  1. ISPs and Federal Privacy Law: Everything You Need to Know About the Electronic Communications Privacy Act (ECPA)
     Mark Eckenwiler, Computer Crime and Intellectual Property Section, U.S. Department of Justice
  2. The Computer Crime and Intellectual Property Section
     - Founded in 1991 as Computer Crime Unit
     - Current staff of 22 attorneys
     - Mission of CCIPS
         - Combat computer crime and IP crimes
         - Develop enforcement policy
         - Train agents and prosecutors
         - Contribute to public awareness of the issues
         - Promote international cooperation
         - Propose and comment on federal legislation
  3. Why You Might Care About ECPA
     - Comprehensive privacy framework for communications providers
     - Regulates conduct between
         - different users
         - provider and customer
         - government and provider
     - Civil and criminal penalties for violations
     - Note: state laws may impose additional restrictions/obligations
  4. Why ECPA Matters to Law Enforcement
     - As people take their lives online, crime follows; no different from the real world
     - Online records are often the key to investigating and prosecuting criminal activity
         - “cyber” crimes (network intrusions)
         - traditional crimes (threats, fraud, etc.)
     - ECPA says how and when government can (and cannot) obtain those records
  5. Substantive Provisions of ECPA
     Or, Everything you know is wrong
  6. ECPA & The Courts: A Love Affair
     - “famous (if not infamous) for its lack of clarity”
         - Steve Jackson Games v. United States Secret Service, 36 F.3d 457, 462 (5th Cir. 1994)
     - “fraught with trip wires”
         - Forsyth v. Barr, 19 F.3d 1527, 1543 (5th Cir. 1994)
     - “a fog of inclusions and exclusions”
         - Briggs v. American Air Filter, 630 F.2d 414, 415 (5th Cir. 1980)
  7. The Matrix
  8. Real-Time Acquisition of Communications (Interception)
     - The default rule under § 2511(1): do not
         - eavesdrop on others’ communications
         - use or disclose illegally intercepted contents
     - Applies to oral/wire/electronic comms.
     - Violations may lead to
         - criminal penalties (5-year felony) [§ 2511(4)]
             - exception for first offense, wireless comms.
         - civil damages of $10,000 per violation
         - suppression
  9. Relevance to Computer Networks
     - Makes it illegal to install an unauthorized packet sniffer
     - In several recent federal prosecutions, defendants have pled guilty to interception violations
         - e.g., Cloverdale minors
  10. Exceptions to the General Prohibition
     - Publicly accessible system [§ 2511(2)(g)(i)]
         - open chat room/IRC channel
     - Consent of a party
     - System provider privileges
     - Court-authorized intercepts
  11. Consent of a Party
     - May be implied through
         - login banner
         - terms of service
     - Implied consent may give an ISP authority to pass information to law enforcement and other officials
  12. System Operator Privileges
     - Provider may monitor private real-time communications to protect its rights or property [§ 2511(2)(a)(i)]
         - e.g., logging every keystroke typed by a suspected intruder
         - phone companies more restricted than ISPs
     - Under same subsection, a provider may also intercept communications if inherently necessary to providing the service
  13. Court-Authorized Monitoring
     - Requires a kind of “super-warrant”
         - a/k/a “Title III order” (or T-3)
         - § 2518
     - Good for 30 days maximum
     - Necessity, minimization requirements
     - Ten-day reporting
     - Sealing
  14. Types of Wiretap Orders You May Encounter
     - Keystroking
         - common in network intrusion cases
     - Cloning an e-mail account
  15. The Matrix
  16. Real-Time Transactional Records
     - The pen register/trap and trace statute (same as for telephones) applies
     - Law enforcement may obtain a court order to gather prospective non-content information about a user, such as
         - addresses on in/outbound e-mail
         - inbound FTP connections
         - where remote user is logging in from (dialup? remote IP address?)
