2. 1 Online Criminal Investigations: The USA Patriot Act, ECPA, and Beyond Mark Eckenwiler Computer Crime and Intellectual Property Section U.S. Department of Justice

3. 2 The Computer Crime and Intellectual Property Section n Founded in 1991 as Computer Crime Unit n Current staff of 30 attorneys n Mission of CCIPS –Combat computer crime and IP crimes –Develop enforcement policy –Train agents and prosecutors –Promote international cooperation –Propose and comment on federal legislation

4. 3 Overview n The origins of ECPA (The Electronic Communications Privacy Act of 1986) n Substance of the statute –real-time monitoring –stored information n How USA Patriot changed (or didnt change) things

5. 4 Why You Might Care About ECPA n Comprehensive privacy framework for communications providers n Regulates conduct between –different users –provider and customer –government and provider n Civil and criminal penalties for violations n Note: state laws may impose additional restrictions/obligations

6. 5 Why ECPA Matters to Law Enforcement n As people take their lives online, crime follows; no different from the real world n Online records are often the key to investigating and prosecuting criminal activity –cyber crimes (network intrusions) –traditional crimes (threats, fraud, etc.) n ECPA says how and when government can (and cannot) obtain those records

7. 6 Scope of the 1968 Wiretap Act n Protected two kinds of communications –oral and wire –criminal penalties and civil remedies –extensive procedural rules for court orders to conduct eavesdropping n By mid-1980s, emerging technologies created areas of uncertainty in statute as to –wireless telephones –non-voice transmissions (e.g., e-mail)

8. 7 Concerns Addressed in ECPA (Enacted in 1986) n Added protection for electronic (non- voice!) communications to Title III n In addition, created a new companion chapter to regulate privacy of –stored communications –non-content information about subscribers (e.g., transactional information) n Also: new pen register/trap & trace statutes –for prospective collection of telephone calling records

9. 8 Changes 1986-2000 n A variety of tweaks & technical amendments –cordless phones –CALEA

10. 9 Sweeping New Surveillance Powers Under USA Patriot Act: A List

11. 10 Changes 2001 (USA Patriot) n Structure of ECPA/Title III/Pen-Trap remains the same n No major expansion of authority n Many changes simply codify existing practice or harmonize parallel provisions of statute n In the following slides, a postfixed asterisk (*) indicates USA Patriot changes to prior law

12. 11 Substantive Provisions of ECPA Or, Everything you know is wrong

13. 12 Title III/ECPA & The Courts: A Love Affair n famous (if not infamous) for its lack of clarity –Steve Jackson Games v. United States Secret Service, 36 F.3d 457, 462 (5th Cir. 1994) n fraught with trip wires –Forsyth v. Barr, 19 F.3d 1527, 1543 (5th Cir. 1994) n a fog of inclusions and exclusions –Briggs v. American Air Filter, 630 F.2d 414, 415 (5th Cir. 1980)

14. 13 The Major Categories n Real-time interception (content) n Real-time traffic data (non-content) n Stored data (content) n Subscriber records (non-content)

15. 14 The Matrix

16. 15 Interception of Communications n The default rule under § 2511(1): do not –eavesdrop –use or disclose intercepted contents n Applies to oral/wire/electronic comms.

17. 16 Penalties n Criminal penalties (five-year felony) [§ 2511(4)] »exception for first offense, wireless comms. n Civil damages of $10,000 per violation* plus attorneys fees –USA Patriot added new language specifically imposing liability on government agents n Statutory suppression

18. 17 Relevance to Computer Networks n Makes it illegal to install an unauthorized packet sniffer n In numerous federal prosecutions, defendants have pled guilty to Title III violations for such conduct

19. 18 Exceptions to the General Prohibition n Publicly accessible system [§ 2511(2)(g)(i)] –open IRC channel/chat room n Consent of a party n System provider privileges n Computer trespasser monitoring* n Court-authorized intercepts

20. 19 Consent of a Party n Parallels the Fourth Amendment exception n May be implied through –login banner –terms of service n Such implied consent may give an ISP authority to pass information to law enforcement and other officials

