Warrants. Wiretaps. PRTTs. Subpoenas. Section 702. 2703(d) order. National Security Letters. All Writs Act. Many in the infosec community are aware that the government has an array of legal authorities to use in investigating crimes which allow them access to user content and metadata, but few people could articulate the differences among these types of orders. This talk will review each type of legal process used by state and federal agencies to request access to various types of user data and content.
9. How do court orders work?
A law enforcement officer goes to a judge with an authorization request. The judge then issues an order, and this is sent to the company.
11. Content: body of a letter while Metadata: addresses on the letter
○ Content requires a warrant. Metadata requires a subpoena
12. Warrants require a judge to determine that there is probable cause: reasonable basis for believing that a crime may have been committed (for an arrest) or when evidence of the crime is present in the place to be searched
22. Necessity:
“full and complete statement” describing all other investigative techniques that have been tried and failed or explaining why such techniques are likely to be unsuccessful or too dangerous. 18 U.S.C. § 2518(1)(c)
23. Particularity
“details” underlying the alleged offense and a “particular description” of the nature and location of the facilities or place to be wiretapped, the type of communication to be intercepted, and the persons committing the offense and whose communications are to be intercepted. 18 U.S.C. § 2518(1)(b)
25. Wiretap time period
● 30 days at most - down to the time of the order (you check the timestamp the Judge signed with)
● Starts at date of the order or within 10 days
● May be renewed
27. 1. Must reference an application under oath by a person qualified to make the application
2. Must state that there is probable cause
3. Must reference violations of a crime specified in Title III that a wiretap can be used to investigate
29. 1. Must specify place interception will occur
2. Must specify that other investigative techniques have been tried or are not feasible
3. Must specify that communications relate to the offenses being investigated
4. Must state that the LEAs are authorized to intercept communications
5. Termination clause
34. Consent based order: these are different
● For longer periods of time
● A target has granted law enforcement consent to have an ISP or other provider monitor their communications
35. Subscriber data/(d) Orders: 18 USC 2703(d)
● Usually tacked onto a wiretap
● Gets you subscriber data about the target
● Court order must use specific language:
○ “specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation”
36. National Security Letters
These received a lot of attention a few years ago when recipients were banned from even consulting with attorneys about them.
Extremely limited in data that is returned
NSLs are a form of administrative subpoena, and do not require a judge’s order
37. First NSL in 1978 was an amendment to the Right to Financial Privacy Act. Currently there are five statutory bases of authority for NSLs:
● Section 1114(a)(5) of the Right to Financial Privacy Act (codified at 12 U.S.C. 3414)
● Sections 626 and 627 of the Fair Credit Reporting Act (codified at 15 U.S.C. 1681u, 1691v)
● Electronic Communications Privacy Act (ECPA) §2709 (codified at 18 U.S.C. 2709)
● Section 802 of the National Security Act (codified at 50 U.S.C. 3162)
38. 2016
● 12,150 NSLs resulted in 24,801 ROIs
2017
● 12,762 NSLs resulted in 41,579 ROIs
https://www.dni.gov/files/documents/icotr/2018-ASTR----CY2017----FINAL-for-Release-5.4.18.pdf
39. Section 702
● FISA Court orders for data in cases involving foreign intelligence threats to the US.
● A FISC judge approves requests after reviewing targets and procedures meant to minimize the amount of data collected to avoid unnecessary or overly broad data collection.
● Once approved, FBI agents can use the court orders to access metadata or content and perform electronic surveillance.
42. Section 702:
● Allows for targeted collection of content for targets outside the United States and is accompanied by a nondisclosure provision
● “About” collection by the Government of communications to/from/about a target
● Can extend up to three “hops” from the target
● “Backdoor” searches by the FBI are a concern
● Number of targets subject to Section 702 in latest ODNI transparency report: 129,080 individuals, groups, or entities
Unlike other types of law in our common law system, this is almost entirely based on statutes in the US Code and Executive Orders. These laws are often referred to by statute numbers, like 18 USC 3233: that’s Title 18 (the criminal code), United States Code (the codified laws passed by Congress), section (sometimes written §) 3233. Or by name, like CALEA - Communications Assistance for Law Enforcement Act.
The 4th Amendment still applies here, though. It guarantees protection from unreasonable government intrusion, and is largely case law.
Ask-> statutes v case law
Common law
Judge made law
Title three is codified at 18 U.S.C. § 2510, et seq
Congress enacted Title 3 in 1968 to prohibit private citizens from using electronic surveillance techniques
Allowed law enforcement to use wiretaps and record calls, but requires compliance with specific requirements
In 1986, Congress amended Title III by enacting the Electronic Communications Privacy Act of 1986. Specifically, Congress added "electronic communications" as a new category of communications whose interception is covered by Title III.
