Online Criminal Investigations: The USA Patriot Act, ECPA, and Beyond. Mark Eckenwiler, Computer Crime and Intellectual Property Section, U.S. Department of Justice

Online Criminal Investigations The Usa Patriot Act


Page 1: Online Criminal Investigations The Usa Patriot Act

Online Criminal Investigations: The USA Patriot Act, ECPA, and Beyond

Mark Eckenwiler

Computer Crime and Intellectual Property Section
U.S. Department of Justice

Page 2: Online Criminal Investigations The Usa Patriot Act

The Computer Crime and Intellectual Property Section

■ Founded in 1991 as Computer Crime Unit
■ Current staff of 30 attorneys
■ Mission of CCIPS
  – Combat computer crime and IP crimes
  – Develop enforcement policy
  – Train agents and prosecutors
  – Promote international cooperation
  – Propose and comment on federal legislation

Page 3: Online Criminal Investigations The Usa Patriot Act

Overview

■ The origins of ECPA (The Electronic Communications Privacy Act of 1986)
■ Substance of the statute
  – real-time monitoring
  – stored information
■ How USA Patriot changed (or didn’t change) things

Page 4: Online Criminal Investigations The Usa Patriot Act

Why You Might Care About ECPA

■ Comprehensive privacy framework for communications providers
■ Regulates conduct between
  – different users
  – provider and customer
  – government and provider
■ Civil and criminal penalties for violations
■ Note: state laws may impose additional restrictions/obligations

Page 5: Online Criminal Investigations The Usa Patriot Act

Why ECPA Matters to Law Enforcement

■ As people take their lives online, crime follows; no different from the real world
■ Online records are often the key to investigating and prosecuting criminal activity
  – “cyber” crimes (network intrusions)
  – traditional crimes (threats, fraud, etc.)
■ ECPA says how and when government can (and cannot) obtain those records

Page 6: Online Criminal Investigations The Usa Patriot Act

Scope of the 1968 Wiretap Act

■ Protected two kinds of communications
  – “oral” and “wire”
  – criminal penalties and civil remedies
  – extensive procedural rules for court orders to conduct eavesdropping
■ By mid-1980s, emerging technologies created areas of uncertainty in statute as to
  – wireless telephones
  – non-voice transmissions (e.g., e-mail)

Page 7: Online Criminal Investigations The Usa Patriot Act

Concerns Addressed in ECPA (Enacted in 1986)

■ Added protection for “electronic” (non-voice!) communications to Title III
■ In addition, created a new companion chapter to regulate privacy of
  – stored communications
  – non-content information about subscribers (e.g., transactional information)
■ Also: new pen register/trap & trace statutes
  – for prospective collection of telephone calling records

Page 8: Online Criminal Investigations The Usa Patriot Act

Changes 1986-2000

■ A variety of tweaks & technical amendments
  – cordless phones
  – CALEA

Page 9: Online Criminal Investigations The Usa Patriot Act

Sweeping New Surveillance Powers Under USA Patriot Act:

A List

Page 10: Online Criminal Investigations The Usa Patriot Act

Changes 2001 (USA Patriot)

■ Structure of ECPA/Title III/Pen-Trap remains the same
■ No major expansion of authority
■ Many changes simply codify existing practice or harmonize parallel provisions of statute
■ In the following slides, a postfixed asterisk (*) indicates USA Patriot changes to prior law

Page 11: Online Criminal Investigations The Usa Patriot Act

Substantive Provisions of ECPA

Or,

Everything you know is wrong

Page 12: Online Criminal Investigations The Usa Patriot Act

Title III/ECPA & The Courts: A Love Affair

■ “famous (if not infamous) for its lack of clarity”
  – Steve Jackson Games v. United States Secret Service, 36 F.3d 457, 462 (5th Cir. 1994)
■ “fraught with trip wires”
  – Forsyth v. Barr, 19 F.3d 1527, 1543 (5th Cir. 1994)
■ “a fog of inclusions and exclusions”
  – Briggs v. American Air Filter, 630 F.2d 414, 415 (5th Cir. 1980)

Page 13: Online Criminal Investigations The Usa Patriot Act

The Major Categories

■ Real-time interception (content)
■ Real-time traffic data (non-content)
■ Stored data (content)
■ Subscriber records (non-content)

Page 14: Online Criminal Investigations The Usa Patriot Act

The Matrix

| | Acquisition in Real Time | Historical Information |
|---|---|---|
| Contents of Communications | | |
| Other Records (Subscriber and Transactional Data) | | |

Page 15: Online Criminal Investigations The Usa Patriot Act

Interception of Communications

■ The default rule under § 2511(1): do not
  – eavesdrop
  – use or disclose intercepted contents
■ Applies to oral/wire/electronic comms.

