Title: Online Criminal Investigations: The USA Patriot Act, ECPA, and Beyond
Slide 1: Online Criminal Investigations: The USA Patriot Act, ECPA, and Beyond
Computer Crime and Intellectual Property Section, U.S. Department of Justice
Slide 2: The Computer Crime and Intellectual Property Section
- Founded in 1991 as Computer Crime Unit
- Current staff of 30 attorneys
- Mission of CCIPS
  - Combat computer crime and IP crimes
  - Develop enforcement policy
  - Train agents and prosecutors
  - Promote international cooperation
  - Propose and comment on federal legislation
Slide 3: Overview
- The origins of ECPA (the Electronic Communications Privacy Act of 1986)
- Substance of the statute
  - real-time monitoring
  - stored information
- How USA Patriot changed (or didn't change) things
Slide 4: Why You Might Care About ECPA
- Comprehensive privacy framework for communications providers
- Regulates conduct between
  - different users
  - provider and customer
  - government and provider
- Civil and criminal penalties for violations
- Note: state laws may impose additional restrictions/obligations
Slide 5: Why ECPA Matters to Law Enforcement
- As people take their lives online, crime follows; no different from the real world
- Online records are often the key to investigating and prosecuting criminal activity
  - cyber crimes (network intrusions)
  - traditional crimes (threats, fraud, etc.)
- ECPA says how and when government can (and cannot) obtain those records
Slide 6: Scope of the 1968 Wiretap Act
- Protected two kinds of communications
  - oral and wire
- Criminal penalties and civil remedies
- Extensive procedural rules for court orders to conduct eavesdropping
- By mid-1980s, emerging technologies created areas of uncertainty in statute as to
  - wireless telephones
  - non-voice transmissions (e.g., e-mail)
Slide 7: Concerns Addressed in ECPA (Enacted in 1986)
- Added protection for electronic (non-voice!) communications to Title III
- In addition, created a new companion chapter to regulate privacy of
  - stored communications
  - non-content information about subscribers (e.g., transactional information)
- Also new pen register/trap and trace statutes
  - for prospective collection of telephone calling records
Slide 8: Changes 1986-2000
- A variety of tweaks and technical amendments
  - cordless phones
  - CALEA
Slide 9: Sweeping New Surveillance Powers Under USA Patriot Act: A List
Slide 10: Changes 2001 (USA Patriot)
- Structure of ECPA/Title III/Pen-Trap remains the same
- No major expansion of authority
- Many changes simply codify existing practice or harmonize parallel provisions of statute
- In the following slides, a postfixed asterisk (*) indicates USA Patriot changes to prior law
Slide 11: Substantive Provisions of ECPA
- Or,
- Everything you know is wrong
Slide 12: Title III/ECPA and the Courts: A Love Affair
- "famous (if not infamous) for its lack of clarity"
  - Steve Jackson Games v. United States Secret Service, 36 F.3d 457, 462 (5th Cir. 1994)
- "fraught with trip wires"
  - Forsyth v. Barr, 19 F.3d 1527, 1543 (5th Cir. 1994)
- "a fog of inclusions and exclusions"
  - Briggs v. American Air Filter, 630 F.2d 414, 415 (5th Cir. 1980)
Slide 13: The Major Categories
- Real-time interception (content)
- Real-time traffic data (non-content)
- Stored data (content)
- Subscriber records (non-content)
Slide 14: The Matrix
Slide 15: Interception of Communications
- The default rule under § 2511(1): do not
  - eavesdrop
  - use or disclose intercepted contents
- Applies to oral/wire/electronic comms.
Slide 16: Penalties
- Criminal penalties (five-year felony), § 2511(4)
  - exception for first offense, wireless comms.
- Civil damages of $10,000 per violation plus attorneys' fees
- USA Patriot added new language specifically imposing liability on government agents
- Statutory suppression
Slide 17: Relevance to Computer Networks
- Makes it illegal to install an unauthorized packet sniffer
- In numerous federal prosecutions, defendants have pled guilty to Title III violations for such conduct
Slide 18: Exceptions to the General Prohibition
- Publicly accessible system, § 2511(2)(g)(i)
  - open IRC channel/chat room
- Consent of a party
- System provider privileges
- Computer trespasser monitoring
- Court-authorized intercepts
Slide 19: Consent of a Party
- Parallels the Fourth Amendment exception
- May be implied through
  - login banner
  - terms of service
- Such implied consent may give an ISP authority to pass information to law enforcement and other officials
Slide 20: System Operator Privileges
- Provider may monitor private real-time communications to protect its rights or property, § 2511(2)(a)(i)
  - e.g., logging every keystroke typed by a suspected intruder
  - phone companies more restricted than ISPs
- Under same subsection, a provider may also intercept communications if inherently necessary to providing the service
Slide 21: Computer Trespasser Monitoring (USA Patriot)
- Problem to be solved: what rules allow government monitoring of a network intruder?
