CSCD 496 Computer Forensics, Lecture 12: Laws – Specific, Winter 2010



Introduction

• Laws – Specific laws related to Electronic Crimes

• CFAA – Computer Fraud and Abuse Act

• Economic Espionage Act

• Digital Millennium Copyright Act

• Federal Wiretap Act

• Patriot Act I

– How some of these relate to privacy

• Laws that try to Protect Privacy


Background

• Last time ... heard a lawyer speak of you being expert witnesses

– Assumption when you testify, know something about the court system and process

– Also, know about the laws governing digital evidence


Overview

• As a digital forensics Practitioner

– Why do you need to know the laws?


General Electronic Crime Laws


CFAA

• The first truly comprehensive federal computer crime statute was the Computer Fraud and Abuse Act of 1986 (CFAA).

• The act amended Title 18 United States Code Section 1030 to enhance penalties for six types of computer activities:

– Unauthorized access of a computer to obtain information of national secrecy with an intent to injure the United States or give advantage to a foreign nation

– Unauthorized access of a computer to obtain protected financial or credit information

– Unauthorized access into a computer used by the federal government

– Unauthorized interstate or foreign access of a computer system with an intent to defraud

– Unauthorized interstate or foreign access of computer systems that results in at least $1,000 aggregate damage

– Fraudulent trafficking in computer passwords affecting interstate commerce


CFAA

• Consequences of law

– Made it a crime to break into government computers or financial institutions

• Credit card data

– Extended to include all federal interested computers

• Now, included University computers funded by federal research grants

– Penalties of up to 20 years in prison


Application of CFAA

• Most famous application of this statute was United States v. Morris in 1989

– Robert Tappan Morris, a Cornell University graduate student who, on November 2, 1988, released a computer "worm" across the Internet computer network

– Worm targeted Unix systems

– Didn’t steal or damage computer it infected – only purpose was to break into as many computers as it could

– Morris said it was an experiment that went wrong

– Convicted and had to contribute 400 hours of community service, $10,000 fine and 3 years probation


Application of CFAA

• Despite successful prosecution in the Morris case and several other famous computer crime prosecutions (including prosecutions of computer hackers of the Legion of Doom and Masters of Deception), problems continued with the statute.

– The most glaring was the omission of what was called malicious code -- computer viruses

• As a result, in 1992 Congress amended the computer crime statute to punish those who, without the knowledge and authorization of the "persons or entities who own or are responsible for" a computer, bring about the transmission of "a program, information, code, or command to a computer or computer system" with the intent to cause damage to the computer or information in the computer or prevent the use of the system.

• As well as punishing intentional conduct, the amended statute criminalizes those who act with reckless disregard or a substantial and unjustifiable risk of damage or loss

– Would create a civil case for compensatory damages for "any person who suffers damage or loss by reason of a violation of the section."


Application of CFAA

• In addition to addressing intrusions and viruses

• Statute prohibits DoS attacks that cause $1,000 or more damage

• CFAA can be used with other laws to bring charges against an individual

• Yet, all states except Vermont have additional computer crime statutes that extend CFAA

• Many state statutes make it illegal to break into a computer even if no damage was done

• Illegal to alter or destroy data,

• Steal services,

• Deny another person access or use the computer with intent to commit a variety of crimes


Economic Espionage Act

• Economic Espionage Act

– Enacted in 1996

– Theft of trade secrets

• Declared criminal violation

– Prior to this

• Corporate spying and stealing of trade secrets violation of civil law

• Now, became criminal to steal trade secrets

– Now

• Corporate officials who condone, fund, know of spying by their employees may be held responsible under this law

• Has to be $100,000 minimum threshold


Electronic Theft Act

• 1997 – First law to deal with electronic copyright violations

– Authorize criminal fines and incarceration for people convicted of intentionally distributing copyrighted works over the Internet

– Previous laws

• If you did not profit, didn’t face criminal charges

• Now, includes anyone who distributes copyrighted material – even if they don’t charge

– Justice department

• This was their response to curtail the growing problem of copyright infringement by electronic means


Digital Millennium Copyright Act

• 1998 – One year later – More comprehensive law – DMCA

– “Illegal to manufacture, distribute or sell technology to circumvent copyright protections …”

– Also set limits on liability for those who do try to circumvent copyright protections


DMCA

• Specifically …

1. Prohibits manufacture, sale or distribution of code-cracking devices

2. Limits ISP’s from copyright infringement liability

3. Higher education institutions are limited for liability for students and faculty


Wiretaps and Privacy


Copyright 2005 - 2009: Hi Tech Criminal Justice, Raymond E. Foster

General Wiretap Rules

• Generally requires both prosecutorial and judicial review

• Wiretaps require probable cause like any search warrant

• Must focus on gaining specific information about a crime

– Not just general investigative information


General Wiretap Rules

• To obtain court order, investigators must show that the information cannot be obtained in another manner

• Investigators must provide the court with:

– Specific offense

– Specific place to be tapped

– Types of conversations believed to be overheard


Legal History of Wiretaps

• 1968 Omnibus Crime Control and Safe Streets Act

– Title III known as Federal Wiretap Act

– In a nutshell says ...

