1
Online Criminal Investigations:Online Criminal Investigations:The USA Patriot Act,The USA Patriot Act,ECPA, and BeyondECPA, and Beyond
Mark EckenwilerMark Eckenwiler
Computer Crime and Intellectual Property SectionComputer Crime and Intellectual Property SectionU.S. Department of JusticeU.S. Department of Justice
2
The Computer Crime and The Computer Crime and Intellectual Property SectionIntellectual Property Section
Founded in 1991 as Computer Crime UnitFounded in 1991 as Computer Crime Unit Current staff of 30 attorneysCurrent staff of 30 attorneys Mission of CCIPSMission of CCIPS
– Combat computer crime and IP crimesCombat computer crime and IP crimes– Develop enforcement policyDevelop enforcement policy– Train agents and prosecutorsTrain agents and prosecutors– Promote international cooperationPromote international cooperation– Propose and comment on federal legislationPropose and comment on federal legislation
3
OverviewOverview
The origins of ECPA (The Electronic The origins of ECPA (The Electronic Communications Privacy Act of 1986)Communications Privacy Act of 1986)
Substance of the statuteSubstance of the statute– real-time monitoringreal-time monitoring– stored informationstored information
How USA Patriot changed (or didn’t How USA Patriot changed (or didn’t change) thingschange) things
4
Why You Might Care Why You Might Care About ECPAAbout ECPA
Comprehensive privacy framework for Comprehensive privacy framework for communications providerscommunications providers
Regulates conduct betweenRegulates conduct between– different usersdifferent users– provider and customerprovider and customer– government and providergovernment and provider
Civil and criminal penalties for violationsCivil and criminal penalties for violations Note: state laws may impose additional Note: state laws may impose additional
restrictions/obligationsrestrictions/obligations
5
Why ECPA Matters toWhy ECPA Matters toLaw EnforcementLaw Enforcement
As people take their lives online, crime As people take their lives online, crime follows; no different from the real worldfollows; no different from the real world
Online records are often the key to Online records are often the key to investigating and prosecuting criminal activityinvestigating and prosecuting criminal activity– ““cyber” crimes (network intrusions)cyber” crimes (network intrusions)
– traditional crimes (threats, fraud, etc.)traditional crimes (threats, fraud, etc.) ECPA says how and when government can ECPA says how and when government can
(and cannot) obtain those records(and cannot) obtain those records
6
Scope of the 1968 Wiretap ActScope of the 1968 Wiretap Act
Protected two kinds of communicationsProtected two kinds of communications– ““oral” and “wire” oral” and “wire” – criminal penalties and civil remediescriminal penalties and civil remedies– extensive procedural rules for court orders to extensive procedural rules for court orders to
conduct eavesdroppingconduct eavesdropping By mid-1980s, emerging technologies created By mid-1980s, emerging technologies created
areas of uncertainty in statute as toareas of uncertainty in statute as to– wireless telephoneswireless telephones– non-voice transmissions (non-voice transmissions (e.g.e.g., e-mail), e-mail)
7
Concerns Addressed in ECPAConcerns Addressed in ECPA(Enacted in 1986)(Enacted in 1986)
Added protection for “electronic” (non-voice!) Added protection for “electronic” (non-voice!) communications to Title IIIcommunications to Title III
In addition, created a new companion chapter to In addition, created a new companion chapter to regulate privacy ofregulate privacy of– stored communicationsstored communications
– non-content information about subscribers (non-content information about subscribers (e.g., e.g., transactional information)transactional information)
Also: new pen register/trap & trace statutesAlso: new pen register/trap & trace statutes– for prospective collection of telephone calling recordsfor prospective collection of telephone calling records
8
Changes 1986-2000Changes 1986-2000
A variety of tweaks & technical A variety of tweaks & technical amendmentsamendments– cordless phonescordless phones– CALEACALEA
9
Sweeping New Surveillance Sweeping New Surveillance Powers Under USA Patriot Act:Powers Under USA Patriot Act:
A ListA List
10
Changes 2001 (USA Patriot)Changes 2001 (USA Patriot)
Structure of ECPA/Title III/Pen-Trap remains Structure of ECPA/Title III/Pen-Trap remains the samethe same
No major expansion of authorityNo major expansion of authority Many changes simply codify existing practice Many changes simply codify existing practice
