ISPs and Federal Privacy Law: Everything You Need to Know About the Electronic Communications Privacy Act (ECPA)‏ Mark Eckenwiler Computer Crime and Intellectual Property Section U.S. Department of Justice

The Computer Crime and Intellectual Property Section Founded in 1991 as Computer Crime Unit Current staff of 22 attorneys Mission of CCIPS Combat computer crime and IP crimes Develop enforcement policy Train agents and prosecutors Contribute to public awareness of the issues Promote international cooperation Propose and comment on federal legislation

Founded in 1991 as Computer Crime Unit

Current staff of 22 attorneys

Mission of CCIPS

Combat computer crime and IP crimes

Develop enforcement policy

Train agents and prosecutors

Contribute to public awareness of the issues

Promote international cooperation

Propose and comment on federal legislation

Why You Might Care About ECPA Comprehensive privacy framework for communications providers Regulates conduct between different users provider and customer government and provider Civil and criminal penalties for violations Note: state laws may impose additional restrictions/obligations

Comprehensive privacy framework for communications providers

Regulates conduct between

different users

provider and customer

government and provider

Civil and criminal penalties for violations

Note: state laws may impose additional restrictions/obligations

Why ECPA Matters to Law Enforcement As people take their lives online, crime follows; no different from the real world Online records are often the key to investigating and prosecuting criminal activity “ cyber” crimes (network intrusions)‏ traditional crimes (threats, fraud, etc.)‏ ECPA says how and when government can (and cannot) obtain those records

As people take their lives online, crime follows; no different from the real world

Online records are often the key to investigating and prosecuting criminal activity

“ cyber” crimes (network intrusions)‏

traditional crimes (threats, fraud, etc.)‏

ECPA says how and when government can (and cannot) obtain those records

Substantive Provisions of ECPA Or, Everything you know is wrong

ECPA & The Courts: A Love Affair “ famous (if not infamous) for its lack of clarity” Steve Jackson Games v. United States Secret Service, 36 F.3d 457, 462 (5th Cir. 1994)‏ “ fraught with trip wires” Forsyth v. Barr , 19 F.3d 1527, 1543 (5th Cir. 1994)‏ “ a fog of inclusions and exclusions” Briggs v. American Air Filter , 630 F.2d 414, 415 (5th Cir. 1980)‏

“ famous (if not infamous) for its lack of clarity”

Steve Jackson Games v. United States Secret Service, 36 F.3d 457, 462 (5th Cir. 1994)‏

“ fraught with trip wires”

Forsyth v. Barr , 19 F.3d 1527, 1543 (5th Cir. 1994)‏

“ a fog of inclusions and exclusions”

Briggs v. American Air Filter , 630 F.2d 414, 415 (5th Cir. 1980)‏

The Matrix

Real-Time Acquisition of Communications (Interception)‏ The default rule under § 2511(1): do not eavesdrop on others’ communications use or disclose illegally intercepted contents Applies to oral/wire/electronic comms. Violations may lead to criminal penalties (5-year felony) [§ 2511(4)] exception for first offense, wireless comms. civil damages of $10,000 per violation suppression

The default rule under § 2511(1): do not

eavesdrop on others’ communications

use or disclose illegally intercepted contents

Applies to oral/wire/electronic comms.

Violations may lead to

criminal penalties (5-year felony) [§ 2511(4)]

exception for first offense, wireless comms.

civil damages of $10,000 per violation

suppression

Relevance to Computer Networks Makes it illegal to install an unauthorized packet sniffer In several recent federal prosecutions, defendants have pled guilty to interception violations e.g. , Cloverdale minors

Makes it illegal to install an unauthorized packet sniffer

In several recent federal prosecutions, defendants have pled guilty to interception violations

e.g. , Cloverdale minors

Exceptions to the General Prohibition Publicly accessible system [§ 2511(2)(g)(i)] open chat room/IRC channel Consent of a party System provider privileges Court-authorized intercepts

Publicly accessible system [§ 2511(2)(g)(i)]

open chat room/IRC channel

Consent of a party

System provider privileges

Court-authorized intercepts

Consent of a Party May be implied through login banner terms of service Implied consent may give an ISP authority to pass information to law enforcement and other officials

May be implied through

login banner

terms of service

Implied consent may give an ISP authority to pass information to law enforcement and other officials

