Inevitably, the actions of some clients create legal issues that hosts need to address quickly and cost-effectively. It is essential to have good hosting policies and procedures in place to deal with the legal and regulatory issues arising from operating a hosting business. Failure to implement good hosting practices can be disruptive and expensive for both hosts and their clients. Hosts must deal with a variety of law enforcement issues over time, ranging from cyber-crime to potential lawsuits.
Strong Host Security Policies are Good Business
1. Strong Host Security Policies are Good Business
San Diego, August 8th (HostingCon)
Alex de Joode Security Officer / LeaseWeb
Stephen E. Oakes Sup. Special Agent / F.B.I. (CIRFU)
Shane McGee Partner / SNR Denton
3. A DigitalOne customer’s response
• From the Instapaper blogpage:
http://blog.instapaper.com/post/6830514157
4. Summary
• June 21st 2011, FBI raided a hosting facility in
Reston, Va., used by DigitalOne, a dedicated
hosting company
• F.B.I. took 3 racks
• F.B.I. was actively investigating the Lulz Security
group and any affiliated hackers
• DigitalOne, the hoster, stated: “The agents took
entire server racks, perhaps because they
mistakenly thought that ‘one enclosure is equal
to one server.’”
• src: http://bits.blogs.nytimes.com/2011/06/21/f-b-i-seizes-web-servers-knocking-sites-offline/
5. What can we learn?
• Downtime for innocent customers
• Why?
• Trust / No Personal Relations?
• How can we solve this problem?
• F.B.I. perspective:
• by Stephen E. Oakes, Supervisory Special Agent
• Legal perspective:
• by Shane McGee, partner SNR Denton
• Host perspective:
• by Alex de Joode, Security Officer LeaseWeb
10. LeaseWeb (some figures)
• ~ 1% internet traffic generated (1Tbps=1000Gbps)
• ~35.000 servers online (NL | BE | DE | US)
• ~235 FTE
11. F.B.I. & SNR Denton, summary
• FBI wants to collaborate with Hosts
• NCFTA – Cracking Down on Cyber Crime
(http://www.ncfta.net)
• SNR Denton: legal requirements to work with
FBI/LEA if proper legal instrument is used
• Hosts are prohibited from voluntarily disclosing any
subscriber records or content to the government (unless an
exception applies).
12. How does LeaseWeb handle these issues?
• As a global company we have to deal with:
Dutch, German and US Law Enforcement
Agencies.
• Dedicated Security Office
• with qualified and experienced personnel so we can:
• minimize these issues
• and correctly handle serious situations when they do arise
• Smart Hoster’s View
• Brand Protection
• Protect customers and corporate interests and resources
13. Conclusion
With the proper protocols and operating
procedures, hosts can avoid DigitalOne-type
issues and ensure a successful
hosting situation for your customers and a
profitable environment for you as a host.
16. Subpoena Compliance and the
Need for Cooperation with Law
Enforcement
•Responding to Subpoenas, Court
Orders, Warrants, National
Security Letters and More
Shane M. McGee, Esq., CISSP
Partner
T +1 202 408 9216
shane.mcgee@snrdenton.com
snrdenton.com
17. ECPA: What Is It?
• Originally enacted in 1986, as email and large-scale
data processing first came into use
• Designed generally to protect the privacy of electronic
records and communications stored with third parties.
• Often referred to interchangeably as “SCA” (Stored
Communications Act) or “ECPA” (Electronic
Communications Privacy Act), though the SCA was an
amendment to ECPA.
• The SCA applies only to historical records, i.e., those
available as of the date of the request.
18. ECPA: What Does it Do?
• Begins from assumption that, absent ECPA, service providers
could freely disclose information about customers, and the
government could compel disclosure of any record by issuing a
subpoena
• ECPA imposes limitations on this “default setting”
