1

ISPs and Federal Privacy Law:ISPs and Federal Privacy Law:Everything You Need to Know Everything You Need to Know

About the Electronic About the Electronic Communications Privacy Act Communications Privacy Act

(ECPA)(ECPA)

Mark EckenwilerMark Eckenwiler

Computer Crime and Intellectual Property SectionComputer Crime and Intellectual Property SectionU.S. Department of JusticeU.S. Department of Justice

2

The Computer Crime and The Computer Crime and Intellectual Property SectionIntellectual Property Section

Founded in 1991 as Computer Crime UnitFounded in 1991 as Computer Crime Unit Current staff of 22 attorneysCurrent staff of 22 attorneys Mission of CCIPSMission of CCIPS

– Combat computer crime and IP crimesCombat computer crime and IP crimes– Develop enforcement policyDevelop enforcement policy– Train agents and prosecutorsTrain agents and prosecutors– Contribute to public awareness of the issuesContribute to public awareness of the issues– Promote international cooperationPromote international cooperation– Propose and comment on federal legislationPropose and comment on federal legislation

3

Why You Might Care Why You Might Care About ECPAAbout ECPA

Comprehensive privacy framework for Comprehensive privacy framework for communications providerscommunications providers

Regulates conduct betweenRegulates conduct between– different usersdifferent users– provider and customerprovider and customer– government and providergovernment and provider

Civil and criminal penalties for violationsCivil and criminal penalties for violations Note: state laws may impose additional Note: state laws may impose additional

restrictions/obligationsrestrictions/obligations

4

Why ECPA Matters toWhy ECPA Matters toLaw EnforcementLaw Enforcement

As people take their lives online, crime As people take their lives online, crime follows; no different from the real worldfollows; no different from the real world

Online records are often the key to Online records are often the key to investigating and prosecuting criminal activityinvestigating and prosecuting criminal activity– ““cyber” crimes (network intrusions)cyber” crimes (network intrusions)

– traditional crimes (threats, fraud, etc.)traditional crimes (threats, fraud, etc.) ECPA says how and when government can ECPA says how and when government can

(and cannot) obtain those records(and cannot) obtain those records

5

Substantive ProvisionsSubstantive Provisionsof ECPAof ECPA

Or, Or,

Everything you know is wrongEverything you know is wrong

6

ECPA & The Courts:ECPA & The Courts:A Love AffairA Love Affair

““famous (if not infamous) for its lack of clarity”famous (if not infamous) for its lack of clarity”– Steve Jackson Games v. United States Secret Service,Steve Jackson Games v. United States Secret Service,

36 F.3d 457, 462 (5th Cir. 1994)36 F.3d 457, 462 (5th Cir. 1994) ““fraught with trip wires”fraught with trip wires”

– Forsyth v. BarrForsyth v. Barr, 19 F.3d 1527, 1543 (5th Cir. 1994), 19 F.3d 1527, 1543 (5th Cir. 1994) ““a fog of inclusions and exclusions”a fog of inclusions and exclusions”

– Briggs v. American Air FilterBriggs v. American Air Filter, 630 F.2d 414, 415 , 630 F.2d 414, 415 (5th Cir. 1980)(5th Cir. 1980)

7

The MatrixThe Matrix

Acquisition inReal Time

HistoricalInformation

Contents ofCommunications

Other Records(Subscriber andTransactionalData)

8

Real-Time Acquisition of Real-Time Acquisition of Communications (Interception)Communications (Interception)

The default rule under § 2511(1): do not The default rule under § 2511(1): do not – eavesdrop on others’ communicationseavesdrop on others’ communications

– use or disclose illegally intercepted contentsuse or disclose illegally intercepted contents Applies to oral/wire/electronic comms.Applies to oral/wire/electronic comms. Violations may lead toViolations may lead to

– criminal penalties (5-year felony) [§ 2511(4)]criminal penalties (5-year felony) [§ 2511(4)]» exception for first offense, wireless comms.exception for first offense, wireless comms.

