Legal Considerations in Obtaining Electronic Evidence in Online Investigations CSC 486/586 1

Statutory Restrictions on Obtaining Electronic Evidence Through electronic surveillance; From ISPs & other service providers; That includes material intended for publication 2

The Statutes ECPA: Electronic Communications Privacy Act of dictates how LE obtains information from electronic communications providers –Title III (Wiretaps) –Stored Electronic Communications Privacy Protection Act – –Restricts methods LE can use to obtain info intended for publication 3

Wiretap Act, 18 USC 2511 Prohibits “interception” of “oral,” “wire,” or “electronic communications” with a “mechanical device” “Interception” means real-time acquisition Govt can get “T-III order” for oral or wire communications only for a very specific list of felonies - Statutory suppression for violations 4

Obtaining a Title III Wiretap Order for Electronic Evidence ECPA applies wiretap act to electronic communications intercepted in real-time (“keystroke monitoring”) Federal prosecutor can get court order for electronic wiretapping on any felony; no statutory suppression remedy Order must be issued where “interception” occurs 5

Exceptions to warrant requirement If wiretapping (and don’t have court order), committing a federal felony (5 years imprisonment) unless fall within one of 4 exceptions –Provider protection exception –Consent exception –Inadvertently obtained information –Computer trespass exception 6

Provider Protection Exception Interception authorized to protect provider (18 U.S.C. 2511(2)(a)(i)) Authorizes interception or disclosure “while engaged in any activity which is a necessary incident to the rendition of service or the protection of the rights or property of the provider of the service.” Provider can give results of past monitoring to law enforcement 7

Wiretaps-Consent exception Consent of party –Banner –Terms of service agreement Consent of system operator -- No! Dangerous to rely on implied consent forever –When need a T-III decided on a case-by-case basis 8

Inadvertently Obtained ECS provider may also disclose a communication to law enforcement if communication was inadvertently obtained and appears to pertain to the commission of a crime. –18 U.S.C. 2511(3)(b) 9

The Computer Trespasser Exception Solution: new exception to Title III at 18 U.S.C. 2511(2)(i) (Subject to 4-year sunset provision) –“Computer trespasser” defined (18 U.S.C. 2510(21)) Person who accesses “without authorization” Definition continues: “and thus has no reasonable expectation of privacy…” –Excludes users who have “an existing contractual relationship” Congress worried about violations of terms of service There is an opportunity to gain consent from such users Without it, possible constitutional problems 10

Limits of the New Exception Interception under this exception requires: –Consent of the owner –Under color of law –Relevant to an investigation –Cannot acquire communications other than to/from the trespasser May combine this authority with other exceptions, such as consent 11

Stored Communications and Transactional Records 12

Stored Electronic Communications Act Dictates how and when LE may obtain information from Internet Service Providers, Telcos, other computing service providers –Enacted in 1986 as part of “ECPA” –Codified at 18 USC 2701 et seq –Modified (slightly) by Patriot Act 13

Government Access to Customer Communications and Records These provisions apply only to info held on provider’s system, not to standalone PC Content of communications vs. non-content –content unopened vs. opened –non-content transactional records vs. subscriber information Basic rule: content receives more protection 14

Stored Electronic Communications Act - Overview Covers 3 categories of information Held by ECS or RCS -- –Content –Basic subscriber information –Transactional Records (everything else) Substantive provisions –a. When services may disclose –b. When services must disclose Remedies 15

Stored Electronic Communications Act - Coverage Three categories of information (18 U.S.C. Sec. 2703): Content Basic subscriber information Transactional Records (everything else) 16

Remedies Civil damages exclusively (2707, 08) No suppression remedy for non- constitutional violation –but decision in McVeigh (gay Navy officer with AOL account) granted suppression remedy, voided administrative action (discharge) 17

Stored Electronic Communications: Key Terms “Electronic Communication Service Provider” “Remote Communications Service Provider” A B ECS A RCS 18

Provisions of the Stored Electronic Communications Act 18 USC 2701: Prohibits: –Accessing without or in excess of authorization; –A facility through which electronic communication services are provided; –And thereby obtain, alter, or prevent access to a wire or electronic communication; –While in electronic storage Misdemeanor 19

When ECS or RCS May Disclose (2702) If public, prohibited from voluntarily disclosing the content of stored electronic communications Exceptions: –consent –necessary to protect property of service provider –to law enforcement if contents inadvertently obtained, pertains to the commission of a crime If not public, not so constrained, as to any of the three classes of information 20

Requiring Disclosure of Information from ECS or RCS 2703: Three categories: Content Basic subscriber information Transactional Records (everything else) 21