or harmonize parallel provisions of statuteor harmonize parallel provisions of statute In the following slides, a postfixed asterisk (*) In the following slides, a postfixed asterisk (*)
indicates USA Patriot changes to prior lawindicates USA Patriot changes to prior law
11
Substantive ProvisionsSubstantive Provisionsof ECPAof ECPA
Or, Or,
Everything you know is wrongEverything you know is wrong
12
Title III/ECPA & The Courts:Title III/ECPA & The Courts:A Love AffairA Love Affair
““famous (if not infamous) for its lack of clarity”famous (if not infamous) for its lack of clarity”– Steve Jackson Games v. United States Secret Service,Steve Jackson Games v. United States Secret Service,
36 F.3d 457, 462 (5th Cir. 1994)36 F.3d 457, 462 (5th Cir. 1994) ““fraught with trip wires”fraught with trip wires”
– Forsyth v. BarrForsyth v. Barr, 19 F.3d 1527, 1543 (5th Cir. 1994), 19 F.3d 1527, 1543 (5th Cir. 1994) ““a fog of inclusions and exclusions”a fog of inclusions and exclusions”
– Briggs v. American Air FilterBriggs v. American Air Filter, 630 F.2d 414, 415 , 630 F.2d 414, 415 (5th Cir. 1980)(5th Cir. 1980)
13
The Major CategoriesThe Major Categories
Real-time interception (content)Real-time interception (content) Real-time traffic data (non-content)Real-time traffic data (non-content) Stored data (content)Stored data (content) Subscriber records (non-content)Subscriber records (non-content)
14
The MatrixThe Matrix
Acquisition inReal Time
HistoricalInformation
Contents ofCommunications
Other Records(Subscriber andTransactionalData)
15
Interception of CommunicationsInterception of Communications
The default rule under § 2511(1): do not The default rule under § 2511(1): do not – eavesdropeavesdrop– use or disclose intercepted contentsuse or disclose intercepted contents
Applies to oral/wire/electronic comms.Applies to oral/wire/electronic comms.
16
PenaltiesPenalties
Criminal penalties (five-year felony) Criminal penalties (five-year felony) [§ 2511(4)][§ 2511(4)]
» exception for first offense, wireless comms.exception for first offense, wireless comms.
Civil damages of $10,000 per violation* Civil damages of $10,000 per violation* plus attorney’s feesplus attorney’s fees– USA Patriot added new language specifically USA Patriot added new language specifically
imposing liability on government agentsimposing liability on government agents Statutory suppressionStatutory suppression
17
Relevance to Computer Relevance to Computer NetworksNetworks
Makes it illegal to install an unauthorized Makes it illegal to install an unauthorized packet snifferpacket sniffer
In numerous federal prosecutions, In numerous federal prosecutions, defendants have pled guilty to Title III defendants have pled guilty to Title III violations for such conductviolations for such conduct
18
Exceptions to the Exceptions to the General ProhibitionGeneral Prohibition
Publicly accessible system [§ 2511(2)(g)(i)]Publicly accessible system [§ 2511(2)(g)(i)]– open IRC channel/chat roomopen IRC channel/chat room
Consent of a partyConsent of a party System provider privilegesSystem provider privileges ““Computer trespasser” monitoring*Computer trespasser” monitoring* Court-authorized interceptsCourt-authorized intercepts
19
Consent of a PartyConsent of a Party
Parallels the Fourth Amendment exceptionParallels the Fourth Amendment exception May be implied throughMay be implied through
– login bannerlogin banner– terms of serviceterms of service
Such implied consent may give an ISP Such implied consent may give an ISP authority to pass information to law authority to pass information to law enforcement and other officialsenforcement and other officials
20
System Operator PrivilegesSystem Operator Privileges
Provider may monitor private real-time Provider may monitor private real-time communications to protect its rights or property communications to protect its rights or property [§ 2511(2)(a)(i)][§ 2511(2)(a)(i)]– e.g.e.g., logging every keystroke typed by a suspected , logging every keystroke typed by a suspected
intruderintruder– phone companies more restricted than ISPsphone companies more restricted than ISPs
Under same subsection, a provider may also Under same subsection, a provider may also “intercept” communications if inherently “intercept” communications if inherently necessary to providing the servicenecessary to providing the service
21
““Computer Trespasser” Computer Trespasser” Monitoring (USA Patriot)*Monitoring (USA Patriot)*
Problem to be solved: what rules allow Problem to be solved: what rules allow government monitoring of a network intruder?government monitoring of a network intruder?– consent of system owner as a party?consent of system owner as a party?