– civil damages of $10,000 per violationcivil damages of $10,000 per violation

– suppressionsuppression

9

Relevance to Computer Relevance to Computer NetworksNetworks

Makes it illegal to install an unauthorized Makes it illegal to install an unauthorized packet snifferpacket sniffer

In several recent federal prosecutions, In several recent federal prosecutions, defendants have pled guilty to interception defendants have pled guilty to interception violations violations – e.g.e.g., Cloverdale minors, Cloverdale minors

10

Exceptions to the Exceptions to the General ProhibitionGeneral Prohibition

Publicly accessible system [§ 2511(2)(g)(i)]Publicly accessible system [§ 2511(2)(g)(i)]– open chat room/IRC channelopen chat room/IRC channel

Consent of a partyConsent of a party System provider privilegesSystem provider privileges Court-authorized interceptsCourt-authorized intercepts

11

Consent of a PartyConsent of a Party

May be implied throughMay be implied through– login bannerlogin banner– terms of serviceterms of service

Implied consent may give an ISP authority Implied consent may give an ISP authority to pass information to law enforcement and to pass information to law enforcement and other officialsother officials

12

System Operator PrivilegesSystem Operator Privileges

Provider may monitor private real-time Provider may monitor private real-time communications communications to protect its rights or propertyto protect its rights or property [§ 2511(2)(a)(i)][§ 2511(2)(a)(i)]– e.g.e.g., logging every keystroke typed by a suspected , logging every keystroke typed by a suspected

intruderintruder– phone companies more restricted than ISPsphone companies more restricted than ISPs

Under same subsection, a provider may also Under same subsection, a provider may also intercept communications if inherently intercept communications if inherently necessary to providing the servicenecessary to providing the service

13

Court-Authorized MonitoringCourt-Authorized Monitoring

Requires a kind of “super-warrant”Requires a kind of “super-warrant”

– a/k/a “Title III order” (or T-3)a/k/a “Title III order” (or T-3)– § 2518§ 2518

Good for 30 days maximumGood for 30 days maximum Necessity, minimization requirementsNecessity, minimization requirements Ten-day reportingTen-day reporting SealingSealing

14

Types of Wiretap OrdersTypes of Wiretap OrdersYou May EncounterYou May Encounter

KeystrokingKeystroking– common in network intrusion casescommon in network intrusion cases

Cloning an e-mail accountCloning an e-mail account

15

The MatrixThe Matrix

Acquisition inReal Time

HistoricalInformation

Contents ofCommunications

Title III order or consent,generally

Other Records(Subscriber andTransactionalData)

16

Real-Time Transactional RecordsReal-Time Transactional Records

The pen register/trap and trace statute (same as The pen register/trap and trace statute (same as for telephones) appliesfor telephones) applies

Law enforcement may obtain a court order to Law enforcement may obtain a court order to gather prospective non-content information gather prospective non-content information about a user, such asabout a user, such as– addresses on in/outbound e-mailaddresses on in/outbound e-mail– inbound FTP connectionsinbound FTP connections– where remote user is logging in from (dialup? where remote user is logging in from (dialup?

remote IP address?)remote IP address?)

17

The MatrixThe Matrix

Acquisition inReal Time

HistoricalInformation

Contents ofCommunications

Title III order or consent,generally

Other Records(Subscriber andTransactionalData)

Pen register/trap and traceorder or consent

18

Stored CommunicationsStored Communicationsand Historical Recordsand Historical Records

19

Dichotomies ‘R’ UsDichotomies ‘R’ Us

Permissive disclosure vs. mandatoryPermissive disclosure vs. mandatory– ““may” vs. “must”may” vs. “must”

Content of communications vs. non-contentContent of communications vs. non-content– contentcontent

» unopened e-mail vs. opened e-mailunopened e-mail vs. opened e-mail

– non-contentnon-content» transactional records vs. subscriber informationtransactional records vs. subscriber information

Basic rule: content receives more protectionBasic rule: content receives more protection

20

Penalties for Stored Records & Penalties for Stored Records & Communications ViolationsCommunications Violations