21. 20 System Operator Privileges n Provider may monitor private real-time communications to protect its rights or property [§ 2511(2)(a)(i)] –e.g., logging every keystroke typed by a suspected intruder –phone companies more restricted than ISPs n Under same subsection, a provider may also intercept communications if inherently necessary to providing the service

22. 21 Computer Trespasser Monitoring (USA Patriot)* n Problem to be solved: what rules allow government monitoring of a network intruder? –consent of system owner as a party? –rights or property monitoring? –consent of the intruder via login banner? n Because none of these is entirely satisfactory, new exception added n Note: amendment sunsets on 12/31/05

23. 22 Computer Trespasser Defined n New 18 U.S.C. 2510(21): –person who accesses without authorization –definition continues: and thus has no reasonable expectation of privacy… n Excludes users who have an existing contractual relationship with provider –Congress worried about TOS violations as grounds for warrantless surveillance –there is an opportunity to gain consent from such users –without it, possible constitutional problems

24. 23 Limits of the New Computer Trespasser Exception n Interception under this exception has several prerequisites –consent of the owner –under color of law –relevant to an official investigation, and –cannot acquire communications other than those to/from the trespasser

25. 24 Court-Authorized Monitoring n Requires a kind of super-warrant –§ 2518 n Good for 30 days maximum n Necessity, minimization requirements n Only available for specified offenses n Ten-day reporting n Sealing

26. 25 Types of Electronic Communications Intercepts n Cloned pagers n Keystroking –common in network intrusion cases n Cloning an e-mail account

27. 26 The Matrix

28. 27 The Matrix

29. 28 Real-Time Collection of Non-Content Records n Governed by the pen register/trap and trace statute (originally enacted in 1986) n Like the Wiretap Act, begins with a general prohibition –criminal penalties for violations n Exceptions for –provider self-protection –consent of customer (think Caller ID) –court order

30. 29 How Things (Didnt) Change As a Result of USA Patriot n Pre-USA Patriot, language was focused on telephone records –the term pen register means a device which records or decodes electronic or other impulses which identify the numbers dialed or otherwise transmitted on the telephone line to which such device is attached (18 U.S.C. 3127(3)) n New statute: Technology-neutral language n Amendments codify years of practice, orders routinely issued by courts

31. 30 Pen Register/Trap and Trace n Old statute very telephone-oriented –numbers dialed –telephone line n Updated statute is technology neutral –confirms that the same rules apply to, e.g., Internet communications n Retains historical (and constitutional) distinction between content & non-content n Codifies longstanding practice under prior statute (e.g., Kopp)

32. 31 What Can A Pen/Trap Device Collect? n Plainly included – telephone source/destination numbers –most e-mail header information –source and destination IP address and port »Kopp case (2000) n Plainly excluded: –subject line of e-mails –content of a downloaded file

33. 32 The Device Formerly Known As Carnivore n USA Patriot mandates additional judicial oversight n Where law enforcement uses its own device on a public providers computer network pursuant to a pen/trap order (3123(a)(3)), agents must file detailed report with the authorizing court –e.g., date and time of installation and removal; information collected

34. 33 New Penalties for Government Misconduct n New section 2712 creates explicit civil and administrative sanctions for violations of –wiretap statute –ECPA (stored records) –pen/trap statute –FISA (Foreign Intelligence Surveillance Act) n Minimum $10,000 civil damages n Mandatory 2-level administrative review for intentional violations by federal officers

35. 34 The Matrix

36. 35 Stored Communications and Subscriber Records 18 U.S.C., Chapter 121

37. 36 Objectives of Chapter 121 n Regulate privacy of communications held by electronic middlemen –Congress sought to set the bar higher than subpoena in some case –put e-mail on a par with postal letter n Not applicable to materials in the possession of the sender/recipient

38. 37 Dichotomies R Us n Permissive disclosure vs. mandatory –may vs. must n Content of communications vs. non-content –content »unopened e-mail vs. opened e-mail –non-content »transactional records vs. subscriber information n Basic rule: content receives more protection

39. 38 Criminal Violations n 18 USC § 2701 prohibition –Illegal to access without or in excess of authorization –a facility through which electronic communication services are provided –and thereby obtain, alter, or prevent access to a wire or electronic communication; –while in electronic storage n Misdemeanor, absent aggravating factors

