Legal Framework Regulating Outside the Box Investigations
Thomas K. Clancy
Director
www.NCJRL.org
"inside the box, outside the box"
The Box
Outside the box: network investigations
network or internet crime
• Criminals exploit technology
– E‐mail
– Chat rooms
– Instant messaging
– Message boards
– Web sites
– Internet auction sites
– Social networking sites
– Voice over IP
– Peer‐to‐Peer
– ETC ......
governmental responses: investigating on the internet / networks
three different legal frameworks for investigation
1. obtaining info that has no legal regulation
2. Fourth Amendment applicability
3. statutory regulation
using publicly available tools: no legal regulation
search engines, public web sites, chat rooms, etc.
info available using advanced Internet tools
NS lookup, Whois, Finger, Traceroute, Ping
Domain names, IP addresses, networks, contact persons
protections mostly statutory
Fourth Amendment protection for data held by networks or in remote locations is unclear
Congress / states have enacted “gap fillers”
Stored Communications Act
Wiretap Act
Pen Register / Trap and Trace
obtaining evidence
Diagram: Sender (AOL), AOL server (temporary storage), Google server (temporary storage), Recipient (G Mail). Labels: Search Warrant; Stored Communications Act.
Diagram: Sender, sender's ISP server (temporary storage), recipient's ISP server (temporary storage), Recipient. Labels: wiretap (content); pen/trap (non content).
uncertain F/A applicability outside the box
non-consensual interception of communications, etc, over the Internet to another party
example: email
possible analogies:
it's like a letter in the mail
it's like numbers dialed on a telephone
it's like any info possessed by third party
Traditional F/A doctrine
No F/A Protection from 3rd Party Disclosures to Gov't
Rationale: Risk Analysis -- Voluntary Exposure
misplaced belief to whom voluntarily confides will not reveal secret
Miller
such risk “probably inherent in the conditions of human society"
Hoffa
Peer-to-Peer (P2P) Networks
file-sharing technology --- creates virtual networks
criminal activity:
Copyright Infringement
Computer Hacking: Worms -- Viruses -- Theft of information
Child Exploitation and Pornography
How P2P Works
Considerations
User on Internet voluntarily
User decides, through software settings, what files open to others
Every download exact duplicate of original
Law Enforcement Response
search file sharing networks for known child porn images
Questions:
“Search” w/in meaning of 4th Amendment?
Does user connected to Internet via P2P have reasonable expectation of privacy in files in shared folders?
Operation Fairplay
no REP in P2P
U.S. v. Ganoe, 538 F.3d 1117 (9th Cir. 2008)
"To argue that Ganoe lacked the technical savvy or good sense to configure Lime Wire to prevent access to his child pornography files is like saying that he did not know enough to close his drapes."
connecting to local network
US v. King, 509 F.3d 1338 (11th Cir. 2007)
REP?
hard drive contents "akin to items stored in the unsecured areas of a multi-unit apartment building or put in dumpster accessible to the public"
same principles applied --- No F/A protection against
1. disclosure of subscriber info by ISPs
2. Email recovered from recipient
3. Internet chat rooms
4. Posting Info on a Website
doctrines:
voluntary exposure
assumption of risk
application of principles to --
1. Virtual worlds
2. cloud computing
3. web based data storage
what are the relevant considerations?
virtual worlds
http://www.lively.com/html/landing.html
create own virtual space: chat and interact with your friends in rooms you create
express yourself: customize your avatar and stream personal videos and photos
add your room to your site: invite your friends to chat and decorate
virtual worlds
virtual Porn
rooms in virtual world
getting more cloudy !
on line storage
City of Ontario v. Quon, 130 S. Ct. 2619 (2010): some answers?
cop sent text messages to wife, mistress via gov't issued pager
agency reviewed printouts obtained from provider to determine if needed more capacity for police business
issues:
1. Quon have REP in messages?
2. Wife / mistress have REP in messages?
3. Was search Reasonable ?
police pager policies
Formal Written Policy
explicitly said user had no REP
could audit, monitor, or log all activity
not for personal use
Quon aware of and signed
"Informal Policy"
Lt. Duke: you pay overages, will not audit
Quon: NO answers
"case touches issues of far reaching significance," but disposed "by settled principles determining when a search is reasonable”
concern: "broad holding" on REP "vis-à-vis employer-provided technological equipment might have implications for future cases that cannot be predicted"
1. assumed Quon / women had REP
2. search reasonable - did not even decide if Scalia or plurality approaches in O'Connor v. Ortega proper!
Reasonable as to Quon because ...
had very "limited" REP
legitimate gov't purpose for search
scope of search reasonable
redacted transcripts -- on duty hours only
2 months examined
rejected least intrusive means etc
Reasonable as to the Women ?