System Operator Privileges Provider may monitor private real-time communications to protect its rights or property [§ 2511(2)(a)(i)] e.g. , logging every keystroke typed by a suspected intruder phone companies more restricted than ISPs Under same subsection, a provider may also intercept communications if inherently necessary to providing the service

Provider may monitor private real-time communications to protect its rights or property [§ 2511(2)(a)(i)]

e.g. , logging every keystroke typed by a suspected intruder

phone companies more restricted than ISPs

Under same subsection, a provider may also intercept communications if inherently necessary to providing the service

Court-Authorized Monitoring Requires a kind of “super-warrant” a/k/a “Title III order” (or T-3)‏ § 2518 Good for 30 days maximum Necessity, minimization requirements Ten-day reporting Sealing

Requires a kind of “super-warrant”

a/k/a “Title III order” (or T-3)‏

§ 2518

Good for 30 days maximum

Necessity, minimization requirements

Ten-day reporting

Sealing

Types of Wiretap Orders You May Encounter Keystroking common in network intrusion cases Cloning an e-mail account

Keystroking

common in network intrusion cases

Cloning an e-mail account

The Matrix

Real-Time Transactional Records The pen register/trap and trace statute (same as for telephones) applies Law enforcement may obtain a court order to gather prospective non-content information about a user, such as addresses on in/outbound e-mail inbound FTP connections where remote user is logging in from (dialup? remote IP address?)‏

The pen register/trap and trace statute (same as for telephones) applies

Law enforcement may obtain a court order to gather prospective non-content information about a user, such as

addresses on in/outbound e-mail

inbound FTP connections

where remote user is logging in from (dialup? remote IP address?)‏

The Matrix

Stored Communications and Historical Records

Dichotomies ‘R’ Us Permissive disclosure vs. mandatory “ may” vs. “must” Content of communications vs. non-content content unopened e-mail vs. opened e-mail non-content transactional records vs. subscriber information Basic rule: content receives more protection

Permissive disclosure vs. mandatory

“ may” vs. “must”

Content of communications vs. non-content

content

unopened e-mail vs. opened e-mail

non-content

transactional records vs. subscriber information

Basic rule: content receives more protection

Penalties for Stored Records & Communications Violations Civil remedies [18 U.S.C. § 2707] $1,000 minimum per violation attorneys’ fees Criminal remedies [§ 2701] only for accessing stored communications without authorization ( e.g. , one user snooping in another’s inbox)‏ inapplicable to the provider [§ 2701(c)(3)]

Civil remedies [18 U.S.C. § 2707]

$1,000 minimum per violation

attorneys’ fees

Criminal remedies [§ 2701]

only for accessing stored communications without authorization ( e.g. , one user snooping in another’s inbox)‏

inapplicable to the provider [§ 2701(c)(3)]

Subscriber Content and the System Provider Any provider may freely read stored e-mail or files of its customers Bohach v. City of Reno , 932 F. Supp. 1232 (D. Nev. 1996) (pager messages)‏ While ECPA imposes no prohibition, contractual agreement with customer may limit right of access

Any provider may freely read stored e-mail or files of its customers

Bohach v. City of Reno , 932 F. Supp. 1232 (D. Nev. 1996) (pager messages)‏

While ECPA imposes no prohibition, contractual agreement with customer may limit right of access

Public Providers and Permissive Disclosure General rule: a public provider ( e.g. , an ISP) may not freely disclose customer content to others [18 U.S.C. § 2702] Exceptions include subscriber consent necessary to protect rights or property of service provider to law enforcement if contents inadvertently obtained, pertains to the commission of a crime

General rule: a public provider ( e.g. , an ISP) may not freely disclose customer content to others [18 U.S.C. § 2702]

Exceptions include

subscriber consent

necessary to protect rights or property of service provider

to law enforcement if contents inadvertently obtained, pertains to the commission of a crime

Government Access to Stored Communications Content For unretrieved e-mail < 181 days old stored on a provider’s system, government must obtain a search warrant [18 U.S.C. § 2703(a)] Warrant operates like a subpoena

For unretrieved e-mail < 181 days old stored on a provider’s system, government must obtain a search warrant [18 U.S.C. § 2703(a)]

Warrant operates like a subpoena

Government Access to Stored Communications Content For opened e-mail (or other stored files), government may send provider a subpoena and notify subscriber in advance [18 U.S.C. § 2703(b)] government may delay notice 90 days in certain cases (§ 2705(a))‏ no notice to subscriber required if not a provider “to the public”