• Limits the instances in which and the types of information that
providers can voluntarily disclose
• Defines the legal process the government must obtain to compel
disclosure of certain information
• Complicated statute that is difficult to apply
• Archaic terminology
• Strained application to newer subscriber services
• Confusing distinctions between treatment of certain records
• Inconsistent Court interpretations
19. ECPA: How is it Structured?
• Provides series of rules providing escalating privacy
protection based on:
• The type of information at issue
• Who seeks the information (government or private
entity)
• Who holds the information (how the provider is
characterized under the law)
• The guiding principles
• Content generally more protected than non-
content
• More limitations on voluntary disclosures to
government, but they have more tools to compel
20. ECPA: Who Does it Cover?
• Covered entities defined in ECPA are “Electronic
Communications Services” (ECS) and “Remote Computing
Services” (RCS)
• ECS defined as “any service which provides to users thereof
the ability to send or receive wire or electronic
communications”
• Example: the web-based email service offered by many
web hosts
• RCS defined as “the provision to the public of computer
storage or processing services by means of an electronic
communications system”
• “Provision to the public:” Anyone who wants to purchase
hosting services can sign up (as opposed to private
corporate email service)
• Web hosting companies may be an ECS and/or RCS
depending on the services being offered to that particular
customer
21. Three Categories of Information
• The process the government is required to use
depends on the type of information sought as follows:
• Basic subscriber information: Subpoena
• Transactional or other records: Court Order
• Content of files or messages: Search Warrant
22. Requests for Basic Subscriber Information
• This is the most common request web hosting companies will
receive.
• The following information may be obtained through virtually
any type of subpoena
• name & address
• local and long distance telephone connection records
• telephone number or other account identifier
• length & type of service provided
• session times and duration
• temporarily assigned network address (IP Address)
• means and source of payment (cc# or bank acct)
23. Requests for Transactional Records –
2703(d) Order
• Not content, not basic subscriber information -- everything in
between
• Email headers (if applicable)
• Subscriber info not “basic subscriber information”
• e.g., date of birth, social security number, etc.
• Articulable facts order
• “specific and articulable facts showing that there are
reasonable grounds to believe that [the requested records]
are relevant and material to an ongoing criminal
investigation”
• lower standard than warrant, but higher than pen
register/trap & trace
• May include a directive to provider not to disclose to
subscriber
24. Requests for Files or Contents of
Communications
• Generally speaking, a warrant is required.
• ECPA contains a number of sub-categories of
information when dealing with the contents of files or
communications, each of which requires a different
process.
• The courts disagree on how these sub-categories of
information should be classified, leading to
difficulties applying the law.
• Some state laws treat all of these sub-categories of
information the same, and apply a higher level of
protection to all stored files and the contents of
communications.
25. Voluntary Disclosure
• Web hosting companies are prohibited from voluntarily disclosing
any subscriber records or content to the government unless an
exception applies.
• Exceptions for the release of subscriber records (not content)
include:
• Disclosure to anyone with the consent of the originator or
addressee/intended recipient
• Disclosure to an addressee or intended recipient
• Disclosure to law enforcement if contents inadvertently obtained &
pertain to commission of a crime
• Disclosure to a person employed or authorized or whose facilities are
used to forward such communication (within the scope of their work)
• As necessary to protect the company’s rights and property
• To NCMEC in child pornography report
• Disclosure to the government if provider in good faith believes an
emergency exists threatening death or serious physical injury
26. National Security Letters - § 2709
• Permits government to compel disclosure of “subscriber
information and toll billing records information, or electronic
communication transactional records”
• Government must certify in writing that records sought are
relevant to an authorized investigation to protect against
international terrorism or clandestine intelligence activities
• Look carefully for nondisclosure requirements: National
Security Letters often prohibit the recipient from
disclosing the existence or content of the National Security
Letter to anyone other than those to whom such disclosure is
necessary to comply with the request or an attorney to obtain
legal advice or legal assistance with respect to the request.
27. Lawsuits for ECPA Violations
• ECPA allows for a civil action for relief from improper
disclosures
• “person aggrieved by any violation of this chapter in which the
conduct constituting the violation is engaged in with a knowing
or intentional state of mind may, in a civil action, recover from
the person or entity, other than the United States, which
engaged in that violation such relief as may be appropriate” 18
U.S.C. § 2707(a)
• ECPA contains two defenses against this liability in sections
2703(e) and 2707(e), but they are not guaranteed to protect a
web hosting company
37. SSA Stephen E. Oakes
Federal Bureau of Investigation (FBI)
Cyber Initiative and Resource Fusion Unit Cyber Division (CIRFU)
Desk: 412-802-8000 x324
BB: 202-437-6555
Email: Stephen.Oakes@ic.fbi.gov