ECPA Primer

Online Criminal Investigations:
The USA Patriot Act,
ECPA, and Beyond
Mark Eckenwiler
Computer Crime and Intellectual Property Section
U.S. Department of Justice
1
The Computer Crime and
Intellectual Property Section
Founded in 1991 as Computer Crime Unit
Current staff of 30 attorneys
Mission of CCIPS
– Combat computer crime and IP crimes
– Develop enforcement policy
– Train agents and prosecutors
– Promote international cooperation
– Propose and comment on federal legislation
2
Overview
The origins of ECPA (The Electronic Communications Privacy Act of 1986)
Substance of the statute
– real-time monitoring
– stored information
How USA Patriot changed (or didn’t change) things
3
Why You Might Care
About ECPA
Comprehensive privacy framework for communications providers
Regulates conduct between
– different users
– provider and customer
– government and provider
Civil and criminal penalties for violations
Note: state laws may impose additional restrictions/obligations

4
Why ECPA Matters to
Law Enforcement
As people take their lives online, crime follows; no different from the real world
Online records are often the key to investigating and prosecuting criminal activity
– “cyber” crimes (network intrusions)
– traditional crimes (threats, fraud, etc.)
ECPA says how and when government can (and cannot) obtain those records
5
Scope of the 1968 Wiretap Act

Protected two kinds of communications
– “oral” and “wire”
– criminal penalties and civil remedies
– extensive procedural rules for court orders to
conduct eavesdropping

By mid-1980s, emerging technologies
created areas of uncertainty in statute as to
– wireless telephones
– non-voice transmissions (e.g., e-mail)
6
Concerns Addressed in ECPA
(Enacted in 1986)
Added protection for “electronic” (non-voice!) communications to Title III
In addition, created a new companion chapter to regulate privacy of
– stored communications
– non-content information about subscribers (e.g., transactional information)
Also: new pen register/trap & trace statutes
– for prospective collection of telephone calling records
7
Changes 1986-2000

A variety of tweaks & technical
amendments
– cordless phones
– CALEA
8
Sweeping New Surveillance
Powers Under USA Patriot Act:
A List
9
Changes 2001 (USA Patriot)
Structure of ECPA/Title III/Pen-Trap remains the same
No major expansion of authority
Many changes simply codify existing practice or harmonize parallel provisions of statute
In the following slides, a postfixed asterisk (*) indicates USA Patriot changes to prior law

10
Substantive Provisions
of ECPA
Or,
Everything you know is wrong
11
Title III/ECPA & The Courts:
A Love Affair

“famous (if not infamous) for its lack of
clarity”
– Steve Jackson Games v. United States Secret
Service, 36 F.3d 457, 462 (5th Cir. 1994)

“fraught with trip wires”
– Forsyth v. Barr, 19 F.3d 1527, 1543 (5th Cir.
1994)

“a fog of inclusions and exclusions”
– Briggs v. American Air Filter, 630 F.2d 414,
415 (5th Cir. 1980)
12
The Major Categories
Real-time interception (content)
Real-time traffic data (non-content)
Stored data (content)
Subscriber records (non-content)

13
The Matrix
Columns: Acquisition in Real Time; Historical Information
Rows: Contents of Communications; Other Records (Subscriber and Transactional Data)
14
Interception of Communications

The default rule under § 2511(1): do not
– eavesdrop
– use or disclose intercepted contents

Applies to oral/wire/electronic comms.
15
Penalties

Criminal penalties (five-year felony)
[§ 2511(4)]
» exception for first offense, wireless comms.

Civil damages of $10,000 per violation*
plus attorney’s fees
– USA Patriot added new language specifically
imposing liability on government agents

Statutory suppression
16
Relevance to Computer Networks
Makes it illegal to install an unauthorized packet sniffer
In numerous federal prosecutions, defendants have pled guilty to Title III violations for such conduct

17
Exceptions to the
General Prohibition

Publicly accessible system [§ 2511(2)(g)(i)]
– open IRC channel/chat room
Consent of a party
System provider privileges
“Computer trespasser” monitoring*
Court-authorized intercepts

18
Consent of a Party
Parallels the Fourth Amendment exception
May be implied through
– login banner
– terms of service
Such implied consent may give an ISP authority to pass information to law enforcement and other officials
19
System Operator Privileges

Provider may monitor private real-time
communications to protect its rights or
property [§ 2511(2)(a)(i)]
– e.g., logging every keystroke typed by a
suspected intruder
– phone companies more restricted than ISPs

Under same subsection, a provider may also
“intercept” communications if inherently
necessary to providing the service
20
“Computer Trespasser”
Monitoring (USA Patriot)*

