Federal Privacy Laws How can government obtain emails and network account logs from ISPs? How can...

Federal Privacy Laws

How can government obtain emails and network account logs from ISP’s?

When does the government need to obtain a search warrant as opposed to a 2703(d) order or a subpoena?

When can providers disclose emails and records to the government voluntarily?

What remedies will courts impose when ECPA violated?

Federal Privacy Laws

ECPA - The Electronic Communications Privacy Act (18 U.S.C. 2510 et seq)

PPA - The Privacy Protection Act (42 U.S.C. 2000a)

CCPA - The Cable Communications Policy Act (47 U.S.C. 251 et seq)

Why do I care?

ECPA – No suppression remedyCivil damages, but you lose your job!

PPA – No suppression remedy Civil damages. Law

enforcement officers may be held personally liable !

ECPA

Extends wiretap laws to electronic communications

Regulates how investigators can obtain stored e-mail, account records or subscriber information from network service providers; IPS’s, phone co.’s, cell phone providers, and satellite services.

ECPA

ECPA seeks to provide certain privacy rights to network account holders by offering varying degrees of legal protection depending on the perceived value of the privacy interest involved

ECPA

What type of info is being sought?Basic subscriber info? Transactional records?Content in electronic storage?

How can you get it?Subpoena?2703(d) Order?Search warrant?

Basic Subscriber Information

Gives you onlyname & addresslocal and LD telephone toll billing

recordstelephone number or other account

identifier (such as username or “screen name”)

length & type of service providedCan get IP number & dates/times for IRCCan be obtained through subpoena Do not subpoena “all customer records”

Transactional Records

Not content & not basic subscriber§ 2703(c)(1)(B)

Everything in betweenfinancial information (e.g.,

credit card)audit trails/logsweb sites visitedidentities of e-mail

correspondentscell site data from cellular/PCS

carriersObtainable with § 2703(d) court

order

What are “contents”?

“Any information concerning the substance, purport, or meaning of that communication.”

Attached wp filesAttached picture filesSubject headers of e-mails

Section 2703(d) Orders

Articulable facts order “specific and articulable facts

showing that there are reasonable grounds to believe that [the requested records] are relevant and material to an ongoing criminal investigation”

Higher standard than a subpoena, lower than probable cause

ECPA permits service outside state of issuing district

Opened e-mail

Do you need a search warrant?Subpoena – served with prior notice2703(d) Order – served with notice to

subscriberSearch warrant – no notice to subscriberOther stored electronic communications

in “electronic storage” more than 180 days (unopened e-mail)

Notification

Investigators can delay notice for up to 90 days to avoid:flight from prosecutiondestruction of or tampering with

evidence intimidation of potential witnessesseriously jeopardizing an

investigation (§ 2705)

2703(d) Application and Orders will contain a request for delayed notice – must state why

Can extend delay additional 90 days

Unopened e-mail > 180 days

If unopened and in storage for less than 180 days, use search warrant (§ 2703(a))

Warrant operates like a subpoena

No notice requiredExcept 9th Circuit

Preservation Request

A provider of wire or electronic communication service or a remote computing service, upon request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.

Voluntary Disclosure

Can you accept information voluntarily disclosed by ISP?

Providers may monitor and intercept real time communications for purposes of maintaining and protecting their equipment.

Is the ISP required to disclose such info?

Privacy Protection Act

“[I]t shall be unlawful . . . to search for or seize any work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or similar form of public communication . . .”

• Prohibits use of a search warrant for such materials

42 USC 2000aa

Privacy Protection Act

Provides additional protection to media from law enforcement searches

Response to US Supreme Court decision Zurcher v. Stanford Daily, 436 U.S. 547(1978)

Newspaper sued saying LE search violated First Amendment rights of paper

Basic PPA Rule

Act requires law enforcement to rely on cooperation from Media

Must use a subpoenaLess intrusive means to

obtaining evidenceOffers better protection to

innocent parties

Exceptions

Contraband or fruits or instrumentalities of a crime

Immediate seizure of materials necessary to prevent death or serious bodily injury

Probable cause that person possessing such material has committed or is committing a criminal offenseExcept if mere possession offense

Except child pornography

Who is Protected?

Bulletin boardsWeb pagesTV stationsAuthorsPublishers of any medium whose intent

is to publish information to the publicIncludes publishers of legal

pornography

Commingled Evidence

What do you do when both protected material under PPA and contraband are found on same hard drive?

Can you take computer?Once you realize that you have

protected material what do you do?Do you have an affirmative duty to

return protected material?

Cell Phones

THE CLOCK IS TICKING!!

EVERY SECOND YOU WAIT TO COLLECT EVIDENCE, THE MORE YOU LOSE!!

Cell Phones

Once you get the phone number:

Call the carrier ask whether the number was active and billable on their network during the time in question.

That one phone call will save hours

Cell Phones

If so, send preservation letter.

Follow up call to insure receipt.

Search Warrant to carrier.

Cell Phones

Search warrant for the following:

Billing Records

Carrier Key

CDR’S

Cell-Site information

Billing Records

Records the customer receives from carrier.

BR show ONLY completed and billable calls

BR show ONLY date, time, duration and number called or received from.

BR are incomplete for your investigation!!

Carrier Key

Must specifically request to receive

Provides acronyms, and any special instructions for interpreting their records.

Call Detail Records

Have to specifically ask for these.

WAY more information.

Date, time, duration, number called, calling party, call reference code, text, data, cell-site, sector.

Not all carriers give all this info.

Search Warrants

Include “text messages and MMS including all numbers sent to and received from, date, time, duration and all content related to each message”

Porting—remember a number that starts on AT&T can move to another service.