– ““rights or property” monitoring?rights or property” monitoring?
– consent of the intruder via login banner?consent of the intruder via login banner? Because none of these is entirely satisfactory, Because none of these is entirely satisfactory,
new exception addednew exception added Note: amendment sunsets on 12/31/05Note: amendment sunsets on 12/31/05
22
““Computer Trespasser” DefinedComputer Trespasser” Defined New 18 U.S.C. 2510(21):New 18 U.S.C. 2510(21):
– person who accesses “without authorization”person who accesses “without authorization”
– definition continues: “and thus has no reasonable definition continues: “and thus has no reasonable expectation of privacy…”expectation of privacy…”
Excludes users who have “an existing contractual Excludes users who have “an existing contractual relationship” with providerrelationship” with provider– Congress worried about TOS violations as grounds for Congress worried about TOS violations as grounds for
warrantless surveillancewarrantless surveillance
– there is an opportunity to gain consent from such usersthere is an opportunity to gain consent from such users
– without it, possible constitutional problemswithout it, possible constitutional problems
23
Limits of the New “Computer Limits of the New “Computer Trespasser” ExceptionTrespasser” Exception
Interception under this exception has Interception under this exception has several prerequisites several prerequisites – consent of the ownerconsent of the owner– under color of lawunder color of law– relevant to an official investigation, andrelevant to an official investigation, and– cannot acquire communications other than cannot acquire communications other than
those to/from the trespasserthose to/from the trespasser
24
Court-Authorized MonitoringCourt-Authorized Monitoring
Requires a kind of “super-warrant”Requires a kind of “super-warrant”– § 2518§ 2518
Good for 30 days maximumGood for 30 days maximum Necessity, minimization requirementsNecessity, minimization requirements Only available for specified offensesOnly available for specified offenses Ten-day reportingTen-day reporting SealingSealing
25
Types of Electronic Types of Electronic Communications InterceptsCommunications Intercepts
Cloned pagersCloned pagers ““Keystroking” Keystroking”
– common in network intrusion casescommon in network intrusion cases ““Cloning” an e-mail accountCloning” an e-mail account
26
The MatrixThe Matrix
Acquisition inReal Time
HistoricalInformation
Contents ofCommunications
Title III order or consent,generally
Other Records(Subscriber andTransactionalData)
27
The MatrixThe Matrix
Acquisition inReal Time
HistoricalInformation
Contents ofCommunications
Title III order or consent,generally
Other Records(Subscriber andTransactionalData)
28
Real-Time Collection of Real-Time Collection of Non-Content RecordsNon-Content Records
Governed by the pen register/trap and trace Governed by the pen register/trap and trace statute (originally enacted in 1986)statute (originally enacted in 1986)
Like the Wiretap Act, begins with a general Like the Wiretap Act, begins with a general prohibitionprohibition– criminal penalties for violationscriminal penalties for violations
Exceptions forExceptions for– provider self-protectionprovider self-protection– consent of customer (think “Caller ID”)consent of customer (think “Caller ID”)– court ordercourt order
29
How Things (Didn’t) ChangeHow Things (Didn’t) ChangeAs a Result of USA PatriotAs a Result of USA Patriot
Pre-USA Patriot, language was focused on Pre-USA Patriot, language was focused on telephone recordstelephone records– the term “pen register” means a device which records or the term “pen register” means a device which records or
decodes electronic or other impulses which identify the decodes electronic or other impulses which identify the numbers dialed or otherwise transmitted on the numbers dialed or otherwise transmitted on the telephone line to which such device is attachedtelephone line to which such device is attached (18 (18 U.S.C. 3127(3))U.S.C. 3127(3))
New statute: Technology-neutral languageNew statute: Technology-neutral language Amendments codify years of practice, orders Amendments codify years of practice, orders
routinely issued by courtsroutinely issued by courts
30
Pen Register/Trap and TracePen Register/Trap and Trace
Old statute very telephone-orientedOld statute very telephone-oriented– ““numbers dialed”numbers dialed”– ““telephone line”telephone line”
Updated statute is technology neutralUpdated statute is technology neutral– confirms that the same rules apply to, e.g., Internet confirms that the same rules apply to, e.g., Internet
communicationscommunications Retains historical (and constitutional) distinction Retains historical (and constitutional) distinction
between content & non-contentbetween content & non-content Codifies longstanding practice under prior statute (e.g., Codifies longstanding practice under prior statute (e.g.,
Kopp)Kopp)
31
What Can A Pen/Trap Device What Can A Pen/Trap Device Collect?Collect?
