1 Online Criminal Investigations: The USA Patriot Act, ECPA, and Beyond Mark Eckenwiler Computer...

1

Online Criminal Investigations: The USA Patriot Act, ECPA, and Beyond

Mark Eckenwiler

Computer Crime and Intellectual Property Section
U.S. Department of Justice

2

The Computer Crime and Intellectual Property Section

Founded in 1991 as Computer Crime Unit
Current staff of 30 attorneys
Mission of CCIPS
  – Combat computer crime and IP crimes
  – Develop enforcement policy
  – Train agents and prosecutors
  – Promote international cooperation
  – Propose and comment on federal legislation

3

Overview

The origins of ECPA (The Electronic Communications Privacy Act of 1986)
Substance of the statute
  – real-time monitoring
  – stored information
How USA Patriot changed (or didn’t change) things

4

Why You Might Care About ECPA

Comprehensive privacy framework for communications providers
Regulates conduct between
  – different users
  – provider and customer
  – government and provider
Civil and criminal penalties for violations
Note: state laws may impose additional restrictions/obligations

5

Why ECPA Matters to Law Enforcement

As people take their lives online, crime follows; no different from the real world
Online records are often the key to investigating and prosecuting criminal activity
  – “cyber” crimes (network intrusions)
  – traditional crimes (threats, fraud, etc.)
ECPA says how and when government can (and cannot) obtain those records

6

Scope of the 1968 Wiretap Act

Protected two kinds of communications
  – “oral” and “wire”
  – criminal penalties and civil remedies
  – extensive procedural rules for court orders to conduct eavesdropping
By mid-1980s, emerging technologies created areas of uncertainty in statute as to
  – wireless telephones
  – non-voice transmissions (e.g., e-mail)

7

Concerns Addressed in ECPA (Enacted in 1986)

Added protection for “electronic” (non-voice!) communications to Title III
In addition, created a new companion chapter to regulate privacy of
  – stored communications
  – non-content information about subscribers (e.g., transactional information)
Also: new pen register/trap & trace statutes
  – for prospective collection of telephone calling records

8

Changes 1986-2000

A variety of tweaks & technical amendments
  – cordless phones
  – CALEA

9

Sweeping New Surveillance Powers Under USA Patriot Act: A List

10

Changes 2001 (USA Patriot)

Structure of ECPA/Title III/Pen-Trap remains the same
No major expansion of authority
Many changes simply codify existing practice or harmonize parallel provisions of statute
In the following slides, a postfixed asterisk (*) indicates USA Patriot changes to prior law

11

Substantive Provisions of ECPA

Or,

Everything you know is wrong

12

Title III/ECPA & The Courts: A Love Affair

“famous (if not infamous) for its lack of clarity”
  – Steve Jackson Games v. United States Secret Service, 36 F.3d 457, 462 (5th Cir. 1994)
“fraught with trip wires”
  – Forsyth v. Barr, 19 F.3d 1527, 1543 (5th Cir. 1994)
“a fog of inclusions and exclusions”
  – Briggs v. American Air Filter, 630 F.2d 414, 415 (5th Cir. 1980)

13

The Major Categories

Real-time interception (content)
Real-time traffic data (non-content)
Stored data (content)
Subscriber records (non-content)

14

The Matrix

Contents of Communications
  – Acquisition in Real Time: (blank)
  – Historical Information: (blank)
Other Records (Subscriber and Transactional Data)
  – Acquisition in Real Time: (blank)
  – Historical Information: (blank)

15

Interception of Communications

The default rule under § 2511(1): do not
  – eavesdrop
  – use or disclose intercepted contents
Applies to oral/wire/electronic comms.

16

Penalties

Criminal penalties (five-year felony) [§ 2511(4)]
  » exception for first offense, wireless comms.
Civil damages of $10,000 per violation* plus attorney’s fees
  – USA Patriot added new language specifically imposing liability on government agents
Statutory suppression

17

Relevance to Computer Networks

Makes it illegal to install an unauthorized packet sniffer
In numerous federal prosecutions, defendants have pled guilty to Title III violations for such conduct

18

Exceptions to the General Prohibition

Publicly accessible system [§ 2511(2)(g)(i)]
  – open IRC channel/chat room
Consent of a party
System provider privileges
“Computer trespasser” monitoring*
Court-authorized intercepts

19

Consent of a Party

Parallels the Fourth Amendment exception
May be implied through
  – login banner
  – terms of service
Such implied consent may give an ISP authority to pass information to law enforcement and other officials

20

System Operator Privileges

Provider may monitor private real-time communications to protect its rights or property [§ 2511(2)(a)(i)]
  – e.g., logging every keystroke typed by a suspected intruder
  – phone companies more restricted than ISPs
Under same subsection, a provider may also “intercept” communications if inherently necessary to providing the service