– Electronic surveillance made illegal, except pursuant to a court order


Precursor to Patriot Act

• Foreign Intelligence Surveillance Act of 1978 (FISA)

– Requires approval from the Foreign Intelligence Surveillance Court for electronic surveillance in national security cases


Federal Wiretap Act and ECPA

• 1986, Congress passed Electronic Communication Privacy Act (ECPA) to update Federal Wiretap Act

– Considered all forms of electronic communication – telephone, cell phone, computer or other electronic devices

– Law enabled ISP’s to intercept and read suspicious e-mails

– Granted nationwide recording consent to law enforcement officers conducting criminal investigations

– Police can monitor e-mail with assistance from ISP’s.


Legislative Background

• Electronic Communications Privacy Act – Basically .....

– Amended Title III protections to cover most wire and wireless communications

– Requires a court order for the use of pen register and trap and trace devices

– Regulates use of roving wiretaps

• Wiretap that follows the target, can still follow if they get a new phone


General Wiretap Rules

• Every five days the investigators must provide the judicial authority with a thorough review of the conversations.

• In addition to the five-day review, at the end of the tap, the investigators must provide both the judicial and prosecutorial authority with a complete review.

• Thirty days after the conclusion of the tap, each person whose conversations were recorded must be notified in writing.


ECPA Communications Assistance for Law Enforcement Act of 1994 (CALEA)

• 1994 – Congress expanded ECPA to require Telecommunications Carriers

– Assist law enforcement with electronic surveillance

– ISP’s reluctant to cooperate in criminal investigations – concerned about privacy violations

– Law provided needed legal protection to telecommunications companies

– Today, all firms in compliance with ECPA

– New ISP’s must demonstrate their ability to assist law enforcement monitoring and surveillance needs prior to getting an operating license

– Note: There are some good things about ECPA and privacy … later


Pens, Traps and Traces

• In compliance with CALEA, cellular and hard-wired telephone identifying information is now routed to law enforcement via secure TCP/IP connection.

• With Cellular information, the cell site can be known and the target’s general location determined.

[Figure: screen capture provided by Pen-Link™, with a callout that indicates cell reception]


USA Patriot Act

• Following 9/11 attack in 2001

– 6 weeks after attack, very little debate from Congress – passed USA Patriot Act

– Much easier to monitor and intercept communication from suspected terrorists or people having affiliations with terrorists

– Now, needed only a letter from law enforcement instead of court order and affidavit documenting suspicious activities


USA Patriot Act (PA)

• Act allowed real-time monitoring of communications and prohibited ISP’s from telling about the investigation

• Allowed warrant-less searches of homes and businesses in instances involving suspected terrorists

– PA makes it a federal crime to not cooperate in these investigations

• Prohibited business owners and others from consulting their own legal counsel

– This has since been restored – considered it a violation of 1st Amendment rights to have legal counsel during investigation


USA Patriot Act (PA)

• Congress did require an investigative review in 2006 – 5 years after 9/11

• What happened?

– Read about it http://www.cnn.com/2006/POLITICS/03/07/patriot.act/

– It was voted in permanently in 2006

• It was up for review again in 2009

– Obama administration elected to continue with the main provisions of Patriot Act http://www.washingtontimes.com/news/2009/sep/16/obama-seeks-patriot-act-extensions/


Privacy Provisions


Privacy

• Does technology complicate privacy?