Civil remedies [18 U.S.C. § 2707]Civil remedies [18 U.S.C. § 2707]– $1,000 minimum per violation$1,000 minimum per violation– attorneys’ feesattorneys’ fees

Criminal remedies [§ 2701]Criminal remedies [§ 2701]– only for accessing stored communications only for accessing stored communications

without authorization (without authorization (e.g.e.g., one user snooping , one user snooping in another’s inbox)in another’s inbox)

– inapplicable to the provider [§ 2701(c)(3)]inapplicable to the provider [§ 2701(c)(3)]

21

Subscriber Content Subscriber Content and the System Providerand the System Provider

Any provider may freely Any provider may freely readread stored stored e-mail or files of its customerse-mail or files of its customers– Bohach v. City of RenoBohach v. City of Reno, 932 F. Supp. 1232 (D. , 932 F. Supp. 1232 (D.

Nev. 1996) (pager messages)Nev. 1996) (pager messages) While ECPA imposes no prohibition, While ECPA imposes no prohibition,

contractual agreement with customer may contractual agreement with customer may limit right of accesslimit right of access

22

Public Providers and Public Providers and Permissive DisclosurePermissive Disclosure

General rule: a public provider (General rule: a public provider (e.g.e.g., an ISP) , an ISP) may not freely may not freely disclosedisclose customer content to customer content to others [18 U.S.C. § 2702]others [18 U.S.C. § 2702]

Exceptions includeExceptions include– subscriber consentsubscriber consent– necessary to protect rights or property of service necessary to protect rights or property of service

providerprovider– to law enforcement if contents inadvertently to law enforcement if contents inadvertently

obtained, pertains to the commission of a crimeobtained, pertains to the commission of a crime

23

Government Access to Stored Government Access to Stored Communications ContentCommunications Content

For unretrieved e-mail < 181 days old For unretrieved e-mail < 181 days old stored on a provider’s system, government stored on a provider’s system, government must obtain a search warrant [18 U.S.C. must obtain a search warrant [18 U.S.C. § 2703(a)]§ 2703(a)]– Warrant operates like a subpoenaWarrant operates like a subpoena

24

Government Access to Stored Government Access to Stored Communications ContentCommunications Content

For opened e-mail (or other stored files), For opened e-mail (or other stored files), government may send provider a subpoena government may send provider a subpoena and notify subscriber in advance and notify subscriber in advance [18 U.S.C. [18 U.S.C. § 2703(b)]§ 2703(b)]– government may delay notice 90 days in certain government may delay notice 90 days in certain

cases (§ 2705(a))cases (§ 2705(a))– no notice to subscriber required if not a no notice to subscriber required if not a

provider “to the public”provider “to the public”

25

The MatrixThe Matrix

Acquisition inReal Time

HistoricalInformation

Warrant (for unopenedemail) or consent

Contents ofCommunications

Title III order or consent,generally

Subpoena with notice (forfiles, opened e-mail) orconsent

Other Records(Subscriber andTransactionalData)

Pen register/trap and traceorder or consent

26

Permissive Disclosure and Non-Permissive Disclosure and Non-Content Subscriber InformationContent Subscriber Information

Rule is short and sweetRule is short and sweet Provider may disclose non-content records Provider may disclose non-content records

to anyone to anyone exceptexcept a governmental entity a governmental entity Government needs Government needs

– appropriate legal process appropriate legal process – or consent of subscriberor consent of subscriber

27

The Two Categories ofThe Two Categories ofNon-Content InformationNon-Content Information

Basic subscriber informationBasic subscriber information– §2703(c)(1)(C)§2703(c)(1)(C)

Transactional recordsTransactional records– § 2703(c)(1)(B)§ 2703(c)(1)(B)

28

Basic Subscriber InformationBasic Subscriber Information

Can be obtained through subpoenaCan be obtained through subpoena Provider must give governmentProvider must give government

– name of subscribername of subscriber– addressaddress– local and LD telephone toll billing recordslocal and LD telephone toll billing records– telephone number or other account identifiertelephone number or other account identifier– type of service providedtype of service provided– length of service rendered length of service rendered