  - consent of system owner as a party?
  - rights or property monitoring?
  - consent of the intruder via login banner?
- Because none of these is entirely satisfactory, new exception added
- Note: amendment sunsets on 12/31/05
Slide 22: Computer Trespasser Defined
- New 18 U.S.C. 2510(21)
  - "person who accesses without authorization"
  - definition continues: "and thus has no reasonable expectation of privacy"
- Excludes users who have an existing contractual relationship with provider
  - Congress worried about TOS violations as grounds for warrantless surveillance
  - there is an opportunity to gain consent from such users
  - without it, possible constitutional problems
Slide 23: Limits of the New Computer Trespasser Exception
- Interception under this exception has several prerequisites
  - consent of the owner
  - under color of law
  - relevant to an official investigation, and
  - cannot acquire communications other than those to/from the trespasser
Slide 24: Court-Authorized Monitoring
- Requires a kind of "super-warrant", § 2518
  - Good for 30 days maximum
  - Necessity, minimization requirements
  - Only available for specified offenses
  - Ten-day reporting
  - Sealing
Slide 25: Types of Electronic Communications Intercepts
- Cloned pagers
- Keystroking
  - common in network intrusion cases
- Cloning an e-mail account
Slide 26: The Matrix
Slide 27: The Matrix
Slide 28: Real-Time Collection of Non-Content Records
- Governed by the pen register/trap and trace statute (originally enacted in 1986)
- Like the Wiretap Act, begins with a general prohibition
  - criminal penalties for violations
- Exceptions for
  - provider self-protection
  - consent of customer (think Caller ID)
  - court order
Slide 29: How Things (Didn't) Change As a Result of USA Patriot
- Pre-USA Patriot, language was focused on telephone records
  - "the term 'pen register' means a device which records or decodes electronic or other impulses which identify the numbers dialed or otherwise transmitted on the telephone line to which such device is attached" (18 U.S.C. 3127(3))
- New statute: technology-neutral language
- Amendments codify years of practice, orders routinely issued by courts
Slide 30: Pen Register/Trap and Trace
- Old statute very telephone-oriented
  - "numbers dialed"
  - "telephone line"
- Updated statute is technology neutral
  - confirms that the same rules apply to, e.g., Internet communications
- Retains historical (and constitutional) distinction between content and non-content
- Codifies longstanding practice under prior statute (e.g., Kopp)
Slide 31: What Can a Pen/Trap Device Collect?
- Plainly included
  - telephone source/destination numbers
  - most e-mail header information
  - source and destination IP address and port
    - Kopp case (2000)
- Plainly excluded
  - subject line of e-mails
  - content of a downloaded file
Slide 32: The Device Formerly Known As Carnivore
- USA Patriot mandates additional judicial oversight
- Where law enforcement uses its own device on a public provider's computer network pursuant to a pen/trap order (§ 3123(a)(3)), agents must file detailed report with the authorizing court
  - e.g., date and time of installation and removal, information collected
Slide 33: New Penalties for Government Misconduct
- New section 2712 creates explicit civil and administrative sanctions for violations of
  - wiretap statute
  - ECPA (stored records)
  - pen/trap statute
  - FISA (Foreign Intelligence Surveillance Act)
- Minimum $10,000 civil damages
- Mandatory 2-level administrative review for intentional violations by federal officers
Slide 34: The Matrix
Slide 35: Stored Communications and Subscriber Records
Slide 36: Objectives of Chapter 121
- Regulate privacy of communications held by electronic "middlemen"
- Congress sought to set the bar higher than subpoena in some cases
  - put e-mail on a par with postal letter
- Not applicable to materials in the possession of the sender/recipient
Slide 37: Dichotomies R Us
- Permissive disclosure vs. mandatory
  - may vs. must
- Content of communications vs. non-content
  - content
    - unopened e-mail vs. opened e-mail
  - non-content
    - transactional records vs. subscriber information
- Basic rule: content receives more protection
Slide 38: Criminal Violations
- 18 USC 2701 prohibition
  - Illegal to access without or in excess of authorization
  - a facility through which electronic communication services are provided
  - and thereby obtain, alter, or prevent access to a wire or electronic communication
  - while in electronic storage
- Misdemeanor, absent aggravating factors
Slide 39: Other Enforcement Mechanisms
- Civil remedies
  - $1,000 per violation