Page 16: Online Criminal Investigations The Usa Patriot Act

Penalties

■ Criminal penalties (five-year felony) [§ 2511(4)]
    » exception for first offense, wireless comms.
■ Civil damages of $10,000 per violation* plus attorney’s fees
  – USA Patriot added new language specifically imposing liability on government agents
■ Statutory suppression

Page 17: Online Criminal Investigations The Usa Patriot Act

Relevance to Computer Networks

■ Makes it illegal to install an unauthorized packet sniffer
■ In numerous federal prosecutions, defendants have pled guilty to Title III violations for such conduct

Page 18: Online Criminal Investigations The Usa Patriot Act

Exceptions to the General Prohibition

■ Publicly accessible system [§ 2511(2)(g)(i)]
  – open IRC channel/chat room
■ Consent of a party
■ System provider privileges
■ “Computer trespasser” monitoring*
■ Court-authorized intercepts

Page 19: Online Criminal Investigations The Usa Patriot Act

Consent of a Party

■ Parallels the Fourth Amendment exception
■ May be implied through
  – login banner
  – terms of service
■ Such implied consent may give an ISP authority to pass information to law enforcement and other officials

Page 20: Online Criminal Investigations The Usa Patriot Act

System Operator Privileges

■ Provider may monitor private real-time communications to protect its rights or property [§ 2511(2)(a)(i)]
  – e.g., logging every keystroke typed by a suspected intruder
  – phone companies more restricted than ISPs
■ Under same subsection, a provider may also “intercept” communications if inherently necessary to providing the service

Page 21: Online Criminal Investigations The Usa Patriot Act

“Computer Trespasser” Monitoring (USA Patriot)*

■ Problem to be solved: what rules allow government monitoring of a network intruder?
  – consent of system owner as a party?
  – “rights or property” monitoring?
  – consent of the intruder via login banner?
■ Because none of these is entirely satisfactory, new exception added
■ Note: amendment sunsets on 12/31/05

Page 22: Online Criminal Investigations The Usa Patriot Act

“Computer Trespasser” Defined

■ New 18 U.S.C. 2510(21):
  – person who accesses “without authorization”
  – definition continues: “and thus has no reasonable expectation of privacy…”
■ Excludes users who have “an existing contractual relationship” with provider
  – Congress worried about TOS violations as grounds for warrantless surveillance
  – there is an opportunity to gain consent from such users
  – without it, possible constitutional problems

Page 23: Online Criminal Investigations The Usa Patriot Act

Limits of the New “Computer Trespasser” Exception

■ Interception under this exception has several prerequisites
  – consent of the owner
  – under color of law
  – relevant to an official investigation, and
  – cannot acquire communications other than those to/from the trespasser

Page 24: Online Criminal Investigations The Usa Patriot Act

Court-Authorized Monitoring

■ Requires a kind of “super-warrant”
  – § 2518
■ Good for 30 days maximum
■ Necessity, minimization requirements
■ Only available for specified offenses
■ Ten-day reporting
■ Sealing

Page 25: Online Criminal Investigations The Usa Patriot Act

Types of Electronic Communications Intercepts

■ Cloned pagers
■ “Keystroking”
  – common in network intrusion cases
■ “Cloning” an e-mail account

Page 26: Online Criminal Investigations The Usa Patriot Act

The Matrix

| | Acquisition in Real Time | Historical Information |
|---|---|---|
| Contents of Communications | Title III order or consent, generally | |
| Other Records (Subscriber and Transactional Data) | | |

Page 27: Online Criminal Investigations The Usa Patriot Act

The Matrix

| | Acquisition in Real Time | Historical Information |
|---|---|---|
| Contents of Communications | Title III order or consent, generally | |
| Other Records (Subscriber and Transactional Data) | | |

Page 28: Online Criminal Investigations The Usa Patriot Act

Real-Time Collection of Non-Content Records

■ Governed by the pen register/trap and trace statute (originally enacted in 1986)
■ Like the Wiretap Act, begins with a general prohibition
  – criminal penalties for violations
■ Exceptions for
  – provider self-protection
  – consent of customer (think “Caller ID”)
  – court order

Page 29: Online Criminal Investigations The Usa Patriot Act

How Things (Didn’t) Change As a Result of USA Patriot

■ Pre-USA Patriot, language was focused on telephone records
  – the term “pen register” means a device which records or decodes electronic or other impulses which identify the numbers dialed or otherwise transmitted on the telephone line to which such device is attached (18 U.S.C. 3127(3))
■ New statute: Technology-neutral language
■ Amendments codify years of practice, orders routinely issued by courts

Page 30: Online Criminal Investigations The Usa Patriot Act

Pen Register/Trap and Trace

■ Old statute very telephone-oriented
  – “numbers dialed”
  – “telephone line”
■ Updated statute is technology neutral
  – confirms that the same rules apply to, e.g., Internet communications
■ Retains historical (and constitutional) distinction between content & non-content
■ Codifies longstanding practice under prior statute (e.g., Kopp)

Page 31: Online Criminal Investigations The Usa Patriot Act

What Can A Pen/Trap Device Collect?