29

Transactional RecordsTransactional Records

Not content, not basic subscriber infoNot content, not basic subscriber info Everything in betweenEverything in between

– past audit trails/logspast audit trails/logs– addresses of past e-mail correspondentsaddresses of past e-mail correspondents

Government may compel via a “section Government may compel via a “section 2703(d) court order”2703(d) court order”

30

Section 2703(d) Court OrdersSection 2703(d) Court Orders

a/k/a “articulable facts” order a/k/a “articulable facts” order – ““specific and articulable factsspecific and articulable facts showing that showing that

there are reasonable grounds to believe that [the there are reasonable grounds to believe that [the specified records] are specified records] are relevant and material to relevant and material to an ongoing criminal investigationan ongoing criminal investigation””

A lower standard than probable causeA lower standard than probable cause Like warrant (& unlike subpoena), requires Like warrant (& unlike subpoena), requires

judicial oversight & factfindingjudicial oversight & factfinding

31

The MatrixThe Matrix

Acquisition inReal Time

HistoricalInformation

Warrant (for unopenedemail) or consent

Contents ofCommunications

Title III order orconsent, generally

Subpoena with notice (forfiles, opened e-mail) orconsent; may delay notice

Subpoena (for basicsubscriber info only),consent

Other Records(Subscriber andTransactionalData)

Pen register/trap andtrace order or consent

2703(d) “specific andarticulable facts” courtorder (for all other non-content records), consent

32

Summary: Summary: Legal Process & ECPALegal Process & ECPA Warrant Warrant

– unopened e-mailunopened e-mail Court order under § 2703(d)Court order under § 2703(d)

– transactional recordstransactional records SubpoenaSubpoena

– opened e-mail, unopened e-mail >180 days old, or stored files opened e-mail, unopened e-mail >180 days old, or stored files – basic subscriber infobasic subscriber info

Higher-order process always validHigher-order process always valid– e.g., warrant can compel transactional logse.g., warrant can compel transactional logs

33

ECPA In Practice: A ScenarioECPA In Practice: A Scenario

A victim reports a threat of physical injury via A victim reports a threat of physical injury via e-mail from StalkNU@isp.come-mail from StalkNU@isp.com

To determine StalkNU’s identity, gov’t would To determine StalkNU’s identity, gov’t would serve a serve a on isp.com on isp.com

For the target’s login records, gov’t serves a For the target’s login records, gov’t serves a ______________ on isp.com on isp.com

To obtain all the e-mail (opened and unopened) To obtain all the e-mail (opened and unopened) in target’s account, gov’t serves a in target’s account, gov’t serves a ________________

34

Preclusion of NoticePreclusion of Notice

In criminal investigations, general policy is In criminal investigations, general policy is to avoid tipping off targetto avoid tipping off target

Under ECPA, government may ask a court Under ECPA, government may ask a court to prohibit ISP from notifying subscriber to prohibit ISP from notifying subscriber that records have been requested from ISP that records have been requested from ISP [§ 2705(b)][§ 2705(b)]

35

§ 2703(f) Requests to Preserve§ 2703(f) Requests to Preserve

Government can ask for any existing Government can ask for any existing records (content or non-content) to be records (content or non-content) to be preservedpreserved– no court order requiredno court order required– does not apply prospectivelydoes not apply prospectively

Government must still satisfy the usual Government must still satisfy the usual standards if it wants to standards if it wants to receivereceive the the preserved datapreserved data

36

SummarySummary

For better or worse, ECPA shapes your For better or worse, ECPA shapes your destinydestiny

Benefits of understanding (and complying Benefits of understanding (and complying with) the statute includewith) the statute include– avoiding civil & criminal liabilityavoiding civil & criminal liability– smoother relations with law enforcementsmoother relations with law enforcement

37

Where To Get More InformationWhere To Get More Information

Computer Crime Section’s phone number: Computer Crime Section’s phone number: 202-514-1026202-514-1026

Computer Crime Section’s home page: Computer Crime Section’s home page: http://www.cybercrime.govhttp://www.cybercrime.gov