1

Legal Framework Regulatingoutside the box investigations

Thomas K. ClancyThomas K. Clancy

DirectorDirector

www.www.NCJRL.orgNCJRL.org

"inside the box, outside the box"

The Box Outside the box:network investigations

• Criminals exploit technology

– E‐mail– Chat rooms– Instant messaging– Message boards

network or internet crime

NCJRLNCJRL..orgorg

g– Web sites– Internet auction sites – Social networking sites– Voice over IP– Peer‐to‐Peer– ETC ......

2

three different legal frameworks for investigation

1 obtaining info that has no legal regulation

governmental responses:investigating on the internet /networks

1. obtaining info that has no legal regulation

2. Fourth Amendment applicability

3. statutory regulation

using publicly available tools: no legal regulation

search engines, public web sites, chat rooms, etc.

info a ailable sing ad anced Inte net toolsinfo available using advanced Internet tools

NS lookup, Whois, Finger, Traceroute, Ping

Domain names, IP addresses, networks, contact persons

protections mostly statutory

Fourth Amendment protections for data held by networks or in remote locations is unclear

Congress /states have enacted “gap fillers” Stored Communications Act Wiretap Act Pen Register / Trap and Trace

3

Sender (AOL)

obtaining evidence

AOL ServerTemporary Storage

Recipient (G Mail)

Google ServerTemporary Storage

Search Warrant

Search Warrant

Stored Communications Act

sender's ISP ServerTemporary Storage

Sender

Recipient

recipient's ISP ServerTemporary Storage

wiretap(content)

pen/trap(non content)

non-consensual interception of communications, etc, over the Internet to another party

example: email

possible analogies:

uncertain F/A applicability outside the box

possible analogies:

its like a letter in the mail

its like numbers dialed on a telephone

its like any info possessed by third party

4

Traditional F/A doctrine

No F/A Protection from 3rd Party Disclosures to Gov't

Rationale: Risk Analysis -- Voluntary Exposure

i l d b li f t h l t il fid ill t misplaced belief to whom voluntarily confides will not reveal secret

Miller

such risk “probably inherent in the conditions of human society"

Hoffa

Peer-to-Peer (P2P) Networks

file-sharing technology --- creates virtual networks

criminal activity:

Copyright Infringement

Computer Hacking Worms -- Viruses -- Theft of information

Child Exploitation and Pornography

How P2P Works

5

Considerations

User on Internet voluntarily

User decides, through software settings, what filessoftware settings, what files open to others

Every download exact duplicate of original

Law Enforcement Response

search file sharing networks for known childporn images

Questions:

“Search” w/in meaning of 4th Amendment?

Does user connected to Internet via P2P have reasonable expectation of privacy in files in shared folders?

6

Operation Fairplay

U.S. v. Ganoe, 538 F.3d 1117 (9th Cir. 2008)

"To argue that Ganoe lacked the technical d t fi Li Wi

no REP in P2P

savvy or good sense to configure Lime Wire to prevent access to his child pornography files is like saying that

he did not know enough to close his drapes."

connecting to local network

US v. King, 509 F.3d 1338 (11th Cir. 2007)

REP?

hard drive contents "akin to items stored in the

unsecured areas of a multi-unit apartment building or put in dumpster accessible to the public"

7

same principles applied --- No F/A protection against

1. disclosure of subscriber info by ISPs

2. Email recovered from recipient doctrines:

3. Internet chat rooms

4. Posting Info on a Website

doctrines:

voluntary exposure

assumption of risk

application of principles to --

1. Virtual worlds

2. cloud computing

3. web based datastorage

what are the relevant considerations?

virtual worlds

http://www.lively.com/html/landing.htmlhttp://www.lively.com/html/landing.html

create own virtual spacechat and interact with your friendsin rooms you create

express yourselfcustomize your avatar and stream personal videos and photos

add your room to your siteInvite your friends to chat and decorate

8

virtual worlds

virtual Porn

rooms in virtual world

9

getting more cloudy !