Problem to be solved: what rules allow government monitoring of a network intruder?
– consent of system owner as a party?
– “rights or property” monitoring?
– consent of the intruder via login banner?
Because none of these is entirely satisfactory, new exception added
Note: amendment sunsets on 12/31/05

21
“Computer Trespasser” Defined

New 18 U.S.C. 2510(21):
– person who accesses “without authorization”
– definition continues: “and thus has no
reasonable expectation of privacy…”

Excludes users who have “an existing
contractual relationship” with provider
– Congress worried about TOS violations as
grounds for warrantless surveillance
– there is an opportunity to gain consent from
such users
– without it, possible constitutional problems
22
Limits of the New “Computer
Trespasser” Exception

Interception under this exception has several prerequisites
– consent of the owner
– under color of law
– relevant to an official investigation, and
– cannot acquire communications other than those to/from the trespasser
23
Court-Authorized Monitoring

Requires a kind of “super-warrant”
– § 2518
Good for 30 days maximum
Necessity, minimization requirements
Only available for specified offenses
Ten-day reporting
Sealing

24
Types of Electronic
Communications Intercepts
Cloned pagers
“Keystroking”
– common in network intrusion cases
“Cloning” an e-mail account
25
The Matrix
Contents of Communications
– Acquisition in Real Time: Title III order or consent, generally
– Historical Information:
Other Records (Subscriber and Transactional Data)
– Acquisition in Real Time:
– Historical Information:
26
Real-Time Collection of
Non-Content Records
Governed by the pen register/trap and trace statute (originally enacted in 1986)
Like the Wiretap Act, begins with a general prohibition
– criminal penalties for violations
Exceptions for
– provider self-protection
– consent of customer (think “Caller ID”)
– court order
28
How Things (Didn’t) Change
As a Result of USA Patriot

Pre-USA Patriot, language was focused on telephone records
– the term “pen register” means a device which records or decodes electronic or other impulses which identify the numbers dialed or otherwise transmitted on the telephone line to which such device is attached (18 U.S.C. 3127(3))
New statute: Technology-neutral language
Amendments codify years of practice, orders routinely issued by courts

29
Pen Register/Trap and Trace

Old statute very telephone-oriented
– “numbers dialed”
– “telephone line”
Updated statute is technology neutral
– confirms that the same rules apply to, e.g., Internet communications
Retains historical (and constitutional) distinction between content & non-content
Codifies longstanding practice under prior statute (e.g., Kopp)

30
What Can A Pen/Trap Device
Collect?

Plainly included
– telephone source/destination numbers
– most e-mail header information
– source and destination IP address and port
» Kopp case (2000)

Plainly excluded:
– subject line of e-mails
– content of a downloaded file
31
The Device Formerly Known
As “Carnivore”
USA Patriot mandates additional judicial oversight
Where law enforcement uses its own device on a public provider’s computer network pursuant to a pen/trap order (3123(a)(3)), agents must file detailed report with the authorizing court
– e.g., date and time of installation and removal; information collected
32
New Penalties for
Government Misconduct

New section 2712 creates explicit civil and administrative sanctions for violations of
– wiretap statute
– ECPA (stored records)
– pen/trap statute
– FISA (Foreign Intelligence Surveillance Act)
Minimum $10,000 civil damages
Mandatory 2-level administrative review for intentional violations by federal officers

33
The Matrix
Contents of Communications
– Acquisition in Real Time: Title III order or consent, generally
– Historical Information:
Other Records (Subscriber and Transactional Data)
– Acquisition in Real Time: Pen register/trap and trace order or consent
– Historical Information:
34
Stored Communications
and Subscriber Records
18 U.S.C., Chapter 121
35
Objectives of Chapter 121

Regulate privacy of communications held
by electronic middlemen
– Congress sought to set the bar higher than subpoena in some cases
– put e-mail on a par with postal letter

Not applicable to materials in the
possession of the sender/recipient
36
Dichotomies ‘R’ Us

Permissive disclosure vs. mandatory
– “may” vs. “must”

Content of communications vs. non-content
– content
» unopened e-mail vs. opened e-mail
– non-content
» transactional records vs. subscriber information

Basic rule: content receives more protection
37
Criminal Violations

18 USC § 2701 prohibition
– Illegal to access without or in excess of
authorization
– a facility through which electronic
communication services are provided
– and thereby obtain, alter, or prevent access to a
wire or electronic communication;
– while in electronic storage

Misdemeanor, absent aggravating factors
38
Other Enforcement Mechanisms

Civil remedies
– $1,000 per violation
– attorney’s fees
– punitive damages
39
Subscriber Content
and the System Provider

Any provider may freely read stored
email/files of its customers
– Bohach v. City of Reno, 932 F. Supp. 1232 (D.
Nev. 1996) (pager messages)

