Legal Considerations in Obtaining Electronic Evidence in

Online Investigations

CSC 486/586

1

Statutory Restrictions on Obtaining Electronic Evidence

Through electronic surveillance;

From ISPs & other service providers;

That includes material intended for publication

2

The Statutes

• ECPA: Electronic Communications Privacy Act of 1986 -- dictates how LE obtains information from electronic communications providers– Title III (Wiretaps) – Stored Electronic Communications

• Privacy Protection Act –– Restricts methods LE can use to obtain info

intended for publication

3

Wiretap Act, 18 USC 2511

• Prohibits “interception” of “oral,” “wire,” or “electronic communications” with a “mechanical device”

• “Interception” means real-time acquisition• Govt can get “T-III order” for oral or wire

communications only for a very specific list of felonies - Statutory suppression for violations

4

Obtaining a Title III Wiretap Order for Electronic Evidence

• ECPA applies wiretap act to electronic communications intercepted in real-time (“keystroke monitoring”)

• Federal prosecutor can get court order for electronic wiretapping on any felony; no statutory suppression remedy

• Order must be issued where “interception” occurs

5

Exceptions to warrant requirement

• If wiretapping (and don’t have court order), committing a federal felony (5 years imprisonment) unless fall within one of 4 exceptions– Provider protection exception– Consent exception– Inadvertently obtained information– Computer trespass exception

6

Provider Protection Exception • Interception authorized to protect provider (18

U.S.C. 2511(2)(a)(i))• Authorizes interception or disclosure “while

engaged in any activity which is a necessary incident to the rendition of service or the protection of the rights or property of the provider of the service.”

• Provider can give results of past monitoring to law enforcement

7

Wiretaps-Consent exception• Consent of party

– Banner– Terms of service agreement

• Consent of system operator -- No!• Dangerous to rely on implied consent

forever– When need a T-III decided on a case-by-case

basis

8

Inadvertently Obtained

• ECS provider may also disclose a communication to law enforcement if communication was inadvertently obtained and appears to pertain to the commission of a crime.– 18 U.S.C. 2511(3)(b)

9

The Computer Trespasser Exception

• Solution: new exception to Title III at 18 U.S.C. 2511(2)(i) (Subject to 4-year sunset provision)– “Computer trespasser” defined (18 U.S.C. 2510(21))

• Person who accesses “without authorization”• Definition continues: “and thus has no reasonable expectation

of privacy…”

– Excludes users who have “an existing contractual relationship”

• Congress worried about violations of terms of service• There is an opportunity to gain consent from such users• Without it, possible constitutional problems

10

Limits of the New Exception

• Interception under this exception requires:– Consent of the owner– Under color of law– Relevant to an investigation– Cannot acquire communications other than

to/from the trespasser

• May combine this authority with other exceptions, such as consent

11

Stored Communications and Transactional Records

12

Stored Electronic Communications Act

• Dictates how and when LE may obtain information from Internet Service Providers, Telcos, other computing service providers– Enacted in 1986 as part of “ECPA”– Codified at 18 USC 2701 et seq– Modified (slightly) by Patriot Act

13

Government Access to Customer Communications and Records

• These provisions apply only to info held on provider’s system, not to standalone PC

• Content of communications vs. non-content– content

• unopened e-mail vs. opened e-mail

– non-content• transactional records vs. subscriber information

• Basic rule: content receives more protection

14

Stored Electronic Communications Act - Overview• Covers 3 categories of information• Held by ECS or RCS --

– Content– Basic subscriber information– Transactional Records (everything else)

• Substantive provisions– a. When services may disclose– b. When services must disclose

• Remedies

15

Remedies

• Civil damages exclusively (2707, 08)

• No suppression remedy for non-constitutional violation– but decision in McVeigh (gay Navy officer with

AOL account) granted suppression remedy, voided administrative action (discharge)

17

Stored Electronic Communications: Key Terms

• “Electronic Communication Service Provider”

• “Remote Communications Service Provider”

A

B

ECS

A RCS

18

Provisions of the Stored Electronic Communications Act

• 18 USC 2701: Prohibits:– Accessing without or in excess of authorization; – A facility through which electronic

communication services are provided;– And thereby obtain, alter, or prevent access to a

wire or electronic communication;– While in electronic storage

• Misdemeanor19

When ECS or RCS May Disclose (2702)

• If public, prohibited from voluntarily disclosing the content of stored electronic communications

• Exceptions:– consent– necessary to protect property of service provider– to law enforcement if contents inadvertently

obtained, pertains to the commission of a crime• If not public, not so constrained, as to any of the three

classes of information

20

Requiring Disclosure of Information from ECS or RCS2703: Three categories:

• Content

• Basic subscriber information

• Transactional Records (everything else)

21

Stored Wire and Electronic Communications Act - Content

• E-mail and voice mail in electronic storage– Which is: “Any temporary, intermediate

storage of a wire or electronic communication” incidental to transmission, or intended to be a backup

• Once opened, no longer protected

• Protects customers and subscribers: the real party of interest

22

Obtaining Content of E-mails

For ECS, if unopened and in storage for less than 180 days, search warrant (2703(a))– Warrant operates like a subpoena– Patriot Act gave nation-wide effect to warrants

• Must be issued by court having jurisdiction over the offense

• No notice to customer necessary

23

Obtaining Electronic ContentNot In “Electronic Storage”

• What’s not in “electronic storage”?– opened e-mail

– files (text, database, programs, etc.)