on line storage

10

City of Ontario v. Quon, 130 S. Ct. 2619 (2010):some answers?

cop sent text messages to wife, mistress via gov't issued pager

agency reviewed printouts obtained from provider to determine if needed more capacity for police businessdetermine if needed more capacity for police business

issues:

1. Quon have REP in messages?

2. Wife / mistress have REP in messages?

3. Was search Reasonable ?

Formal Written Policy

explicitly said user had no REP could audit, monitor, or log all activity not for personal use Quon aware of and signed

police pager policies

Quon aware of and signed

"Informal Policy"

Lt. Duke: you pay overages, will not audit

Quon: NO answers

"case touches issues of far reaching significance," but disposed "by settled principles determining when a search is reasonable”

concern: "broad holding" on REP "vis-à-vis employer-provided technological equipment might p y p g q p ghave implications for future cases that cannot be predicted"

1. assumed Quon / women had REP

2. search reasonable - did not even decide if Scalia or plurality approaches in O'Connor v. Ortego proper !

11

Reasonable as to Quon because ...

had very "limited" REP

legitimate gov't purpose for search

scope of search reasonable

redacted transcripts -- on duty hours only 2 months examined rejected least intrusive means etc

Reasonable as to the Women ?

Respondents:

if S/ unreasonable as to Quon, unreasonable as to his correspondents

no argument: unreasonable as to women even if Q no argument: unreasonable as to women even if Q search was reasonable

Court:

"In light of this litigating position," since search reasonable as to Quon, "other respondents cannot prevail"

dicta on REP analysis -- some possible factors

whether Duke's statements change in OPD policy

did Duke have "fact or appearance" of authority to make change / guarantee REP

should public/ private employees be treated differently

gov't interests in review of messages, including performance evaluations, litigation on lawfulness of police actions, compliance with open records laws

12

Rapid changes in dynamics of communication and information transmission affects what society accepts as proper behavior -- makes predicting EP and REP difficult

many employers expect / tolerate personal use often increases worker efficiency

employer policies concerning communications will shape REP, "especially" when "clearly communicated

some recent state statutes require employers to notify when monitoring electronic communications

uncertain evolution of workplace norms / law's treatment

Cell phone / text messaging pervasive -- hence:

one view -- "essential means or necessary instruments for self-expression, even self-identification"

another view -- because of ubiquity / affordability employees can buy own

Scalia, concurring

Applicability discussion “unnecessary” and “exaggerated”

Court's implication that where electronic privacy is concerned we should decide less than we otherwise would (that is less than the principle of lawwould (that is, less than the principle of law necessary to resolve the case and guide private action)–or that we should hedge our bets by concocting case-specific standards or issuing opaque opinions–is in my view indefensible. The-times-they-are-a-changin' is a feeble excuse for disregard of duty.

13

courts/ litigants likely to use dicta as "heavy-handed hint about how they should proceed"

Standard unworkable:

"Any rule that requires evaluating whether a given gadget is a 'necessary instrument for self-expression, even self-identification,' on top of assessing the degree to which 'the law's treatment of workplace norms has evolved,' is (to put it mildly) unlikely to yield objective answers."

statutory regulation of obtaining digital evidence

Congress /states have enacted “gap fillers”

ECPA ECPA wiretap pen register / trap and trace

See outline in binder

Sender (AOL)

obtaining evidence

AOL ServerTemporary Storage

Recipient (Earthlink)

Earthlink ServerTemporary Storage

14

Sender (AOL)Stored CommunicationsAct

AOL ServerTemporary Storage

Recipient (Earthlink)

Earthlink ServerTemporary Storage

Search Warrant

Search Warrant

AOL ServerTemporary Storage

Sender

Recipient

Earthlink ServerTemporary Storage

wiretap (content)

pen/trap(non content)

1. type of surveillance

real time: monitoring of communications in transit

stored records

significant statutory considerations

2. what type of information is gov't seeking

content: communication itself

non-content: addressing information

15

Obtaining Digital Evidence

Content

Real-timeWiretap order

StoredSCA Fourth Amendment

StoredSCA

Real-timePen / trap & trace order

Non-Content

Roy Olmsteadwiretapping yesteryears

http://www.seattlechannel.org/videos/video.asp?ID=2591

hearing

Katz 1967

excluding the uninvited ear

16

wiretapping today !

wiretap?