21

“Computer Trespasser” Monitoring (USA Patriot)*

Problem to be solved: what rules allow government monitoring of a network intruder?
  – consent of system owner as a party?
  – “rights or property” monitoring?
  – consent of the intruder via login banner?
Because none of these is entirely satisfactory, new exception added
Note: amendment sunsets on 12/31/05

22

“Computer Trespasser” Defined

New 18 U.S.C. 2510(21):
  – person who accesses “without authorization”
  – definition continues: “and thus has no reasonable expectation of privacy…”
Excludes users who have “an existing contractual relationship” with provider
  – Congress worried about TOS violations as grounds for warrantless surveillance
  – there is an opportunity to gain consent from such users
  – without it, possible constitutional problems

23

Limits of the New “Computer Trespasser” Exception

Interception under this exception has several prerequisites
  – consent of the owner
  – under color of law
  – relevant to an official investigation, and
  – cannot acquire communications other than those to/from the trespasser

24

Court-Authorized Monitoring

Requires a kind of “super-warrant”
  – § 2518
Good for 30 days maximum
Necessity, minimization requirements
Only available for specified offenses
Ten-day reporting
Sealing

25

Types of Electronic Communications Intercepts

Cloned pagers
“Keystroking”
  – common in network intrusion cases
“Cloning” an e-mail account

26

The Matrix

Contents of Communications
  – Acquisition in Real Time: Title III order or consent, generally
  – Historical Information: (blank)
Other Records (Subscriber and Transactional Data)
  – Acquisition in Real Time: (blank)
  – Historical Information: (blank)

27

The Matrix

Contents of Communications
  – Acquisition in Real Time: Title III order or consent, generally
  – Historical Information: (blank)
Other Records (Subscriber and Transactional Data)
  – Acquisition in Real Time: (blank)
  – Historical Information: (blank)

28

Real-Time Collection of Non-Content Records

Governed by the pen register/trap and trace statute (originally enacted in 1986)
Like the Wiretap Act, begins with a general prohibition
  – criminal penalties for violations
Exceptions for
  – provider self-protection
  – consent of customer (think “Caller ID”)
  – court order

29

How Things (Didn’t) Change As a Result of USA Patriot

Pre-USA Patriot, language was focused on telephone records
  – the term “pen register” means a device which records or decodes electronic or other impulses which identify the numbers dialed or otherwise transmitted on the telephone line to which such device is attached (18 U.S.C. 3127(3))
New statute: Technology-neutral language
Amendments codify years of practice, orders routinely issued by courts

30

Pen Register/Trap and Trace

Old statute very telephone-oriented
  – “numbers dialed”
  – “telephone line”
Updated statute is technology neutral
  – confirms that the same rules apply to, e.g., Internet communications
Retains historical (and constitutional) distinction between content & non-content
Codifies longstanding practice under prior statute (e.g., Kopp)

31

What Can A Pen/Trap Device Collect?

Plainly included
  – telephone source/destination numbers
  – most e-mail header information
  – source and destination IP address and port
    » Kopp case (2000)
Plainly excluded:
  – subject line of e-mails
  – content of a downloaded file

32

The Device Formerly Known As “Carnivore”

USA Patriot mandates additional judicial oversight
Where law enforcement uses its own device on a public provider’s computer network pursuant to a pen/trap order (3123(a)(3)), agents must file detailed report with the authorizing court
  – e.g., date and time of installation and removal; information collected

33

New Penalties for Government Misconduct

New section 2712 creates explicit civil and administrative sanctions for violations of
  – wiretap statute
  – ECPA (stored records)
  – pen/trap statute
  – FISA (Foreign Intelligence Surveillance Act)
Minimum $10,000 civil damages
Mandatory 2-level administrative review for intentional violations by federal officers

34

The Matrix

Contents of Communications
  – Acquisition in Real Time: Title III order or consent, generally
  – Historical Information: (blank)
Other Records (Subscriber and Transactional Data)
  – Acquisition in Real Time: Pen register/trap and trace order or consent
  – Historical Information: (blank)

35

Stored Communications and Subscriber Records

18 U.S.C., Chapter 121

36

Objectives of Chapter 121

Regulate privacy of communications held by electronic middlemen
  – Congress sought to set the bar higher than subpoena in some cases
  – put e-mail on a par with postal letter
Not applicable to materials in the possession of the sender/recipient

37

Dichotomies ‘R’ Us

Permissive disclosure vs. mandatory
  – “may” vs. “must”
Content of communications vs. non-content
  – content
    » unopened e-mail vs. opened e-mail
  – non-content
    » transactional records vs. subscriber information
Basic rule: content receives more protection

38

Criminal Violations

18 USC § 2701 prohibition
  – Illegal to access without or in excess of authorization
  – a facility through which electronic communication services are provided
  – and thereby obtain, alter, or prevent access to a wire or electronic communication;
  – while in electronic storage
Misdemeanor, absent aggravating factors

