Transcript ECPA Primer

ISPs and Federal Privacy Law:
Everything You Need to Know About
the Electronic Communications
Privacy Act (ECPA)
Mark Eckenwiler
Computer Crime and Intellectual Property Section
U.S. Department of Justice
1
The Computer Crime and
Intellectual Property Section
Founded in 1991 as Computer Crime Unit
 Current staff of 22 attorneys
 Mission of CCIPS

–
–
–
–
–
–
Combat computer crime and IP crimes
Develop enforcement policy
Train agents and prosecutors
Contribute to public awareness of the issues
Promote international cooperation
Propose and comment on federal legislation
2
Why You Might Care
About ECPA
Comprehensive privacy framework for
communications providers
 Regulates conduct between

– different users
– provider and customer
– government and provider
Civil and criminal penalties for violations
 Note: state laws may impose additional
restrictions/obligations

3
Why ECPA Matters to
Law Enforcement
As people take their lives online, crime
follows; no different from the real world
 Online records are often the key to
investigating and prosecuting criminal
activity

– “cyber” crimes (network intrusions)
– traditional crimes (threats, fraud, etc.)

ECPA says how and when government can
(and cannot) obtain those records
4
Substantive Provisions
of ECPA
Or,
Everything you know is wrong
5
ECPA & The Courts:
A Love Affair

“famous (if not infamous) for its lack of
clarity”
– Steve Jackson Games v. United States Secret
Service, 36 F.3d 457, 462 (5th Cir. 1994)

“fraught with trip wires”
– Forsyth v. Barr, 19 F.3d 1527, 1543 (5th Cir.
1994)

“a fog of inclusions and exclusions”
– Briggs v. American Air Filter, 630 F.2d 414,
415 (5th Cir. 1980)
6
The Matrix
Acquisition in
Real Time
Historical
Information
Contents of
Communications
Other Records
(Subscriber and
Transactional
Data)
7
Real-Time Acquisition of
Communications (Interception)

The default rule under § 2511(1): do not
– eavesdrop on others’ communications
– use or disclose illegally intercepted contents
Applies to oral/wire/electronic comms.
 Violations may lead to

– criminal penalties (5-year felony) [§ 2511(4)]
» exception for first offense, wireless comms.
– civil damages of $10,000 per violation
– suppression
8
Relevance to Computer Networks
Makes it illegal to install an unauthorized
packet sniffer
 In several recent federal prosecutions,
defendants have pled guilty to interception
violations

– e.g., Cloverdale minors
9
Exceptions to the
General Prohibition

Publicly accessible system [§ 2511(2)(g)(i)]
– open chat room/IRC channel
Consent of a party
 System provider privileges
 Court-authorized intercepts

10
Consent of a Party

May be implied through
– login banner
– terms of service

Implied consent may give an ISP authority
to pass information to law enforcement and
other officials
11
System Operator Privileges

Provider may monitor private real-time
communications to protect its rights or
property [§ 2511(2)(a)(i)]
– e.g., logging every keystroke typed by a
suspected intruder
– phone companies more restricted than ISPs

Under same subsection, a provider may also
intercept communications if inherently
necessary to providing the service
12
Court-Authorized Monitoring

Requires a kind of “super-warrant”
– a/k/a “Title III order” (or T-3)
– § 2518
Good for 30 days maximum
 Necessity, minimization requirements
 Ten-day reporting
 Sealing

13
Types of Wiretap Orders
You May Encounter

Keystroking
– common in network intrusion cases

Cloning an e-mail account
14
The Matrix
Acquisition in
Real Time
Contents of
Communications
Historical
Information
Title III order or consent,
generally
Other Records
(Subscriber and
Transactional
Data)
15
Real-Time Transactional Records
The pen register/trap and trace statute (same
as for telephones) applies
 Law enforcement may obtain a court order
to gather prospective non-content
information about a user, such as

– addresses on in/outbound e-mail
– inbound FTP connections
– where remote user is logging in from (dialup?
remote IP address?)
16
The Matrix
Acquisition in
Real Time
Contents of
Communications
Title III order or consent,
generally
Other Records
(Subscriber and
Transactional
Data)
Pen register/trap and trace
order or consent
Historical
Information
17
Stored Communications
and Historical Records
18
Dichotomies ‘R’ Us

Permissive disclosure vs. mandatory
– “may” vs. “must”

Content of communications vs. non-content
– content
» unopened e-mail vs. opened e-mail
– non-content
» transactional records vs. subscriber information

Basic rule: content receives more protection
19
Penalties for Stored Records &
Communications Violations

Civil remedies [18 U.S.C. § 2707]
– $1,000 minimum per violation
– attorneys’ fees