Wiretap Stats – 2003(FISA stats not included)

• 1,442 wire taps approved

• 864 State applications for intercept• 578 Federal applications for intercept• States: 23 reported use of Wiretap• Locations:

• Electronic wiretaps: 49

• electronic pagers – 32

• computers - 12

• others /fax – 5

•Total WT Arrests = 3,674• Personal residence – 118• Businesses – 35• Portable devices (cells/pagers) –

1,165

• Types:• Wire (phone & cell) – 1271• Oral – 24• Electronic (pagers, computers) – 49

Drugs & Racketeeringmost prevalent investigations

17

Wiretap Act – “Title III”18 U.S.C. §§ 2510-2522

Regulates interception of content of communications in real time (not "stored")

Applies to everybody (not just gov’t actors)

Establishes floor:

state laws can be more restrictive, not less

Wiretap Orders requirements include:

need probable cause of specified felonies

must show less intrusive techniques “reasonably appear unlikely to succeed”

short time period (30 days)

minimization requirements: avoid communications not subject to order

Wiretap Order Exceptions

Consent by one party

example: implied consent

landlady said all calls recorded y

System banner announcing that “all communications may be monitored” may create “implied” consent

example: prison phones

Some states require consent of both–or all–parties

18

wiretap remedies

statutory exclusion of evidence for

oral communications

types of Communications:

Oral -- in person recording of human voiceWire -- containing human voice“Electronic” -- others, including email

wire communications

Criminal penalties for violations

Civil remedies for violations

obtaining non-content

Pen Registers: Outgoing

Trap & Trace: Incoming

records numbers dialed by telephone

Fourth Amendment does not apply

Smith v. MD , 442 U.S. 735 (1979) -- robber kept calling victim

pen registers

no REP in numbers dialed

voluntarily conveyed info to 3rd party

assumed risk of disclosure

19

Pen Register / Trap & Trace18 U.S.C. §§ 3121-3127

get “dialing, routing, addressing, or signaling information”

Not a search under 4th Amendment Not a search under 4th Amendment

U.S. v. Forrester , 512 F.3d 500 (9th Cir. 2008)

to/from addresses

IP addresses of websites visited

volume of info to/from his account

Info in Real Time with Pen/Trap: only non-content

“To”, “From”

dd

get most e-mail header information

IP address & port

For both source & destination

But not

“Subject” line of e-mails

Content of downloaded file

Post-Cut Through Dialed Digits

numbers dialed after call initially set up

includes acct #s, pin numbers, ID #s, social security #, credit card #s

Content or Non-content?

In re Application, 515 F. Supp. 2d 325 (E.D.N.Y. 2007):

"functional equivalent of the human voice"

20

URLs (uniform resource locators)

Content or not?

www biosupplies com /mailorder /Anthrax htmwww.biosupplies.com /mailorder /Anthrax.htm

path or "file path"host

In re application, 396 F. Supp. 2d 45 (D. Mass. 2005):

same as post-cut through digit extraction

Legal requirements for Pen / Traps

18 U.S.C. § 3123

gov't can get order when

1. authorized attorney applies under oath for order and

2. asserts “information likely to be obtained is relevant to an ongoing criminal investigation”

no independent judicial determination of 2In re application

pen /trap remedies

no exclusion in criminal cases See Forester

C i i l l i f i l i Criminal penalties for violations

Civil remedies for violations

21

Controls disclosure of stored data on networked computers of --

non content

Stored Communications Act (SCA) 18 U.S.C. §§ 2701-2712

basic subscriber information transactional records

content of stored data & communications

Stored Communications Act18 U.S.C. §§ 2701-2712

Prohibits unauthorized access by non-providers of stored communications

Governs:

Voluntary disclosure of communications or account records [§ 2702]

Compelled disclosure of communications or account records to government [§ 2703]

Types of Providers Regulated

Electronic communication services

Remote computing services

not covered

Information in someone’s home computer not in possession of provider -- access not governed by Act

22

Electronic Communication Service (ECS)

Any service that provides users ability to send or receive wire or electronic communications

18 U.S.C. § 2510 (15)

covers public and private providers

Examples:

AOL, Earthlink, Hotmail

Private company

State government

Remote Computing Service (RCS)

Any service that provides “to the public ... computer storage or processing services by means of an electronic communications system”

18 U.S.C. § 2711(2)

Only public providers

Examples:

payroll processing company off site data bank services (medical file storage, etc) on line storage service Andersen: consultants used UOP's internal email

system -- not public

Compelled Production –types of process

Subpoenas

Subpoenas with notice

applies to public andnonpublic providers

"d" orders [§ 2703(d)]

"d" orders w/notice

Search warrants

more process = more info

23

Compelled Production – subpoenas

Subpoenas: get basic subscriber info

name and address session records (time, duration)

no prior notice tosubscriber needed

( , )

telephone number

length of service, including starting date types of services used dynamic IP addresses connection and session logs means of payment (credit card, bank account numbers)

Compelled Production – subpoenas with notice to subscriber

get

contents in Electronic Storage more than 180 days contents in RCS, including open emails all info could have got w/ mere subpoena

exception: 9th Circuit need warrant for opened email

Theofel v. Farey-Jones

Compelled Production – "d" orders

"d" orders [§ 2703(d)]: get account logs, transactional records

all info could have got w/ lesser process Historical data involving past activity on account E-mail addresses of correspondents E mail addresses of correspondents Web sites visited Cell-site data for cellular phone calls buddy lists

Must show: specific and articulable facts that info sought is

relevant and material to ongoing criminal investigation

24

Compelled Production –"d" orders w/ notice

all info could have got w/ lesser process

Contents in RCS storage (including opened email)Contents in electronic storage more than 180 days Contents in electronic storage more than 180 days

Must show:

specific and articulable facts that info sought is relevant and material to ongoing criminal investigation

Compelling Content Production: warrants

Search Warrant: gets everything !

may always be needed when content sought

safer course: Get warrant for any content

SCA remedies

No exclusion of evidence

Criminal penalties for violations

Civil remedies for violations

25

minimum paper gov't needs depends on:

Has email been opened? If yes, then subpoena

If not opened, how long in storage?

Contents of email

180 days or more: subpoena less than 180 days: search warrant

Is email protected by the Fourth Amendment?

Smiling Bob meets the 6th Circuit

Warshak #1, 532 F.3d 521 (6th Cir. 2008) (en banc)

Does use of "d" order to get W's emails violate 4th Amendment?

Q not ripe:Q o p

privacy expectations "may well shift over time, that assuredly shifts from internet-service agreement to internet-service agreement and that requires considerable knowledge about ever-evolving technologies"

26

variety of internet-service agreements

Service providers ....

will "not ... read or disclose subscribers' e-mail to anyone except authorized users"

"will not intentionally monitor or disclose any private email message" but "reserves the right" to do so in some cases

reserves right "to pre-screen, refuse or move any Content that is available via the Service"

e-mails will be provided to government on request

other individuals will have access to email and will be entitled to use information in it

user has no REP in any communications

U.S. v. Warshak (#2),__ F.3d __, 2010 WL 5071766 (Dec. 14, 2010)

Use of SCA subpoena to get emails from ISP violates violates 4th Amend

(but get good faith reliance)

analogy to letters / phone calls analogy to letters / phone calls ISP = post office / telephone company

subscriber agreement limited ISP access to emails only to protect ISP

not holding that subscriber agreement will never be broad enough to snuff out REP .... if ISP expresses intention to “audit, inspect, and monitor” emails, that might be enough