  17. The Matrix
  18. Stored Communications and Historical Records
  19. Dichotomies ‘R’ Us
     - Permissive disclosure vs. mandatory
         - “may” vs. “must”
     - Content of communications vs. non-content
         - content
             - unopened e-mail vs. opened e-mail
         - non-content
             - transactional records vs. subscriber information
     - Basic rule: content receives more protection
  20. Penalties for Stored Records & Communications Violations
     - Civil remedies [18 U.S.C. § 2707]
         - $1,000 minimum per violation
         - attorneys’ fees
     - Criminal remedies [§ 2701]
         - only for accessing stored communications without authorization (e.g., one user snooping in another’s inbox)
         - inapplicable to the provider [§ 2701(c)(3)]
  21. Subscriber Content and the System Provider
     - Any provider may freely read stored e-mail or files of its customers
         - Bohach v. City of Reno, 932 F. Supp. 1232 (D. Nev. 1996) (pager messages)
     - While ECPA imposes no prohibition, contractual agreement with customer may limit right of access
  22. Public Providers and Permissive Disclosure
     - General rule: a public provider (e.g., an ISP) may not freely disclose customer content to others [18 U.S.C. § 2702]
     - Exceptions include
         - subscriber consent
         - necessary to protect rights or property of service provider
         - to law enforcement if contents inadvertently obtained, pertains to the commission of a crime
  23. Government Access to Stored Communications Content
     - For unretrieved e-mail < 181 days old stored on a provider’s system, government must obtain a search warrant [18 U.S.C. § 2703(a)]
         - Warrant operates like a subpoena
  24. Government Access to Stored Communications Content
     - For opened e-mail (or other stored files), government may send provider a subpoena and notify subscriber in advance [18 U.S.C. § 2703(b)]
         - government may delay notice 90 days in certain cases (§ 2705(a))
         - no notice to subscriber required if not a provider “to the public”
  25. The Matrix
  26. Permissive Disclosure and Non-Content Subscriber Information
     - Rule is short and sweet
     - Provider may disclose non-content records to anyone except a governmental entity
     - Government needs
         - appropriate legal process
         - or consent of subscriber
  27. The Two Categories of Non-Content Information
     - Basic subscriber information
         - § 2703(c)(1)(C)
     - Transactional records
         - § 2703(c)(1)(B)
  28. Basic Subscriber Information
     - Can be obtained through subpoena
     - Provider must give government
         - name of subscriber
         - address
         - local and LD telephone toll billing records
         - telephone number or other account identifier
         - type of service provided
         - length of service rendered
  29. Transactional Records
     - Not content, not basic subscriber info
     - Everything in between
         - past audit trails/logs
         - addresses of past e-mail correspondents
     - Government may compel via a “section 2703(d) court order”
  30. Section 2703(d) Court Orders
     - a/k/a “articulable facts” order
         - “specific and articulable facts showing that there are reasonable grounds to believe that [the specified records] are relevant and material to an ongoing criminal investigation”
     - A lower standard than probable cause
     - Like warrant (& unlike subpoena), requires judicial oversight & factfinding
  31. The Matrix
  32. Summary: Legal Process & ECPA
     - Warrant
         - unopened e-mail
     - Court order under § 2703(d)
         - transactional records
     - Subpoena
         - opened e-mail, unopened e-mail >180 days old, or stored files
         - basic subscriber info
     - Higher-order process always valid
         - e.g., warrant can compel transactional logs
  33. ECPA In Practice: A Scenario
     - A victim reports a threat of physical injury via e-mail from StalkNU@isp.com
     - To determine StalkNU’s identity, gov’t would serve a _______ on isp.com
     - For the target’s login records, gov’t serves a _______ on isp.com
     - To obtain all the e-mail (opened and unopened) in target’s account, gov’t serves a ________
  34. Preclusion of Notice
     - In criminal investigations, general policy is to avoid tipping off target
     - Under ECPA, government may ask a court to prohibit ISP from notifying subscriber that records have been requested from ISP [§ 2705(b)]
  35. § 2703(f) Requests to Preserve
     - Government can ask for any existing records (content or non-content) to be preserved
         - no court order required
         - does not apply prospectively
     - Government must still satisfy the usual standards if it wants to receive the preserved data
  36. Summary
     - For better or worse, ECPA shapes your destiny
     - Benefits of understanding (and complying with) the statute include
         - avoiding civil & criminal liability
         - smoother relations with law enforcement
  37. Where To Get More Information
     - Computer Crime Section’s phone number: 202-514-1026
     - Computer Crime Section’s home page: http://www.cybercrime.gov