Criminal remedies [§ 2701]
– only for accessing stored communications
without authorization (e.g., one user snooping
in another’s inbox)
– inapplicable to the provider [§ 2701(c)(3)]
20
Subscriber Content
and the System Provider

Any provider may freely read stored
e-mail or files of its customers
– Bohach v. City of Reno, 932 F. Supp. 1232 (D.
Nev. 1996) (pager messages)

While ECPA imposes no prohibition,
contractual agreement with customer may
limit right of access
21
Public Providers and
Permissive Disclosure
General rule: a public provider (e.g., an ISP)
may not freely disclose customer content to
others [18 U.S.C. § 2702]
 Exceptions include

– subscriber consent
– necessary to protect rights or property of
service provider
– to law enforcement if contents inadvertently
obtained, pertains to the commission of a crime
22
Government Access to Stored
Communications Content

For unretrieved e-mail < 181 days old
stored on a provider’s system, government
must obtain a search warrant [18 U.S.C.
§ 2703(a)]
– Warrant operates like a subpoena
23
Government Access to Stored
Communications Content

For opened e-mail (or other stored files),
government may send provider a subpoena
and notify subscriber in advance [18 U.S.C.
§ 2703(b)]
– government may delay notice 90 days in certain
cases (§ 2705(a))
– no notice to subscriber required if not a
provider “to the public”
24
The Matrix
Contents of
Communications
Acquisition in
Real Time
Historical
Information
Title III order or consent,
generally
Warrant (for unopened
email) or consent
Subpoena with notice (for
files, opened e-mail) or
consent
Other Records
(Subscriber and
Transactional
Data)
Pen register/trap and trace
order or consent
25
Permissive Disclosure and NonContent Subscriber Information
Rule is short and sweet
 Provider may disclose non-content records
to anyone except a governmental entity
 Government needs

– appropriate legal process
– or consent of subscriber
26
The Two Categories of
Non-Content Information

Basic subscriber information
– §2703(c)(1)(C)

Transactional records
– § 2703(c)(1)(B)
27
Basic Subscriber Information
Can be obtained through subpoena
 Provider must give government

–
–
–
–
–
–
name of subscriber
address
local and LD telephone toll billing records
telephone number or other account identifier
type of service provided
length of service rendered
28
Transactional Records
Not content, not basic subscriber info
 Everything in between

– past audit trails/logs
– addresses of past e-mail correspondents

Government may compel via a “section
2703(d) court order”
29
Section 2703(d) Court Orders

a/k/a “articulable facts” order
– “specific and articulable facts showing that
there are reasonable grounds to believe that [the
specified records] are relevant and material to
an ongoing criminal investigation”
A lower standard than probable cause
 Like warrant (& unlike subpoena), requires
judicial oversight & factfinding

30
The Matrix
Contents of
Communications
Acquisition in
Real Time
Historical
Information
Title III order or
consent, generally
Warrant (for unopened
email) or consent
Subpoena with notice (for
files, opened e-mail) or
consent; may delay notice
Other Records
(Subscriber and
Transactional
Data)
Pen register/trap and
trace order or consent
Subpoena (for basic
subscriber info only),
consent
2703(d) “specific and
articulable facts” court
order (for all other noncontent records), consent
31
Summary:
Legal Process & ECPA

Warrant
– unopened e-mail

Court order under § 2703(d)
– transactional records

Subpoena
– opened e-mail, unopened e-mail >180 days old,
or stored files
– basic subscriber info

Higher-order process always valid
– e.g., warrant can compel transactional logs
32
ECPA In Practice: A Scenario
A victim reports a threat of physical injury
via e-mail from [email protected]
 To determine StalkNU’s identity, gov’t
would serve a
on isp.com
 For the target’s login records, gov’t serves a
_______ on isp.com
 To obtain all the e-mail (opened and
unopened) in target’s account, gov’t serves a
________
33

Preclusion of Notice
In criminal investigations, general policy is
to avoid tipping off target
 Under ECPA, government may ask a court
to prohibit ISP from notifying subscriber
that records have been requested from ISP
[§ 2705(b)]

34
§ 2703(f) Requests to Preserve

Government can ask for any existing
records (content or non-content) to be
preserved
– no court order required
– does not apply prospectively

Government must still satisfy the usual
standards if it wants to receive the preserved
data
35
Summary
For better or worse, ECPA shapes your
destiny
 Benefits of understanding (and complying
with) the statute include

– avoiding civil & criminal liability
– smoother relations with law enforcement
36
Where To Get More Information
Computer Crime Section’s phone number:
202-514-1026
 Computer Crime Section’s home page:
http://www.cybercrime.gov

37