files (text, database, programs, etc.) • As to this category, statute protects only materials stored with a provider “to the public” – excludes, e.g., private corporate networks – if provider isn’t public, investigator can use a normal subpoena to compel disclosure 24 Obtaining Content (cont.) • For ECS if more than 180 days or for RCS – Warrant – Subpoena with notice • May delay notice 90 days (2705) if show -– destruction or tampering w/ evidence – intimidation of potential witnesses – otherwise seriously jeopardizing an investigation • May extend delay an additional 90-days 25 Obtaining the Contents of Voice Mail • Pre-Patriot Act: If unopened, obtainable only with a Title III order – § 2703 inapplicable by its own terms • Patriot Act included contents of voice mail into 2703(b) 26 Basic Subscriber Information • Can be obtained through subpoena • Gives you only: name, address, telephone toll billing records, telephone number, type of service provided, and length of service rendered • Patriot Act added connection records, session times, and temp assigned IP addresses • Do not subpoena “all customer records” 27 Transactional Records • Not content, not basic subscriber information • Everything in between – – – – – 28 financial information (e.g., credit card) audit trails/logs web sites visited identities of e-mail correspondents cell site data from cellular/PCS carriers Transactional Records • Obtain through – Warrant – Consent of customer – Articulable facts order (can get non-disclosure order): “specific and articulable facts showing that there are reasonable grounds to believe that [the specified records] are relevant and material to an ongoing criminal investigation.” (2703(d) order) 29 Summary: Legal Process & ECPA • Warrant – required for unopened e-mail • Court order under § 2703(d) – opened e-mail or files (with prior notice) – transactional records • Subpoena – opened e-mail or files (with prior notice) – basic subscriber info 30 Overview of 2703 processes for public ESPs 31 Subject matter Legal process Unopened (“fresh”) email <= 180 days Other email; RCS material Non-basic info. (“txn records”) Basic subscriber info Search warrant subpoena/2703(d) + notice (or S.W.) 2703(d) (or S.W.) subpoena (or 2703(d) or S.W.) Process • Can talk to ECS/RCS in advance about what you want, what they may have • May request provider for 90 days, to “take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.” 2703(f) – Only for information already in their possession, not future information 32 Cable Problems • 47 USC § 551. Protection of subscriber privacy • Restricts dissemination by cable provider of “personally identifiable information” collected by cable operator – “Personally identifiable information”? – Restriction applies to PII collected as part of providing “other services” • “Other services” include “wire or radio communications” provided using facilities of cable operator 33 Cable Problems -- Cont’d 47 USC § 551(h) Disclosure of information to governmental entity pursuant to court order • A governmental entity may obtain personally identifiable information concerning a cable subscriber pursuant to a court order only if, in the court proceeding relevant to such court order-(1) such entity offers clear and convincing evidence that the subject of the information is reasonably suspected of engaging in criminal activity and that the information sought would be material evidence in the case; and (2) the subject of the information is afforded the opportunity to appear and contest such entity's claim. 34 Patriot Act Cable Fix • Added 47 USC 551(c)(2)(D) – ECPA governs access to cable Internet service – Provisions of Sec. 551 still govern access to traditional cable services 35 The Privacy Protection Act 36 Privacy Protection Act • 42 USC 2000AA • Response to Zucher v. Stanford Daily 37 Privacy Protection Act • Protects material intended for dissemination to the public: – Work product (e.g., book in progress) • Prepared for communication and intended for dissemination to the public (included impressions, conclusions, opinions, theories) – Documentary materials (materials used to produce “work product”) • Defined as media which holds info used “in connection with” work product materials • Includes e.g. photo/film/tape/disk. 38 Privacy Protection Act • Must use a subpoena to obtain work product, documentary materials in the possession of a person reasonably believed to have a purpose to disseminate it. 39 Exceptions Allowing Use of Search Warrant/Seizure • Contraband or fruits or instrumentalities of a crime • Exigent circumstances • Probable cause that person possessing such material has committed or is committing a criminal offense – Except if mere possession offense • Except classified material or child pornography 40 The PPA in an Electronic Environment • Anyone with a modem can be a publisher • Problems of commingling, connections • If need to seize protected materials, obtain DAAG approval--through CCIPS • Subject to civil penalties, not suppression • Guest v. Leis -- can seize PPA materials “incidental to lawful search” • Be reasonable: The 300,000 lessons of Steve Jackson Games 41 WHERE TO GET MORE INFORMATION • CCIPS phone number: 202-514-1026 • Computer Crime Section’s page on the World Wide Web: http://www.usdoj.gov/criminal/cybercrime or http://www.cybercrime.gov 42 Questions??? Use the discussion board, as usual… 43 44