Plainly includedPlainly included– telephone source/destination numberstelephone source/destination numbers– most e-mail header informationmost e-mail header information– source and destination IP address and portsource and destination IP address and port
» Kopp case (2000)Kopp case (2000)
Plainly excluded:Plainly excluded:– subject line of e-mailssubject line of e-mails– content of a downloaded filecontent of a downloaded file
32
The Device Formerly KnownThe Device Formerly KnownAs “Carnivore”As “Carnivore”
USA Patriot mandates additional judicial USA Patriot mandates additional judicial oversight oversight
Where law enforcement uses its own device on Where law enforcement uses its own device on a public provider’s computer network pursuant a public provider’s computer network pursuant to a pen/trap order (3123(a)(3)), agents must to a pen/trap order (3123(a)(3)), agents must file detailed report with the authorizing courtfile detailed report with the authorizing court– e.g., date and time of installation and removal; e.g., date and time of installation and removal;
information collectedinformation collected
33
New Penalties forNew Penalties forGovernment MisconductGovernment Misconduct
New section 2712 creates explicit civil and New section 2712 creates explicit civil and administrative sanctions for violations ofadministrative sanctions for violations of– wiretap statutewiretap statute
– ECPA (stored records)ECPA (stored records)
– pen/trap statutepen/trap statute
– FISA (Foreign Intelligence Surveillance Act)FISA (Foreign Intelligence Surveillance Act) Minimum $10,000 civil damagesMinimum $10,000 civil damages Mandatory 2-level administrative review for Mandatory 2-level administrative review for
intentional violations by federal officersintentional violations by federal officers
34
The MatrixThe Matrix
Acquisition inReal Time
HistoricalInformation
Contents ofCommunications
Title III order or consent,generally
Other Records(Subscriber andTransactionalData)
Pen register/trap and traceorder or consent
35
Stored CommunicationsStored Communicationsand Subscriber Recordsand Subscriber Records
18 U.S.C., Chapter 12118 U.S.C., Chapter 121
36
Objectives of Chapter 121Objectives of Chapter 121
Regulate privacy of communications held Regulate privacy of communications held by electronic middlemenby electronic middlemen– Congress sought to set the bar higher than Congress sought to set the bar higher than
subpoena in some casesubpoena in some case– put e-mail on a par with postal letterput e-mail on a par with postal letter
Not applicable to materials in the Not applicable to materials in the possession of the sender/recipientpossession of the sender/recipient
37
Dichotomies ‘R’ UsDichotomies ‘R’ Us
Permissive disclosure vs. mandatoryPermissive disclosure vs. mandatory– ““may” vs. “must”may” vs. “must”
Content of communications vs. non-contentContent of communications vs. non-content– contentcontent
» unopened e-mail vs. opened e-mailunopened e-mail vs. opened e-mail
– non-contentnon-content» transactional records vs. subscriber informationtransactional records vs. subscriber information
Basic rule: content receives more protectionBasic rule: content receives more protection
38
Criminal ViolationsCriminal Violations
18 USC § 2701 prohibition18 USC § 2701 prohibition– Illegal to access without or in excess of Illegal to access without or in excess of
authorizationauthorization
– a facility through which electronic communication a facility through which electronic communication services are providedservices are provided
– and thereby obtain, alter, or prevent access to a wire and thereby obtain, alter, or prevent access to a wire or electronic communication;or electronic communication;
– while in electronic storage while in electronic storage Misdemeanor, absent aggravating factorsMisdemeanor, absent aggravating factors
39
Other Enforcement MechanismsOther Enforcement Mechanisms
Civil remediesCivil remedies– $1,000 per violation$1,000 per violation– attorney’s feesattorney’s fees– punitive damagespunitive damages
40
Subscriber Content Subscriber Content and the System Providerand the System Provider
Any provider may freely Any provider may freely readread stored stored email/files of its customersemail/files of its customers– Bohach v. City of RenoBohach v. City of Reno, 932 F. Supp. 1232 (D. , 932 F. Supp. 1232 (D.