39

Other Enforcement Mechanisms

Civil remedies
  – $1,000 per violation
  – attorney’s fees
  – punitive damages

40

Subscriber Content and the System Provider

Any provider may freely read stored email/files of its customers
  – Bohach v. City of Reno, 932 F. Supp. 1232 (D. Nev. 1996) (pager messages)
A non-public provider may also freely disclose that information
  – for example, an employer

41

Public Providers and Permissive Disclosure

General rule: a public provider (e.g., an ISP) may not freely disclose customer content to others [18 U.S.C. § 2702]
Exceptions:
  – consent
  – necessary to protect rights or property of service provider
  – to law enforcement if contents inadvertently obtained, pertains to the commission of a crime
  – imminent threat of death/serious injury*

42

Permissive Disclosure and Non-Content Subscriber Information

Rule is short and sweet
Provider may disclose non-content records to anyone except a governmental entity
New exceptions*
  – to protect provider’s rights/property
  – threat of death/serious bodily injury
Pre-existing exceptions
  – appropriate legal process
  – consent of subscriber

43

Mandatory Disclosures: Legal Process Used by the Government

Keep in mind the same dichotomy
  – content vs. non-content
All governed by § 2703
Types of process
  – search warrant
  – subpoena (grand jury, administrative, etc.)

44

Government Access to Private Communications (Content)

For unopened email/voicemail < 180 days old stored on a provider’s system, government must obtain a search warrant [18 U.S.C. §2703(a)]
  – warrant operates like a subpoena
Congressional analogy: treat undelivered email like postal mail (see S. Ct. cases)

45

Government Access to Private Communications (Content)

For opened e-mail/voicemail (or other stored files), government may send provider a subpoena and notify subscriber [18 U.S.C. § 2703(b)]
  – only applicable to public providers
May delay notice 90 days (§ 2705(a)) if
  – destruction or tampering w/ evidence
  – intimidation of potential witnesses
  – otherwise seriously jeopardizing an investigation

46

The Matrix

Contents of Communications
  – Acquisition in Real Time: Title III order or consent, generally
  – Historical Information: Warrant (for unopened messages) or consent. Subpoena with notice (for files, opened messages) or consent
Other Records (Subscriber and Transactional Data)
  – Acquisition in Real Time: Pen register/trap and trace order or consent
  – Historical Information: (blank)

47

The Two Categories of Non-Content Information

Subscriber information
  – §2703(c)(2)
Transactional records
  – § 2703(c)(1)

48

Basic Subscriber Information

Can be obtained through subpoena
Provider must give government
  – name & address of subscriber
  – local and LD telephone toll billing records
  – telephone number or other account identifier
  – type of service provided
  – length of service rendered
USA Patriot clarifies that this includes
  – method/means of payment (e.g., credit card number)
  – “temporary address” info (e.g., dynamic IP assignment records)


Transactional Records

Not content, not basic subscriber info
Everything in between
– audit trails/logs
– addresses of past e-mail correspondents
Obtain through
– warrant
– section 2703(d) court order
Note: prior to CALEA (10/94), a subpoena was sufficient


Section 2703(d) Orders

“Articulable facts” order
– “specific and articulable facts showing that there are reasonable grounds to believe that [the specified records] are relevant and material to an ongoing criminal investigation”
Not as high a standard as probable cause
But, like warrant (& unlike subpoena), requires judicial oversight & factfinding
Can get non-disclosure order with it


The Matrix

Contents of Communications
– Acquisition in Real Time: Title III order or consent, generally
– Historical Information: Warrant (for unopened messages) or consent
– Historical Information: Subpoena with notice (for files, opened messages) or consent; may delay notice

Other Records (Subscriber and Transactional Data)
– Acquisition in Real Time: Pen register/trap and trace order or consent
– Historical Information: Subpoena (for basic subscriber info only)
– Historical Information: 2703(d) “specific and articulable facts” court order (for all other non-content records)


Summary: Legal Process & ECPA

Warrant
– required for unopened e-mail
– can be used (but not required) for other info
Court order under § 2703(d)
– opened e-mail, unopened e-mail >180 days old, or files (with prior notice)
– transactional records
Subpoena
– opened e-mail or files (with prior notice)
– basic subscriber info


§ 2703(f) Requests to Preserve

Government can ask for anything (content or non-content) to be preserved
Prospective?
Government must still satisfy the usual standards if it wants to receive the preserved data


Summary of Notable Changes

Pen register/trap and trace statute updated
Enhanced disclosure by providers to protect life & limb
“Computer trespasser” monitoring exception added
Scope of “basic subscriber info” clarified
Expanded liability for government misuse


Summary

USA PATRIOT Act is not a sweeping expansion of surveillance authority
Instead, makes narrowly tailored changes to harmonize or clarify statute
Leaves intact the existing framework of privacy statutes


For More Information

Computer Crime Section’s home page: www.cybercrime.gov
– legal & policy treatises on intrusions, ECPA, USA Patriot, computer search & seizure
– mailing list for news updates
– requests for speakers