Stored Wire and Electronic Communications Act - Content and voice mail in electronic storage –Which is: “Any temporary, intermediate storage of a wire or electronic communication” incidental to transmission, or intended to be a backup Once opened, no longer protected Protects customers and subscribers: the real party of interest 22

Obtaining Content of s For ECS, if unopened and in storage for less than 180 days, search warrant (2703(a)) –Warrant operates like a subpoena –Patriot Act gave nation-wide effect to warrants Must be issued by court having jurisdiction over the offense No notice to customer necessary 23

Obtaining Electronic Content Not In “Electronic Storage” What’s not in “electronic storage”? –opened –files (text, database, programs, etc.) As to this category, statute protects only materials stored with a provider “to the public” –excludes, e.g., private corporate networks –if provider isn’t public, investigator can use a normal subpoena to compel disclosure 24

Obtaining Content (cont.) For ECS if more than 180 days or for RCS –Warrant –Subpoena with notice May delay notice 90 days (2705) if show -- –destruction or tampering w/ evidence –intimidation of potential witnesses –otherwise seriously jeopardizing an investigation May extend delay an additional 90-days 25

Obtaining the Contents of Voice Mail Pre-Patriot Act: If unopened, obtainable only with a Title III order –§ 2703 inapplicable by its own terms Patriot Act included contents of voice mail into 2703(b) 26

Basic Subscriber Information Can be obtained through subpoena Gives you only: name, address, telephone toll billing records, telephone number, type of service provided, and length of service rendered Patriot Act added connection records, session times, and temp assigned IP addresses Do not subpoena “all customer records” 27

Transactional Records Not content, not basic subscriber information Everything in between –financial information (e.g., credit card) –audit trails/logs –web sites visited –identities of correspondents –cell site data from cellular/PCS carriers 28

Transactional Records Obtain through –Warrant –Consent of customer –Articulable facts order (can get non-disclosure order): “specific and articulable facts showing that there are reasonable grounds to believe that [the specified records] are relevant and material to an ongoing criminal investigation.” (2703(d) order) 29

Summary: Legal Process & ECPA Warrant –required for unopened Court order under § 2703(d) –opened or files (with prior notice) –transactional records Subpoena –opened or files (with prior notice) –basic subscriber info 30

Overview of 2703 processes for public ESPs 31

Process Can talk to ECS/RCS in advance about what you want, what they may have May request provider for 90 days, to “take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.” 2703(f) –Only for information already in their possession, not future information 32

Cable Problems 47 USC § 551. Protection of subscriber privacy Restricts dissemination by cable provider of “personally identifiable information” collected by cable operator – “Personally identifiable information”? –Restriction applies to PII collected as part of providing “other services” “Other services” include “wire or radio communications” provided using facilities of cable operator 33

Cable Problems -- Cont’d 47 USC § 551(h) Disclosure of information to governmental entity pursuant to court order A governmental entity may obtain personally identifiable information concerning a cable subscriber pursuant to a court order only if, in the court proceeding relevant to such court order-- (1) such entity offers clear and convincing evidence that the subject of the information is reasonably suspected of engaging in criminal activity and that the information sought would be material evidence in the case; and (2) the subject of the information is afforded the opportunity to appear and contest such entity's claim. 34

Patriot Act Cable Fix Added 47 USC 551(c)(2)(D) –ECPA governs access to cable Internet service –Provisions of Sec. 551 still govern access to traditional cable services 35

The Privacy Protection Act 36

Privacy Protection Act 42 USC 2000AA Response to Zucher v. Stanford Daily 37

Privacy Protection Act Protects material intended for dissemination to the public: –Work product (e.g., book in progress) Prepared for communication and intended for dissemination to the public (included impressions, conclusions, opinions, theories) –Documentary materials (materials used to produce “work product”) Defined as media which holds info used “in connection with” work product materials Includes e.g. photo/film/tape/disk. 38

Privacy Protection Act Must use a subpoena to obtain work product, documentary materials in the possession of a person reasonably believed to have a purpose to disseminate it. 39

Exceptions Allowing Use of Search Warrant/Seizure Contraband or fruits or instrumentalities of a crime Exigent circumstances Probable cause that person possessing such material has committed or is committing a criminal offense –Except if mere possession offense Except classified material or child pornography 40

The PPA in an Electronic Environment Anyone with a modem can be a publisher Problems of commingling, connections If need to seize protected materials, obtain DAAG approval--through CCIPS Subject to civil penalties, not suppression Guest v. Leis -- can seize PPA materials “incidental to lawful search” Be reasonable: The 300,000 lessons of Steve Jackson Games 41

WHERE TO GET MORE INFORMATION CCIPS phone number: Computer Crime Section’s page on the World Wide Web: or 42

43 Questions??? Use the discussion board, as usual…

44