Nev. 1996) (pager messages)Nev. 1996) (pager messages) A A non-publicnon-public provider may also freely provider may also freely
disclose that informationdisclose that information– for example, an employerfor example, an employer
41
Public Providers and Public Providers and Permissive DisclosurePermissive Disclosure
General rule: a public provider (General rule: a public provider (e.g.e.g., an ISP) may , an ISP) may not freely not freely disclosedisclose customer content to others [18 customer content to others [18 U.S.C. § 2702]U.S.C. § 2702]
Exceptions:Exceptions:– consentconsent– necessary to protect rights or property of service necessary to protect rights or property of service
providerprovider– to law enforcement if contents inadvertently obtained, to law enforcement if contents inadvertently obtained,
pertains to the commission of a crimepertains to the commission of a crime– imminent threat of death/serious injury*imminent threat of death/serious injury*
42
Permissive Disclosure and Non-Permissive Disclosure and Non-Content Subscriber InformationContent Subscriber Information
Rule is short and sweetRule is short and sweet Provider may disclose non-content records to Provider may disclose non-content records to
anyone anyone exceptexcept a governmental entity a governmental entity New exceptions*New exceptions*
– to protect provider’s rights/propertyto protect provider’s rights/property– threat of death/serious bodily injurythreat of death/serious bodily injury
Pre-existing exceptions Pre-existing exceptions – appropriate legal process appropriate legal process – consent of subscriberconsent of subscriber
43
Mandatory Disclosures: Legal Mandatory Disclosures: Legal Process Used by the GovernmentProcess Used by the Government
Keep in mind the same dichotomyKeep in mind the same dichotomy– content vs. non-contentcontent vs. non-content
All governed by § 2703All governed by § 2703 Types of processTypes of process
– search warrantsearch warrant– subpoena (grand jury, administrative, etc.)subpoena (grand jury, administrative, etc.)
44
Government Access to Private Government Access to Private Communications (Content)Communications (Content)
For For unopenedunopened email/voicemail < 180 days email/voicemail < 180 days old stored on a provider’s system, old stored on a provider’s system, government must obtain a search warrant government must obtain a search warrant [18 U.S.C. §2703(a)][18 U.S.C. §2703(a)]– warrant operates like a subpoenawarrant operates like a subpoena
Congressional analogy: treat undelivered Congressional analogy: treat undelivered email like postal mail (see S. Ct. cases)email like postal mail (see S. Ct. cases)
45
Government Access to Private Government Access to Private Communications (Content)Communications (Content)
For opened e-mail/voicemail (or other stored For opened e-mail/voicemail (or other stored files), government may send provider a files), government may send provider a subpoena subpoena and notify subscriber and notify subscriber [18 U.S.C. § [18 U.S.C. § 2703(b)]2703(b)]– only applicable to public providersonly applicable to public providers
May delay notice 90 days (§ 2705(a)) ifMay delay notice 90 days (§ 2705(a)) if– destruction or tampering w/ evidencedestruction or tampering w/ evidence– intimidation of potential witnessesintimidation of potential witnesses– otherwise seriously jeopardizing an investigationotherwise seriously jeopardizing an investigation
46
The MatrixThe Matrix
Acquisition inReal Time
HistoricalInformation
Warrant (for unopenedmessages) or consent
Contents ofCommunications
Title III order or consent,generally
Subpoena with notice(for files, openedmessages) or consent
Other Records(Subscriber andTransactionalData)
Pen register/trap and traceorder or consent
47
The Two Categories ofThe Two Categories ofNon-Content InformationNon-Content Information
Subscriber informationSubscriber information– §2703(c)(2)§2703(c)(2)
Transactional recordsTransactional records– § 2703(c)(1)§ 2703(c)(1)
48
Basic Subscriber InformationBasic Subscriber Information
Can be obtained through subpoenaCan be obtained through subpoena Provider must give governmentProvider must give government
– name & address of subscribername & address of subscriber– local and LD telephone toll billing recordslocal and LD telephone toll billing records– telephone number or other account identifiertelephone number or other account identifier– type of service providedtype of service provided– length of service rendered length of service rendered