Respondents:
if S/ unreasonable as to Quon, unreasonable as to his correspondents
no argument: unreasonable as to women even if Q search was reasonable
Court:
"In light of this litigating position," since search reasonable as to Quon, "other respondents cannot prevail"
dicta on REP analysis -- some possible factors
whether Duke's statements change in OPD policy
did Duke have "fact or appearance" of authority to make change / guarantee REP
should public/ private employees be treated differently
gov't interests in review of messages, including performance evaluations, litigation on lawfulness of police actions, compliance with open records laws
Rapid changes in dynamics of communication and information transmission affect what society accepts as proper behavior -- makes predicting EP and REP difficult
many employers expect / tolerate personal use -- often increases worker efficiency
employer policies concerning communications will shape REP, "especially" when "clearly communicated"
some recent state statutes require employers to notify when monitoring electronic communications
uncertain evolution of workplace norms / law's treatment
Cell phone / text messaging pervasive -- hence:
one view -- "essential means or necessary instruments for self-expression, even self-identification"
another view -- because of ubiquity / affordability employees can buy own
Scalia, concurring
Applicability discussion “unnecessary” and “exaggerated”
Court's implication that where electronic privacy is concerned we should decide less than we otherwise would (that is, less than the principle of law necessary to resolve the case and guide private action)–or that we should hedge our bets by concocting case-specific standards or issuing opaque opinions–is in my view indefensible. The-times-they-are-a-changin' is a feeble excuse for disregard of duty.
courts/ litigants likely to use dicta as "heavy-handed hint about how they should proceed"
Standard unworkable:
"Any rule that requires evaluating whether a given gadget is a 'necessary instrument for self-expression, even self-identification,' on top of assessing the degree to which 'the law's treatment of workplace norms has evolved,' is (to put it mildly) unlikely to yield objective answers."
statutory regulation of obtaining digital evidence
Congress /states have enacted “gap fillers”
ECPA
wiretap
pen register / trap and trace
See outline in binder
obtaining evidence
Diagram: Sender (AOL), AOL server (temporary storage), Earthlink server (temporary storage), Recipient (Earthlink).
Diagram: the same path, labelled Stored Communications Act, with Search Warrant marked at each server.
Diagram: Sender, AOL server (temporary storage), Earthlink server (temporary storage), Recipient. Labels: wiretap (content); pen/trap (non content).
significant statutory considerations
1. type of surveillance
real time: monitoring of communications in transit
stored records
2. what type of information is gov't seeking
content: communication itself
non-content: addressing information
Obtaining Digital Evidence
Content
Real-time: Wiretap order
Stored: SCA, Fourth Amendment
Non-Content
Real-time: Pen / trap & trace order
Stored: SCA
Roy Olmstead: wiretapping yesteryears
http://www.seattlechannel.org/videos/video.asp?ID=2591
hearing
Katz 1967
excluding the uninvited ear
wiretapping today !
wiretap?
Wiretap Stats – 2003 (FISA stats not included)
• 1,442 wire taps approved
• 864 State applications for intercept
• 578 Federal applications for intercept
• States: 23 reported use of Wiretap
• Locations:
– Personal residence – 118
– Businesses – 35
– Portable devices (cells/pagers) – 1,165
• Types:
– Wire (phone & cell) – 1271
– Oral – 24
– Electronic (pagers, computers) – 49
• Electronic wiretaps: 49
– electronic pagers – 32
– computers – 12
– others / fax – 5
• Total WT Arrests = 3,674
Drugs & Racketeering most prevalent investigations
Wiretap Act – “Title III”
18 U.S.C. §§ 2510-2522
Regulates interception of content of communications in real time (not "stored")
Applies to everybody (not just gov’t actors)
Establishes floor:
state laws can be more restrictive, not less
Wiretap Orders requirements include:
need probable cause of specified felonies
must show less intrusive techniques “reasonably appear unlikely to succeed”
short time period (30 days)
minimization requirements: avoid communications not subject to order
Wiretap Order Exceptions
Consent by one party
example: implied consent
landlady said all calls recorded
System banner announcing that “all communications may be monitored” may create “implied” consent
example: prison phones
Some states require consent of both–or all–parties
types of Communications:
Oral -- in person recording of human voice
Wire -- containing human voice
“Electronic” -- others, including email
wiretap remedies
statutory exclusion of evidence for
oral communications
wire communications
Criminal penalties for violations
Civil remedies for violations
obtaining non-content
Pen Registers: Outgoing
Trap & Trace: Incoming
records numbers dialed by telephone
Fourth Amendment does not apply
Smith v. MD, 442 U.S. 735 (1979) -- robber kept calling victim
pen registers
no REP in numbers dialed
voluntarily conveyed info to 3rd party
assumed risk of disclosure
Pen Register / Trap & Trace
18 U.S.C. §§ 3121-3127
get “dialing, routing, addressing, or signaling information”
Not a search under 4th Amendment
U.S. v. Forrester, 512 F.3d 500 (9th Cir. 2008)
to/from addresses
IP addresses of websites visited
volume of info to/from his account
Info in Real Time with Pen/Trap: only non-content
get most e-mail header information
“To”, “From”
IP address & port
For both source & destination
But not
“Subject” line of e-mails
Content of downloaded file
Post-Cut Through Dialed Digits
numbers dialed after call initially set up
includes acct #s, pin numbers, ID #s, social security #, credit card #s
Content or Non-content?
