A Gentle Introduction to the Electronic Communications
Paul Ohm
Associate Professor, CU Law
Initiative Director, Silicon Flatirons
December 4, 2009
Background and History
Wiretap Act and Pen Register and Trap and Trace Act
Stored Communications Act
1928: Olmstead v. United States
1934: Communications Act
1967: Katz v. United States
1968: Omnibus Crime Control and Safe Streets Act: Title III (Wiretap Act)
1986: Electronic Communications Privacy Act
2001: USA PATRIOT Act
Privacy on telephone and data networks
Rules for government access
Rules for sharing by providers
Criminalizes certain privacy invasions
The Wiretap Act governs monitoring in real-time
• Traditional telephone wiretaps
• Internet packet sniffers
The Wiretap Act prohibits the interception of wire or electronic communications
Five-year felony
Unless an exception applies
Dozens
Several used commonly in criminal investigations
• Court order
• Consent of a party to the communication
• Provider self defense
Wiretap order permits interception
Many hurdles
• “Super warrant”
• Probable cause
• Limited time
• Minimization
• Necessity
Interception allowed if a “party to the communication has given prior consent to such interception”
Possible sources:
• Banner
• Terms of service
• Employment agreements
Provider can monitor to “protect the rights or property of the provider”
Provider can share results of past monitoring with law enforcement
The Pen Register and Trap and Trace Act governs real-time collection of non-content information about a user such as:
• Addresses on inbound/outbound email
• Internet addresses for websites visited by a user
• List of addresses from which visitors to website originate
Does not include content
Almost no hurdle for government whatsoever
The Stored Communications Act governs stored information held by certain communications providers
Type of Provider
• To the public versus only non-public
• Providing communications versus storage/processing services
• Providing those services versus other services
For Content
• Fresh versus stale
• Unopened email versus opened email
For Non-content
• Detailed transactional records versus basic subscriber information
“Electronic Communications Services”
• Email
• Phone
• IM
• Text messages
“Remote Computing Services”
• Computer storage: Online backup services, photo hosting
• Processing services: Amazon’s EC2
Google search
Google books
CNN.com
Amazon / eBay
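Stored Communications Act (Title II of the Electronic Communications Privacy Act of 1986)

Traditional Understanding: ECS: Unopened email in storage 180 days or less
Theofel v. Farey-Jones: ECS: E-mail in storage 180 days or less
• Voluntary Disclosure Allowed? Public Provider: No, unless § 2702(b) exception applies [ § 2702(a)(1) ]
• Voluntary Disclosure Allowed? Non-Public Provider: Yes [ § 2702(a)(1) ]
• Mechanisms to Compel Disclosure, Public Provider: Search warrant [ § 2703(a) ]
• Mechanisms to Compel Disclosure, Non-Public Provider: Search warrant [ § 2703(a) ]

Traditional Understanding: ECS: Unopened e-mail in storage more than 180 days
Theofel v. Farey-Jones: ECS: E-mail in storage more than 180 days
• Voluntary Disclosure Allowed? Public Provider: No, unless § 2702(b) exception applies [ § 2702(a)(1) ]
• Voluntary Disclosure Allowed? Non-Public Provider: Yes [ § 2702(a)(1) ]
• Mechanisms to Compel Disclosure, Public Provider: Subpoena with notice; 2703(d) order with notice; or search warrant [ § 2703(a,b) ]
• Mechanisms to Compel Disclosure, Non-Public Provider: Subpoena with notice; 2703(d) order with notice; or search warrant [ § 2703(a,b) ]

Traditional Understanding: RCS: Opened e-mail, other content files being remotely stored or processed
Theofel v. Farey-Jones: RCS: Files not covered above being remotely stored or processed
• Voluntary Disclosure Allowed? Public Provider: No, unless § 2702(b) exception applies [ § 2702(a)(2) ]
• Voluntary Disclosure Allowed? Non-Public Provider: Yes [ § 2702(a)(2) ]
• Mechanisms to Compel Disclosure, Public Provider: Subpoena with notice; 2703(d) order with notice; or search warrant [ § 2703(b) ]
• Mechanisms to Compel Disclosure, Non-Public Provider: SCA doesn't apply [ § 2711(2) ]

Traditional Understanding: Most non-content records
Theofel v. Farey-Jones: Most non-content records
• Voluntary Disclosure Allowed? Public Provider: No, unless § 2702(c) exception applies [ § 2702(a)(3) ]
• Voluntary Disclosure Allowed? Non-Public Provider: Yes [ § 2702(a)(3) ]
• Mechanisms to Compel Disclosure, Public Provider: 2703(d) order or search warrant [ § 2703(c)(1) ]
• Mechanisms to Compel Disclosure, Non-Public Provider: 2703(d) order or search warrant [ § 2703(c)(1) ]

Traditional Understanding: Basic subscriber information, session logs, IP addresses
Theofel v. Farey-Jones: Basic subscriber information, session logs, IP addresses
• Voluntary Disclosure Allowed? Public Provider: No, unless § 2702(c) exception applies [ § 2702(a)(3) ]
• Voluntary Disclosure Allowed? Non-Public Provider: Yes [ § 2702(a)(3) ]
• Mechanisms to Compel Disclosure, Public Provider: Subpoena; 2703(d) order; or search warrant [ § 2703(c)(2) ]
• Mechanisms to Compel Disclosure, Non-Public Provider: Subpoena; 2703(d) order; or search warrant [ § 2703(c)(2) ]
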
Basic Subscriber Information can be obtained with a mere subpoena
Means
• Name & address
• Local and LD telephone toll billing records
• Telephone number or other account identifier (such as username or “screen name”)
• Length & type of service provided
• Session times and duration
• Temporarily assigned network address
• Means and source of payment
Everything that is not basic subscriber information but is also not content
Means
• Audit trails / logfiles
• Identities of e-mail correspondents
Can be obtained with a court order
• 2703(d) order
• “specific and articulable facts showing that there are reasonable grounds to believe that [the requested records] are relevant and material to an ongoing criminal investigation”
Rules are somewhat in flux due to Theofel v. Farey-Jones, 341 F.3d 978 (9th Cir. 2003)
Some contents require a search warrant
• Pre-Theofel: Unopened email
• Theofel: All email
Some contents obtainable with mere subpoena
• Pre-Theofel: Opened email
• Theofel: Almost no email
• Also: Non-email stored files, stale email
Subpoena must include notice to subscriber
• May be delayed 90 days
Providers not to the public may disclose anything to anyone. Unregulated by SCA
Providers to the public must look to statutory exceptions
Public providers may voluntarily share non-content with any non-governmental party for any reason
Public providers may voluntarily share non-content and content with government only when:
• Consent to do so exists (terms of service)
• To protect rights and property
• If provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure
Three panels
Two on ECPA reform