■ Plainly included
  – telephone source/destination numbers
  – most e-mail header information
  – source and destination IP address and port
    » Kopp case (2000)
■ Plainly excluded:
  – subject line of e-mails
  – content of a downloaded file

Page 32: Online Criminal Investigations The Usa Patriot Act

The Device Formerly Known As “Carnivore”

■ USA Patriot mandates additional judicial oversight
■ Where law enforcement uses its own device on a public provider’s computer network pursuant to a pen/trap order (3123(a)(3)), agents must file detailed report with the authorizing court
  – e.g., date and time of installation and removal; information collected

Page 33: Online Criminal Investigations The Usa Patriot Act

New Penalties for Government Misconduct

■ New section 2712 creates explicit civil and administrative sanctions for violations of
  – wiretap statute
  – ECPA (stored records)
  – pen/trap statute
  – FISA (Foreign Intelligence Surveillance Act)
■ Minimum $10,000 civil damages
■ Mandatory 2-level administrative review for intentional violations by federal officers

Page 34: Online Criminal Investigations The Usa Patriot Act

The Matrix

| | Acquisition in Real Time | Historical Information |
|---|---|---|
| Contents of Communications | Title III order or consent, generally | |
| Other Records (Subscriber and Transactional Data) | Pen register/trap and trace order or consent | |

Page 35: Online Criminal Investigations The Usa Patriot Act

Stored Communications and Subscriber Records

18 U.S.C., Chapter 121

Page 36: Online Criminal Investigations The Usa Patriot Act

Objectives of Chapter 121

■ Regulate privacy of communications held by electronic middlemen
  – Congress sought to set the bar higher than subpoena in some cases
  – put e-mail on a par with postal letter
■ Not applicable to materials in the possession of the sender/recipient

Page 37: Online Criminal Investigations The Usa Patriot Act

Dichotomies ‘R’ Us

■ Permissive disclosure vs. mandatory
  – “may” vs. “must”
■ Content of communications vs. non-content
  – content
    » unopened e-mail vs. opened e-mail
  – non-content
    » transactional records vs. subscriber information
■ Basic rule: content receives more protection

Page 38: Online Criminal Investigations The Usa Patriot Act

Criminal Violations

■ 18 USC § 2701 prohibition
  – Illegal to access without or in excess of authorization
  – a facility through which electronic communication services are provided
  – and thereby obtain, alter, or prevent access to a wire or electronic communication;
  – while in electronic storage
■ Misdemeanor, absent aggravating factors

Page 39: Online Criminal Investigations The Usa Patriot Act

Other Enforcement Mechanisms

■ Civil remedies
  – $1,000 per violation
  – attorney’s fees
  – punitive damages

Page 40: Online Criminal Investigations The Usa Patriot Act

Subscriber Content and the System Provider

■ Any provider may freely read stored email/files of its customers
  – Bohach v. City of Reno, 932 F. Supp. 1232 (D. Nev. 1996) (pager messages)
■ A non-public provider may also freely disclose that information
  – for example, an employer

Page 41: Online Criminal Investigations The Usa Patriot Act

Public Providers and Permissive Disclosure

■ General rule: a public provider (e.g., an ISP) may not freely disclose customer content to others [18 U.S.C. § 2702]
■ Exceptions:
  – consent
  – necessary to protect rights or property of service provider
  – to law enforcement if contents inadvertently obtained, pertains to the commission of a crime
  – imminent threat of death/serious injury*

Page 42: Online Criminal Investigations The Usa Patriot Act

Permissive Disclosure and Non-Content Subscriber Information

■ Rule is short and sweet
■ Provider may disclose non-content records to anyone except a governmental entity
■ New exceptions*
  – to protect provider’s rights/property
  – threat of death/serious bodily injury
■ Pre-existing exceptions
  – appropriate legal process
  – consent of subscriber

Page 43: Online Criminal Investigations The Usa Patriot Act

Mandatory Disclosures: Legal Process Used by the Government

■ Keep in mind the same dichotomy
  – content vs. non-content
■ All governed by § 2703
■ Types of process
  – search warrant
  – subpoena (grand jury, administrative, etc.)