  - attorneys' fees
  - punitive damages
Slide 40: Subscriber Content and the System Provider
- Any provider may freely read stored email/files of its customers
  - Bohach v. City of Reno, 932 F. Supp. 1232 (D. Nev. 1996) (pager messages)
- A non-public provider may also freely disclose that information
  - for example, an employer
Slide 41: Public Providers and Permissive Disclosure
- General rule: a public provider (e.g., an ISP) may not freely disclose customer content to others, 18 U.S.C. 2702
- Exceptions
  - consent
  - necessary to protect rights or property of service provider
  - to law enforcement if contents inadvertently obtained, pertains to the commission of a crime
  - imminent threat of death/serious injury
Slide 42: Permissive Disclosure and Non-Content Subscriber Information
- Rule is short and sweet
  - Provider may disclose non-content records to anyone except a governmental entity
- New exceptions
  - to protect provider's rights/property
  - threat of death/serious bodily injury
- Pre-existing exceptions
  - appropriate legal process
  - consent of subscriber
Slide 43: Mandatory Disclosures: Legal Process Used by the Government
- Keep in mind the same dichotomy
  - content vs. non-content
- All governed by § 2703
- Types of process
  - search warrant
  - subpoena (grand jury, administrative, etc.)
Slide 44: Government Access to Private Communications (Content)
- For unopened email/voicemail < 180 days old stored on a provider's system, government must obtain a search warrant, 18 U.S.C. 2703(a)
  - warrant operates like a subpoena
- Congressional analogy: treat undelivered email like postal mail (see S. Ct. cases)
Slide 45: Government Access to Private Communications (Content)
- For opened e-mail/voicemail (or other stored files), government may send provider a subpoena and notify subscriber, 18 U.S.C. 2703(b)
  - only applicable to public providers
- May delay notice 90 days (§ 2705(a)) if
  - destruction or tampering w/ evidence
  - intimidation of potential witnesses
  - otherwise seriously jeopardizing an investigation
Slide 46: The Matrix
Slide 47: The Two Categories of Non-Content Information
- Subscriber information
  - § 2703(c)(2)
- Transactional records
  - § 2703(c)(1)
Slide 48: Basic Subscriber Information
- Can be obtained through subpoena
- Provider must give government
  - name and address of subscriber
  - local and LD telephone toll billing records
  - telephone number or other account identifier
  - type of service provided
  - length of service rendered
- USA Patriot clarifies that this includes
  - method/means of payment (e.g., credit card number)
  - temporary address info (e.g., dynamic IP assignment records)
Slide 49: Transactional Records
- Not content, not basic subscriber info
- Everything in between
  - audit trails/logs
  - addresses of past e-mail correspondents
- Obtain through
  - warrant
  - section 2703(d) court order
- Note: prior to CALEA (10/94), a subpoena was sufficient
Slide 50: Section 2703(d) Orders
- "Articulable facts" order
  - "specific and articulable facts showing that there are reasonable grounds to believe that the specified records are relevant and material to an ongoing criminal investigation"
- Not as high a standard as probable cause
- But, like warrant (and unlike subpoena), requires judicial oversight/factfinding
- Can get non-disclosure order with it
Slide 51: The Matrix
Slide 52: Summary: Legal Process (ECPA)
- Warrant
  - required for unopened e-mail
  - can be used (but not required) for other info
- Court order under § 2703(d)
  - opened e-mail, unopened e-mail > 180 days old, or files (with prior notice)
  - transactional records
- Subpoena
  - opened e-mail or files (with prior notice)
  - basic subscriber info
Slide 53: § 2703(f) Requests to Preserve
- Government can ask for anything (content or non-content) to be preserved
- Prospective?
- Government must still satisfy the usual standards if it wants to receive the preserved data
Slide 54: Summary of Notable Changes
- Pen register/trap and trace statute updated
- Enhanced disclosure by providers to protect life and limb
- Computer trespasser monitoring exception added
- Scope of basic subscriber info clarified
- Expanded liability for government misuse
Slide 55: Summary
- USA PATRIOT Act is not a sweeping expansion of surveillance authority
- Instead, makes narrowly tailored changes to harmonize or clarify statute
- Leaves intact the existing framework of privacy statutes
Slide 56: For More Information
- Computer Crime Section's home page: www.cybercrime.gov
  - legal and policy treatises on intrusions, ECPA, USA Patriot, computer search and seizure
  - mailing list for news updates
  - requests for speakers