In re Application, 515 F. Supp. 2d 325 (E.D.N.Y. 2007):
"functional equivalent of the human voice"
URLs (uniform resource locators)
Content or not?
www.biosupplies.com/mailorder/Anthrax.htm
host: www.biosupplies.com
path or "file path": /mailorder/Anthrax.htm
In re application, 396 F. Supp. 2d 45 (D. Mass. 2005):
same as post-cut through digit extraction
Legal requirements for Pen / Traps
18 U.S.C. § 3123
gov't can get order when
1. authorized attorney applies under oath for order and
2. asserts “information likely to be obtained is relevant to an ongoing criminal investigation”
no independent judicial determination of 2
In re application
pen / trap remedies
no exclusion in criminal cases -- See Forrester
Criminal penalties for violations
Civil remedies for violations
Stored Communications Act (SCA) 18 U.S.C. §§ 2701-2712
Controls disclosure of stored data on networked computers of --
non content
basic subscriber information
transactional records
content of stored data & communications
Stored Communications Act
18 U.S.C. §§ 2701-2712
Prohibits unauthorized access by non-providers of stored communications
Governs:
Voluntary disclosure of communications or account records [§ 2702]
Compelled disclosure of communications or account records to government [§ 2703]
Types of Providers Regulated
Electronic communication services
Remote computing services
not covered
Information in someone’s home computer not in possession of provider -- access not governed by Act
Electronic Communication Service (ECS)
Any service that provides users ability to send or receive wire or electronic communications
18 U.S.C. § 2510 (15)
covers public and private providers
Examples:
AOL, Earthlink, Hotmail
Private company
State government
Remote Computing Service (RCS)
Any service that provides “to the public ... computer storage or processing services by means of an electronic communications system”
18 U.S.C. § 2711(2)
Only public providers
Examples:
payroll processing company
off site data bank services (medical file storage, etc)
on line storage service
Andersen: consultants used UOP's internal email system -- not public
Compelled Production – types of process
Subpoenas
Subpoenas with notice
applies to public and nonpublic providers
"d" orders [§ 2703(d)]
"d" orders w/notice
Search warrants
more process = more info
Compelled Production – subpoenas
Subpoenas: get basic subscriber info
no prior notice to subscriber needed
name and address
session records (time, duration)
telephone number
length of service, including starting date
types of services used
dynamic IP addresses
connection and session logs
means of payment (credit card, bank account numbers)
Compelled Production – subpoenas with notice to subscriber
get
contents in Electronic Storage more than 180 days
contents in RCS, including open emails
all info could have got w/ mere subpoena
exception: 9th Circuit need warrant for opened email
Theofel v. Farey-Jones
Compelled Production – "d" orders
"d" orders [§ 2703(d)]: get account logs, transactional records
all info could have got w/ lesser process
Historical data involving past activity on account
E-mail addresses of correspondents
Web sites visited
Cell-site data for cellular phone calls
buddy lists
Must show: specific and articulable facts that info sought is
relevant and material to ongoing criminal investigation
Compelled Production – "d" orders w/ notice
all info could have got w/ lesser process
Contents in RCS storage (including opened email)
Contents in electronic storage more than 180 days
Must show:
specific and articulable facts that info sought is relevant and material to ongoing criminal investigation
Compelling Content Production: warrants
Search Warrant: gets everything !
may always be needed when content sought
safer course: Get warrant for any content
SCA remedies
No exclusion of evidence
Criminal penalties for violations
Civil remedies for violations
Contents of email
minimum paper gov't needs depends on:
Has email been opened? If yes, then subpoena
If not opened, how long in storage?
180 days or more: subpoena
less than 180 days: search warrant
Is email protected by the Fourth Amendment?
Smiling Bob meets the 6th Circuit
Warshak #1, 532 F.3d 521 (6th Cir. 2008) (en banc)
Does use of "d" order to get W's emails violate 4th Amendment?
Q not ripe:
privacy expectations "may well shift over time, that assuredly shifts from internet-service agreement to internet-service agreement and that requires considerable knowledge about ever-evolving technologies"
variety of internet-service agreements
Service providers ....
will "not ... read or disclose subscribers' e-mail to anyone except authorized users"
"will not intentionally monitor or disclose any private email message" but "reserves the right" to do so in some cases
reserves right "to pre-screen, refuse or move any Content that is available via the Service"
e-mails will be provided to government on request
other individuals will have access to email and will be entitled to use information in it
user has no REP in any communications
U.S. v. Warshak (#2), __ F.3d __, 2010 WL 5071766 (Dec. 14, 2010)
Use of SCA subpoena to get emails from ISP violates 4th Amend
(but get good faith reliance)
analogy to letters / phone calls
ISP = post office / telephone company
subscriber agreement limited ISP access to emails only to protect ISP
not holding that subscriber agreement will never be broad enough to snuff out REP .... if ISP expresses intention to “audit, inspect, and monitor” emails, that might be enough