– Privacy is not defined the same way by everyone

• Has been defined as

– Right to be free from government intrusion

– Right to be free from others prying into our private lives

– Government Intrusions

• Protected by constitutional interpretation

– Individual Intrusions

• Protected by common law


Privacy

• From the perspective of US Law

– Direct correlation between what technology makes possible and what our privacy expectations are

– Definition of privacy is continually evolving

• What is private today and subject to protection under unreasonable search and seizure via the 4th amendment may no longer be private and exempt from such protection tomorrow


Privacy

• Number of Federal Statutes aimed at preserving privacy

– ECPA – Electronic Communications Privacy Act

• Regulates interception of electronic communication by both government and private individuals

– Privacy Act of 1974

• Impose limits on the collection and use of personal information by federal agencies


Privacy

• Federal Statutes

– Family Educational Rights and Privacy Act

• Permits students (and Parents of Minor students) to examine and challenge the accuracy of school records

– Fair Credit Reporting Act

• Regulates the collection and use of personal data by credit reporting agencies


Privacy

• Statutes

– Federal Right to Financial Privacy Act 1978

• Limits ability of finance institution to disclose customer information to agencies of the federal government

• Right to Privacy

• Protected by common law and statutes

• “privacy” doesn’t appear in the constitution

• Right to privacy separate body of law developed over many years through interpretation and analysis of the 4th amendment

• Prohibits “unreasonable” search and seizure


Privacy

• Unreasonable search and seizure

– What is unreasonable?

• Made by government without a warrant

• Violates a person’s expectation of privacy

– Were they trying to keep something private

– Or, is it in full view and not hidden

• And, is the expectation of privacy one that society believes is reasonable

• The above two arguments are used as a test for privacy by the courts


Privacy

• Cases

– Katz vs. United States

• Had a conversation about gambling in a public phone booth

• Federal agents listened to his conversation through an electronic listening device pasted on the outside of the phone booth

• Was that illegal under the 4th?


Privacy

• Katz vs. the US

• Actually, it was

• Ruled that Katz had an expectation of privacy since he had shut the door and was in an enclosed booth

• They had violated the 4th amendment

• What about Cell phones?


Privacy

• Case

– Kyllo vs. US – 2001

• Suspected of growing Marijuana in his home

• Without obtaining a warrant, federal agents used a thermal imager to scan Kyllo’s triplex apartment from the seat of a car

• Imager showed that the roof and side wall of the garage was “hot” compared to the rest of the structure

• Agents concluded that Kyllo was using Halide lights to grow marijuana

• Based on these results plus Kyllo’s high energy bills and tip from an informer, agents got a warrant to search Kyllo’s home

• Found an indoor Marijuana operation in the home

• Kyllo was indicted on one count of manufacturing marijuana


Privacy

• Case – Kyllo vs. US – 2001

• Kyllo tried to suppress the evidence obtained by the thermal imaging

– Said that a warrant should have been used to do the imaging

• Ninth Circuit Court of Appeals held that no warrant was needed for the thermal imaging

– Kyllo had not exhibited a reasonable expectation of privacy because he had made no attempt to conceal the heat escaping from his home

– Even if he did, the thermal imager did not expose details of his life, just “hot spots” on his house


Privacy

• Case – Kyllo vs. US – 2001

• Supreme Court reversed the decision

– Court noted that it is true that warrantless surveillance is generally legal and that previous holdings say that visual observation is simply not a search and thus not subject to 4th amendment provisions,

– But, critical issue in this case was: ...what limits there are upon the power of technology to shrink the realm of guaranteed privacy

– Found that the thermal imager was a device not in general public use and it exposed details of activities in the home


Privacy

• Other Electronic Communication

– ECPA

• Prohibits anyone – not just the government – from unlawfully accessing or intercepting electronic communications

• Says that to obtain authorization to intercept transmissions, law enforcement must obtain a court order

• Makes it harder to get authorization to intercept electronic communication

• Search warrant doesn’t count as a court order

• My Comments

– Of course the Patriot Act invalidated a lot of these provisions


Privacy

• ECPA

– Stored communication

• Can be obtained with a search warrant

• Belief is that intercepting transmission is potentially a greater invasion of privacy than stored communication

• Stored communication – More targeted

– Less chance of obtaining something unrelated and private

– Interception, more random and could overhear something that wasn’t desired to be made public


Privacy

• ECPA

– It is argued that under certain conditions

• Prior consent of one of the participants in a communication

• Organization can search employees’ communication

– Many companies have policies that require employees to sign an agreement to allow their personal communication to be monitored prior to allowing them to use e-mail or the company network


Conclusion

• Laws are constantly evolving in response to developing technology

– Issues of Jurisdiction, Legality

• Become more vague when

• Technology makes privacy much harder to define

• Since we are “technologists”

• Need to be aware of the latest laws that affect your rights privately and as a professional

• We should be providing input on laws that we believe violate our rights

• Patriot Act for example


Resource URL's

• Electronic Privacy Information Center:

– www.epic.org/

• Electronic Freedom Foundation:

– www.eff.org/


Resources

Digital Evidence and Computer Crime by Eoghan Casey

Understanding and Managing Cybercrime by Samuel C. McQuade III


End

• Look for Lab On your own