Page 44: Online Criminal Investigations The Usa Patriot Act

Government Access to Private Communications (Content)

■ For unopened email/voicemail < 180 days old stored on a provider’s system, government must obtain a search warrant [18 U.S.C. §2703(a)]
  – warrant operates like a subpoena
■ Congressional analogy: treat undelivered email like postal mail (see S. Ct. cases)

Page 45: Online Criminal Investigations The Usa Patriot Act

Government Access to Private Communications (Content)

■ For opened e-mail/voicemail (or other stored files), government may send provider a subpoena and notify subscriber [18 U.S.C. § 2703(b)]
  – only applicable to public providers
■ May delay notice 90 days (§ 2705(a)) if
  – destruction or tampering w/ evidence
  – intimidation of potential witnesses
  – otherwise seriously jeopardizing an investigation

Page 46: Online Criminal Investigations The Usa Patriot Act

The Matrix

| | Acquisition in Real Time | Historical Information |
|---|---|---|
| Contents of Communications | Title III order or consent, generally | Warrant (for unopened messages) or consent. Subpoena with notice (for files, opened messages) or consent |
| Other Records (Subscriber and Transactional Data) | Pen register/trap and trace order or consent | |

Page 47: Online Criminal Investigations The Usa Patriot Act

The Two Categories of Non-Content Information

■ Subscriber information
  – § 2703(c)(2)
■ Transactional records
  – § 2703(c)(1)

Page 48: Online Criminal Investigations The Usa Patriot Act

Basic Subscriber Information

■ Can be obtained through subpoena
■ Provider must give government
  – name & address of subscriber
  – local and LD telephone toll billing records
  – telephone number or other account identifier
  – type of service provided
  – length of service rendered
■ USA Patriot clarifies that this includes
  – method/means of payment (e.g., credit card number)
  – “temporary address” info (e.g., dynamic IP assignment records)

Page 49: Online Criminal Investigations The Usa Patriot Act

Transactional Records

■ Not content, not basic subscriber info
■ Everything in between
  – audit trails/logs
  – addresses of past e-mail correspondents
■ Obtain through
  – warrant
  – section 2703(d) court order
■ Note: prior to CALEA (10/94), a subpoena was sufficient

Page 50: Online Criminal Investigations The Usa Patriot Act

Section 2703(d) Orders

■ “Articulable facts” order
  – “specific and articulable facts showing that there are reasonable grounds to believe that [the specified records] are relevant and material to an ongoing criminal investigation”
■ Not as high a standard as probable cause
■ But, like warrant (& unlike subpoena), requires judicial oversight & factfinding
■ Can get non-disclosure order with it

Page 51: Online Criminal Investigations The Usa Patriot Act

The Matrix

| | Acquisition in Real Time | Historical Information |
|---|---|---|
| Contents of Communications | Title III order or consent, generally | Warrant (for unopened messages) or consent. Subpoena with notice (for files, opened messages) or consent; may delay notice |
| Other Records (Subscriber and Transactional Data) | Pen register/trap and trace order or consent | Subpoena (for basic subscriber info only). 2703(d) “specific and articulable facts” court order (for all other non-content records) |

Page 52: Online Criminal Investigations The Usa Patriot Act

Summary: Legal Process & ECPA

■ Warrant
  – required for unopened e-mail
  – can be used (but not required) for other info
■ Court order under § 2703(d)
  – opened e-mail, unopened e-mail >180 days old, or files (with prior notice)
  – transactional records
■ Subpoena
  – opened e-mail or files (with prior notice)
  – basic subscriber info

Page 53: Online Criminal Investigations The Usa Patriot Act

§ 2703(f) Requests to Preserve

■ Government can ask for anything (content or non-content) to be preserved
■ Prospective?
■ Government must still satisfy the usual standards if it wants to receive the preserved data

Page 54: Online Criminal Investigations The Usa Patriot Act

Summary of Notable Changes

■ Pen register/trap and trace statute updated
■ Enhanced disclosure by providers to protect life & limb
■ “Computer trespasser” monitoring exception added
■ Scope of “basic subscriber info” clarified
■ Expanded liability for government misuse

Page 55: Online Criminal Investigations The Usa Patriot Act

Summary

■ USA PATRIOT Act is not a sweeping expansion of surveillance authority
■ Instead, makes narrowly tailored changes to harmonize or clarify statute
■ Leaves intact the existing framework of privacy statutes

Page 56: Online Criminal Investigations The Usa Patriot Act

For More Information

■ Computer Crime Section’s home page: www.cybercrime.gov
  – legal & policy treatises on intrusions, ECPA, USA Patriot, computer search & seizure
  – mailing list for news updates
  – requests for speakers

Page 57: Online Criminal Investigations The Usa Patriot Act