USA Patriot clarifies that this includesUSA Patriot clarifies that this includes– method/means of payment (e.g., credit card number)method/means of payment (e.g., credit card number)– ““temporary address” info (e.g., dynamic IP assigment records)temporary address” info (e.g., dynamic IP assigment records)
49
Transactional RecordsTransactional Records
Not content, not basic subscriber infoNot content, not basic subscriber info Everything in betweenEverything in between
– audit trails/logsaudit trails/logs– addresses of past e-mail correspondentsaddresses of past e-mail correspondents
Obtain throughObtain through
– warrantwarrant– section 2703(d) court ordersection 2703(d) court order
Note: prior to CALEA (10/94), a subpoena Note: prior to CALEA (10/94), a subpoena was sufficientwas sufficient
50
Section 2703(d) OrdersSection 2703(d) Orders
““Articulable facts” order Articulable facts” order – ““specific and articulable facts showing that there are specific and articulable facts showing that there are
reasonable grounds to believe that [the specified reasonable grounds to believe that [the specified records] are relevant and material to an ongoing records] are relevant and material to an ongoing criminal investigation”criminal investigation”
Not as high a standard as probable causeNot as high a standard as probable cause But, like warrant (& unlike subpoena), requires But, like warrant (& unlike subpoena), requires
judicial oversight & factfindingjudicial oversight & factfinding Can get non-disclosure order with itCan get non-disclosure order with it
51
The MatrixThe Matrix
Acquisition inReal Time
HistoricalInformation
Warrant (for unopenedmessages) or consent
Contents ofCommunications
Title III order orconsent, generally
Subpoena with notice (forfiles, opened messages) orconsent; may delay notice
Subpoena (for basicsubscriber info only)
Other Records(Subscriber andTransactionalData)
Pen register/trap andtrace order or consent
2703(d) “specific andarticulable facts” courtorder (for all other non-content records)
52
Summary: Summary: Legal Process & ECPALegal Process & ECPA
Warrant Warrant – required for unopened e-mailrequired for unopened e-mail– can be used (but not required) for other infocan be used (but not required) for other info
Court order under § 2703(d)Court order under § 2703(d)– opened e-mail, unopened e-mail >180 days old, or files (with opened e-mail, unopened e-mail >180 days old, or files (with
prior notice)prior notice)– transactional recordstransactional records
SubpoenaSubpoena– opened e-mail or files (with prior notice)opened e-mail or files (with prior notice)– basic subscriber infobasic subscriber info
53
§ 2703(f) Requests to Preserve§ 2703(f) Requests to Preserve
Government can ask for anything (content Government can ask for anything (content or non-content) to be preservedor non-content) to be preserved
Prospective?Prospective? Government must still satisfy the usual Government must still satisfy the usual
standards if it wants to receive the standards if it wants to receive the preserved datapreserved data
54
Summary of Notable ChangesSummary of Notable Changes
Pen register/trap and trace statute updatedPen register/trap and trace statute updated Enhanced disclosure by providers to protect Enhanced disclosure by providers to protect
life & limblife & limb ““Computer trespasser” monitoring Computer trespasser” monitoring
exception addedexception added Scope of “basic subscriber info” clarifiedScope of “basic subscriber info” clarified Expanded liability for government misuseExpanded liability for government misuse
55
SummarySummary
USA PATRIOT Act is not a sweeping USA PATRIOT Act is not a sweeping expansion of surveillance authorityexpansion of surveillance authority
Instead, makes narrowly tailored changes to Instead, makes narrowly tailored changes to harmonize or clarify statuteharmonize or clarify statute
Leaves intact the existing framework of Leaves intact the existing framework of privacy statutesprivacy statutes
56
For More InformationFor More Information
Computer Crime Section’s home page: Computer Crime Section’s home page: www.cybercrime.govwww.cybercrime.gov– legal & policy treatises on intrusions, ECPA, legal & policy treatises on intrusions, ECPA,
USA Patriot, computer search & seizureUSA Patriot, computer search & seizure– mailing list for news updatesmailing list for news updates– requests for speakersrequests for speakers