40. 39 Other Enforcement Mechanisms n Civil remedies –$1,000 per violation –attorneys fees –punitive damages

41. 40 Subscriber Content and the System Provider n Any provider may freely read stored email/files of its customers –Bohach v. City of Reno, 932 F. Supp. 1232 (D. Nev. 1996) (pager messages) n A non-public provider may also freely disclose that information –for example, an employer

42. 41 Public Providers and Permissive Disclosure n General rule: a public provider (e.g., an ISP) may not freely disclose customer content to others [18 U.S.C. § 2702] n Exceptions: –consent –necessary to protect rights or property of service provider –to law enforcement if contents inadvertently obtained, pertains to the commission of a crime –imminent threat of death/serious injury*

43. 42 Permissive Disclosure and Non- Content Subscriber Information n Rule is short and sweet n Provider may disclose non-content records to anyone except a governmental entity n New exceptions* –to protect providers rights/property –threat of death/serious bodily injury n Pre-existing exceptions –appropriate legal process –consent of subscriber

44. 43 Mandatory Disclosures: Legal Process Used by the Government n Keep in mind the same dichotomy –content vs. non-content n All governed by § 2703 n Types of process –search warrant –subpoena (grand jury, administrative, etc.)

45. 44 Government Access to Private Communications (Content) n For unopened email/voicemail < 180 days old stored on a providers system, government must obtain a search warrant [18 U.S.C. §2703(a)] –warrant operates like a subpoena n Congressional analogy: treat undelivered email like postal mail (see S. Ct. cases)

46. 45 Government Access to Private Communications (Content) n For opened e-mail/voicemail (or other stored files), government may send provider a subpoena and notify subscriber [18 U.S.C. § 2703(b)] –only applicable to public providers n May delay notice 90 days (§ 2705(a)) if –destruction or tampering w/ evidence –intimidation of potential witnesses –otherwise seriously jeopardizing an investigation

47. 46 The Matrix

48. 47 The Two Categories of Non-Content Information n Subscriber information –§2703(c)(2) n Transactional records –§ 2703(c)(1)

49. 48 Basic Subscriber Information n Can be obtained through subpoena n Provider must give government –name & address of subscriber –local and LD telephone toll billing records –telephone number or other account identifier –type of service provided –length of service rendered n USA Patriot clarifies that this includes –method/means of payment (e.g., credit card number) –temporary address info (e.g., dynamic IP assigment records)

50. 49 Transactional Records n Not content, not basic subscriber info n Everything in between –audit trails/logs –addresses of past e-mail correspondents n Obtain through –warrant –section 2703(d) court order n Note: prior to CALEA (10/94), a subpoena was sufficient

51. 50 Section 2703(d) Orders n Articulable facts order –specific and articulable facts showing that there are reasonable grounds to believe that [the specified records] are relevant and material to an ongoing criminal investigation n Not as high a standard as probable cause n But, like warrant (& unlike subpoena), requires judicial oversight & factfinding n Can get non-disclosure order with it

52. 51 The Matrix

53. 52 Summary: Legal Process & ECPA n Warrant –required for unopened e-mail –can be used (but not required) for other info n Court order under § 2703(d) –opened e-mail, unopened e-mail >180 days old, or files (with prior notice) –transactional records n Subpoena –opened e-mail or files (with prior notice) –basic subscriber info

54. 53 § 2703(f) Requests to Preserve n Government can ask for anything (content or non-content) to be preserved n Prospective? n Government must still satisfy the usual standards if it wants to receive the preserved data

55. 54 Summary of Notable Changes n Pen register/trap and trace statute updated n Enhanced disclosure by providers to protect life & limb n Computer trespasser monitoring exception added n Scope of basic subscriber info clarified n Expanded liability for government misuse

56. 55 Summary n USA PATRIOT Act is not a sweeping expansion of surveillance authority n Instead, makes narrowly tailored changes to harmonize or clarify statute n Leaves intact the existing framework of privacy statutes

57. 56 For More Information n Computer Crime Sections home page: www.cybercrime.gov –legal & policy treatises on intrusions, ECPA, USA Patriot, computer search & seizure –mailing list for news updates –requests for speakers