Electronic communications are non-voice communications made over a network in or affecting interstate commerce, and include text messages, electronic mail ("email"), facsimiles ("faxes"), other non-voice Internet traffic, and communications over digital-display pagers. See 18 U.S.C. § 2510(12).
Congress also enacted the Communications Assistance for Law Enforcement Act to require phone service providers to assist law enforcement with wiretaps
And finally, if the wiretaps are in regard to a foreign intelligence matter, they would be performed under FISA.
For each of these types of orders, the process is largely the same. The law enforcement officer makes an application to the court, often after review by a prosecutor, and a judge decides if the application meets the requirements laid out in the statute, and then approves the order.
That order gets sent out to the service provider company to process.
There is a wide array of types of lawful process, some with very arcane requirements.
The aim is to educate about what types of orders can be used by the government, and to explain in non-legalese what each of the standards means.
There won’t be any hype, or scare-mongering, or excessive editorializing about the evils or wonders of surveillance. It should instead be informative, hopefully educational.
Distinctions stemming from the very early days of Fourth Amendment case law hold that there is a difference between the contents of communication, such as the body of a letter, and information about that letter, such as address information of the sender and receiver
Warrants require a judge to determine that there is probable cause (which is reasonable basis for believing that a crime may have been committed (for an arrest) or when evidence of the crime is present in the place to be searched)
ECPA/SCA (Electronic Communications Privacy Act/ Stored Electronic Communications Act)
Title I of the ECPA is the Wiretap Act… prohibits the use of illegally obtained communications as evidence. 18 U.S.C. § 2515
Title II is the Stored Communications Act
Title III addresses PRTTs
Subpoena == metadata
Pre-Carpenter: Cell site location records
Also PRTTs
Internet history: email subject lines
Is a URL metadata?
In 2001, the USA PATRIOT Act (P.L. 107-56) amended the Pen Register and Trap and Trace Statute (pen/trap statute), 18 U.S.C. § 3121 et seq., to clarify that courts may issue pen/trap orders to collect the non-content information associated with Internet communications. One issue that has been raised in this regard is whether a pen register order may be used to collect (URLs)
use of pen registers to collect all or part of a URL is prohibited without prior consultation with CCIPS. Among the factors that should be considered in deciding whether to apply for such a pen register are (1) the investigative need for the pen register order, (2) the litigation risk in the individual case, (3) how much of any given URL would be obtained, and (4) the impact of the order on the Department's policy goals
Title III was passed in 1968 as the Omnibus Crime Control and Safe Streets Act of 1968 - referred to as the Wiretap Act
State v Fed:
State authorities applying in state court under Title III must be authorized by state statute. 18 U.S.C. § 2516(2).
Pre-empted state law; state laws should be at least as restrictive as Title 3
Title III applications uniquely require an additional showing of necessity. The government’s application must provide a “full and complete statement” describing all other investigative techniques that have been tried and failed or explaining why such techniques are likely to be unsuccessful or too dangerous. 18 U.S.C. § 2518(1)(c). The court must determine that “normal investigative procedures” have been or would be unsuccessful or excessively dangerous. Id. § 2518(3)(c). A faulty necessity showing can result in suppression.[13]
Only crimes in 18 U.S.C. § 2516(1) may be investigated through the interception of wire or oral communications
“full and complete statement of the facts and circumstances,” including “details” underlying the alleged offense and a “particular description” of the nature and location of the facilities or place to be wiretapped, the type of communication to be intercepted, and the persons committing the offense and whose communications are to be intercepted. 18 U.S.C. § 2518(1)(b).
18 U.S.C. § 2802(b)
18 U.S.C. § 2702(b)(5)
The language of these is messed up all the time
Used correctly, can get subscriber data of people that the person targets
NSLs return subscriber data
Administrative subpoena means that the agency can issue it using its own authority and does not need a judge to sign an order
From the ODNI Transparency Report
URL is also in “Sources” at the end
There has been a lot of confusion about what the standard is to receive one of these
(is the FISA court a rubber stamp? Does it require exceptional standards of proof? why is it different from a Title III wiretap or stored content warrant?)
passed as part of the Judiciary Act of 1789
Usually this is really boring stuff to help make the court system run
court used the authority of the AWA to order the phone company to lend the FBI a telephone line and to help them install the monitoring device at the phone company
(Now we have CALEA)