For opened e-mail (or other stored files), government may send provider a subpoena and notify subscriber in advance [18 U.S.C. § 2703(b)]

government may delay notice 90 days in certain cases (§ 2705(a))‏

no notice to subscriber required if not a provider “to the public”

The Matrix

Permissive Disclosure and Non-Content Subscriber Information Rule is short and sweet Provider may disclose non-content records to anyone except a governmental entity Government needs appropriate legal process or consent of subscriber

Rule is short and sweet

Provider may disclose non-content records to anyone except a governmental entity

Government needs

appropriate legal process

or consent of subscriber

The Two Categories of Non-Content Information Basic subscriber information §2703(c)(1)(C)‏ Transactional records § 2703(c)(1)(B)‏

Basic subscriber information

§2703(c)(1)(C)‏

Transactional records

§ 2703(c)(1)(B)‏

Basic Subscriber Information Can be obtained through subpoena Provider must give government name of subscriber address local and LD telephone toll billing records telephone number or other account identifier type of service provided length of service rendered

Can be obtained through subpoena

Provider must give government

name of subscriber

address

local and LD telephone toll billing records

telephone number or other account identifier

type of service provided

length of service rendered

Transactional Records Not content, not basic subscriber info Everything in between past audit trails/logs addresses of past e-mail correspondents Government may compel via a “section 2703(d) court order”

Not content, not basic subscriber info

Everything in between

past audit trails/logs

addresses of past e-mail correspondents

Government may compel via a “section 2703(d) court order”

Section 2703(d) Court Orders a/k/a “articulable facts” order “ specific and articulable facts showing that there are reasonable grounds to believe that [the specified records] are relevant and material to an ongoing criminal investigation ” A lower standard than probable cause Like warrant (& unlike subpoena), requires judicial oversight & factfinding

a/k/a “articulable facts” order

“ specific and articulable facts showing that there are reasonable grounds to believe that [the specified records] are relevant and material to an ongoing criminal investigation ”

A lower standard than probable cause

Like warrant (& unlike subpoena), requires judicial oversight & factfinding

The Matrix

Summary: Legal Process & ECPA Warrant unopened e-mail Court order under § 2703(d)‏ transactional records Subpoena opened e-mail, unopened e-mail >180 days old, or stored files basic subscriber info Higher-order process always valid e.g., warrant can compel transactional logs

Warrant

unopened e-mail

Court order under § 2703(d)‏

transactional records

Subpoena

opened e-mail, unopened e-mail >180 days old, or stored files

basic subscriber info

Higher-order process always valid

e.g., warrant can compel transactional logs

ECPA In Practice: A Scenario A victim reports a threat of physical injury via e-mail from StalkNU@isp.com To determine StalkNU’s identity, gov’t would serve a on isp.com For the target’s login records, gov’t serves a _______ on isp.com To obtain all the e-mail (opened and unopened) in target’s account, gov’t serves a ________

A victim reports a threat of physical injury via e-mail from StalkNU@isp.com

To determine StalkNU’s identity, gov’t would serve a on isp.com

For the target’s login records, gov’t serves a _______ on isp.com

To obtain all the e-mail (opened and unopened) in target’s account, gov’t serves a ________

Preclusion of Notice In criminal investigations, general policy is to avoid tipping off target Under ECPA, government may ask a court to prohibit ISP from notifying subscriber that records have been requested from ISP [§ 2705(b)]

In criminal investigations, general policy is to avoid tipping off target

Under ECPA, government may ask a court to prohibit ISP from notifying subscriber that records have been requested from ISP [§ 2705(b)]

§ 2703(f) Requests to Preserve Government can ask for any existing records (content or non-content) to be preserved no court order required does not apply prospectively Government must still satisfy the usual standards if it wants to receive the preserved data

Government can ask for any existing records (content or non-content) to be preserved

no court order required

does not apply prospectively

Government must still satisfy the usual standards if it wants to receive the preserved data

Summary For better or worse, ECPA shapes your destiny Benefits of understanding (and complying with) the statute include avoiding civil & criminal liability smoother relations with law enforcement

For better or worse, ECPA shapes your destiny

Benefits of understanding (and complying with) the statute include

avoiding civil & criminal liability

smoother relations with law enforcement

Where To Get More Information Computer Crime Section’s phone number: 202-514-1026 Computer Crime Section’s home page: http://www.cybercrime.gov

Computer Crime Section’s phone number: 202-514-1026

Computer Crime Section’s home page: http://www.cybercrime.gov