A non-public provider may also freely
disclose that information
– for example, an employer
40
Public Providers and
Permissive Disclosure
General rule: a public provider (e.g., an ISP) may not freely disclose customer content to others [18 U.S.C. § 2702]
Exceptions:
– consent
– necessary to protect rights or property of service provider
– to law enforcement if contents inadvertently obtained, pertains to the commission of a crime
– imminent threat of death/serious injury*
41
Permissive Disclosure and Non-Content Subscriber Information
Rule is short and sweet
Provider may disclose non-content records to anyone except a governmental entity
New exceptions*
– to protect provider’s rights/property
– threat of death/serious bodily injury
Pre-existing exceptions
– appropriate legal process
– consent of subscriber
42
Mandatory Disclosures: Legal
Process Used by the Government

Keep in mind the same dichotomy
– content vs. non-content
All governed by § 2703
Types of process
– search warrant
– subpoena (grand jury, administrative, etc.)
43
Government Access to Private
Communications (Content)

For unopened email/voicemail < 180 days
old stored on a provider’s system,
government must obtain a search warrant
[18 U.S.C. §2703(a)]
– warrant operates like a subpoena

Congressional analogy: treat undelivered
email like postal mail (see S. Ct. cases)
44
Government Access to Private
Communications (Content)

For opened e-mail/voicemail (or other
stored files), government may send provider
a subpoena and notify subscriber [18 U.S.C.
§ 2703(b)]
– only applicable to public providers

May delay notice 90 days (§ 2705(a)) if
– destruction or tampering w/ evidence
– intimidation of potential witnesses
– otherwise seriously jeopardizing an
investigation
45
The Matrix
Contents of Communications
– Acquisition in Real Time: Title III order or consent, generally
– Historical Information: Warrant (for unopened messages) or consent; Subpoena with notice (for files, opened messages) or consent
Other Records (Subscriber and Transactional Data)
– Acquisition in Real Time: Pen register/trap and trace order or consent
– Historical Information:
46
The Two Categories of
Non-Content Information

Subscriber information
– §2703(c)(2)

Transactional records
– § 2703(c)(1)
47
Basic Subscriber Information
Can be obtained through subpoena
Provider must give government
– name & address of subscriber
– local and LD telephone toll billing records
– telephone number or other account identifier
– type of service provided
– length of service rendered
USA Patriot clarifies that this includes
– method/means of payment (e.g., credit card number)
– “temporary address” info (e.g., dynamic IP assignment records)
48
Transactional Records
Not content, not basic subscriber info
Everything in between
– audit trails/logs
– addresses of past e-mail correspondents
Obtain through
– warrant
– section 2703(d) court order
Note: prior to CALEA (10/94), a subpoena was sufficient
49
Section 2703(d) Orders

“Articulable facts” order
– “specific and articulable facts showing that there are reasonable grounds to believe that [the specified records] are relevant and material to an ongoing criminal investigation”
Not as high a standard as probable cause
But, like warrant (& unlike subpoena), requires judicial oversight & factfinding
Can get non-disclosure order with it

50
The Matrix
Contents of Communications
– Acquisition in Real Time: Title III order or consent, generally
– Historical Information: Warrant (for unopened messages) or consent; Subpoena with notice (for files, opened messages) or consent; may delay notice
Other Records (Subscriber and Transactional Data)
– Acquisition in Real Time: Pen register/trap and trace order or consent
– Historical Information: Subpoena (for basic subscriber info only); 2703(d) “specific and articulable facts” court order (for all other non-content records)
51
Summary:
Legal Process & ECPA

Warrant
– required for unopened e-mail
– can be used (but not required) for other info

Court order under § 2703(d)
– opened e-mail, unopened e-mail >180 days old,
or files (with prior notice)
– transactional records

Subpoena
– opened e-mail or files (with prior notice)
– basic subscriber info
52
§ 2703(f) Requests to Preserve
Government can ask for anything (content or non-content) to be preserved
Prospective?
Government must still satisfy the usual standards if it wants to receive the preserved data

53
Summary of Notable Changes
Pen register/trap and trace statute updated
Enhanced disclosure by providers to protect life & limb
“Computer trespasser” monitoring exception added
Scope of “basic subscriber info” clarified
Expanded liability for government misuse

54
Summary
USA PATRIOT Act is not a sweeping expansion of surveillance authority
Instead, makes narrowly tailored changes to harmonize or clarify statute
Leaves intact the existing framework of privacy statutes

55
For More Information

Computer Crime Section’s home page:
www.cybercrime.gov
– legal & policy treatises on intrusions, ECPA,
USA Patriot, computer search & seizure
– mailing list for news updates
– requests for speakers
56