• As to this category, statute protects only materials stored with a provider “to the public”– excludes, e.g., private corporate networks

– if provider isn’t public, investigator can use a normal subpoena to compel disclosure

24

Obtaining Content (cont.)• For ECS if more than 180 days or for RCS

– Warrant

– Subpoena with notice

• May delay notice 90 days (2705) if show --– destruction or tampering w/ evidence

– intimidation of potential witnesses

– otherwise seriously jeopardizing an investigation

• May extend delay an additional 90-days

25

Obtaining the Contents of Voice Mail

• Pre-Patriot Act: If unopened, obtainable only with a Title III order– § 2703 inapplicable by its own terms

• Patriot Act included contents of voice mail into 2703(b)

26

Basic Subscriber Information

• Can be obtained through subpoena• Gives you only: name, address, telephone toll

billing records, telephone number, type of service provided, and length of service rendered

• Patriot Act added connection records, session times, and temp assigned IP addresses

• Do not subpoena “all customer records”

27

Transactional Records

• Not content, not basic subscriber information

• Everything in between– financial information (e.g., credit card)– audit trails/logs– web sites visited– identities of e-mail correspondents– cell site data from cellular/PCS carriers

28

Transactional Records

• Obtain through – Warrant– Consent of customer– Articulable facts order (can get non-disclosure

order): “specific and articulable facts showing that there are reasonable grounds to believe that [the specified records] are relevant and material to an ongoing criminal investigation.” (2703(d) order)

29

Summary: Legal Process & ECPA

• Warrant – required for unopened e-mail

• Court order under § 2703(d)– opened e-mail or files (with prior notice)– transactional records

• Subpoena– opened e-mail or files (with prior notice)– basic subscriber info

30

Overview of 2703 processes for public ESPs

Subject matter Legal process

Unopened (“fresh”) email <= 180 days

Search warrant

Other email; RCS material

subpoena/2703(d) + notice (or S.W.)

Non-basic info. (“txn records”)

2703(d) (or S.W.)

Basic subscriber info subpoena (or 2703(d) or S.W.)

31

Process• Can talk to ECS/RCS in advance about

what you want, what they may have• May request provider for 90 days, to “take

all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.” 2703(f)– Only for information already in their

possession, not future information

32

Cable Problems• 47 USC § 551. Protection of subscriber privacy• Restricts dissemination by cable provider of

“personally identifiable information” collected by cable operator – “Personally identifiable information”?– Restriction applies to PII collected as part of

providing “other services”• “Other services” include “wire or radio

communications” provided using facilities of cable operator

33

Cable Problems -- Cont’d

47 USC § 551(h) Disclosure of information to governmental entity pursuant to court order

• A governmental entity may obtain personally identifiable information concerning a cable subscriber pursuant to a court order only if, in the court proceeding relevant to such court order--

(1) such entity offers clear and convincing evidence that the subject of the information is reasonably suspected of engaging in criminal activity and that the information sought would be material evidence in the case; and

(2) the subject of the information is afforded the opportunity to appear and contest such entity's claim.

34

Patriot Act Cable Fix

• Added 47 USC 551(c)(2)(D) – ECPA governs access to cable Internet service– Provisions of Sec. 551 still govern access to

traditional cable services

35

The Privacy Protection Act

36

Privacy Protection Act

• 42 USC 2000AA

• Response to Zucher v. Stanford Daily

37

Privacy Protection Act

• Protects material intended for dissemination to the public:– Work product (e.g., book in progress)

• Prepared for communication and intended for dissemination to the public (included impressions, conclusions, opinions, theories)

– Documentary materials (materials used to produce “work product”)

• Defined as media which holds info used “in connection with” work product materials

• Includes e.g. photo/film/tape/disk.

38

Privacy Protection Act

• Must use a subpoena to obtain work product, documentary materials in the possession of a person reasonably believed to have a purpose to disseminate it.

39

Exceptions Allowing Use of Search Warrant/Seizure

• Contraband or fruits or instrumentalities of a crime

• Exigent circumstances• Probable cause that person possessing such

material has committed or is committing a criminal offense– Except if mere possession offense

• Except classified material or child pornography

40

The PPA in an Electronic Environment

• Anyone with a modem can be a publisher• Problems of commingling, connections• If need to seize protected materials, obtain DAAG

approval--through CCIPS• Subject to civil penalties, not suppression• Guest v. Leis -- can seize PPA materials

“incidental to lawful search”• Be reasonable: The 300,000 lessons of Steve

Jackson Games

41

WHERE TO GET MORE INFORMATION

• CCIPS phone number: 202-514-1026

• Computer Crime Section’s page on the World Wide Web:

http://www.usdoj.gov/criminal/cybercrime

or

http://www.cybercrime.gov

42

43

Questions???

Use the discussion board, as usual…

44