Tracfone—a booster phone. When sending search warrant, ask for “Notes and Footnotes.” Notes and Footnotes will tell you where device purchased, where payments were made and how.

Booster phones—generally operated by Sprint/Nextel

CELL TOWER DUMP

All activity on a particular cell-site for a specific time

TIME SENSITIVE!!

Each carrier has their own network of Cell-Sites

Need “Carrier Key”

TOWER DUMP

Recommended verbiage:

“Requesting a “Tower Dump” from all cell sites in the immediate area of (address or lat/long of your incident) that would support any and all communication including but not limited to calls, text messaging, data, walkie-talkie, push to talk…”

Tower Dump

ATT—90 days only 75$ per cell site 2 week turnaround

Metro—6 mos $50/site 2 weeks

Sprint/Nextel/Boost up to 24 months 0-50$ 2 weeks---special verbiage—”any tower in the area that would support communication…” that way you get all three

Tmobile—6 mos $100/per 2 weeks NO exigency

Verizon 90 days no charge 2 weeks

Electronic Evidence

Writings/Documents Documents Give me a RASHRelevance AuthenticitySecondary Evidence/Best Evidence Hearsay

Computer Evidence

3 Types

1. Those records generated by process

2. Those records generated by persons

3. Commingled

Evidence Developed by Process

Remember the definition

Statement or assertion or non verbal conduct

Of a PERSON

If not by a person, NOT hearsay

Examples

GPS data Cell Tower data Telephone toll

records Email header info Ip tracing Electronic banking

Log in records from ISP

Pin entries Phone numbers

called

U. S. v. Bellomo 176 F.3d 580

Not Hearsay

IP address is automatically generated by computer hosting newsgroup. No statement by person, thus not hearsay.

U. S. v. Hamilton 413 F. 3d 1138

Examples Persons (Hearsay)

Personal letter

Memo

Bookkeeping records

Records of business transactions inputted by persons

Hearsay Records

803(6). Business Records not for litigation

902(11) Certification

803(8) Police Computer Records

Computer Chat logs may include admissions. 801(d)(2) witnesses side of conversation gives context to D’s. U.S. v. Burt 496 F.3d 733

801D(2)(e) co conspirator Statements

Bullcoming v. New Mexico

Computer generated records MAY violate Confrontation Clause.

If the computer record is dependent upon human conduct that must be testified to to make the record valid, that witness must testify.

Examples Mixed

Email content and header

File with both written data and creation, access and modified dates

Chat logs that id participants with dates and times

Spreadsheets

Foundation

901(a) Lowest standard in law

Computer records are judged by same standard

901(b)(4) Distinctive characteristics

901(b) (9) Describing a process

902 Self Authentication

902(8) Acknowledged Docs—emails, texts, chats

Foundation

Ultimately just has to be person who “has knowledge that a matter is what it is claimed to be.”

901(b)(4) Distinctive characteristics of email include the “@” symbol, email addresses with the person’s name connected to the email, and people’s name on To and From or signature line. U.S. v. Siddiqui 235 F.3d 1318

Objection IP Address

“Objection hearsay!”Hearsay is an out of court statement by a PERSONNOT HEARSAY--Admissible with authentication

E-mail headersSecurity logsBilling recordsHash value/date and time stamps

The Objections

You get the local AOL Security Officer to testify to records:

(1) “Your honor, this person is only a security guard without any formal background or training. She’s not qualified to testify to the records systems.”

(2) “All she knows is what she sees on the screen. She doesn’t know anything about how the hardware and software run. So she’s incompetent to testify about the mode of preparation.”

(3) “She only learned what she learned from talking to others. Her testimony is based on hearsay and objectionable.”

Your response: “Oh %&*&!!! I have a RASH!

The Objections

As to the Identifying information: (6) “How do we know that these entries

were made at or near the time of the event? All we have are these computer entries!”

(7) “This is a print-out of the database, not the database itself. How do we know the print-out is accurate? You know those crazy printers.”

(8) “This witness didn’t gather the record. She only brought it to court.”.

The Objections

As to the Internet Tracing:(9) “What do we really know about the Internet? It’s just a collection of wires. How do we know this Who-Is service is accurate? Maybe there are hundreds of domain names and hundreds of e-mail accounts that are the same as this.”(10) “It would take an expert to tell us about the Internet. This cop is no expert, just a flat foot with a laptop.”

The Objections

As to the ISP e-mail account:(11) “This is more information that is

unreliable. The source isn’t the company, it’s the person who opened the account. It’s not a business record.”

The Objections

As to all of the information: (12) “Who put the numbers on the

machines? The computer. It’s the declarant. I should have the right to cross-examine the computer itself.”

ICAC Training & Technical Assistance Program

The Objections

(13) “Where’s the custodian? I have an absolute right to cross-examine the custodian!”

The Objections

“They cannot show that the electronic record has not bedn tampered with or changed, so there is no authenticity.”

The Objections

The possibility of alteration is not sufficient to exclude electronic evidence. As with paper documents, the mere possibility of alteration is not sufficient to exclude electronic evidence. It is a weight, not admissibility issue.

U.S. v. Bonallo 858 F.2d 1427 (9th)

Objections

“We don’t know who actually sent this email/was on this chat etc.”

Objections

Circumstantial evidence establishes authorship. Email addresses, IP addresses, signature blocks and content can get past authenticity. U.S. v. Simpson 152 F.3d 1241

Website Authentication

Printouts of website are not self authenticating. U.S. v. Jackson 208 F. 3d 633

Need to call someone who is familiar with the site or viewed it contemporaneously to your crime.


The Objections

AOL responds to subpoena duces tecum by copies of identifying information and billing records They also send e-mail, along with an FRE 902(11) declaration.But there is no custodian present.Admissible?


Relevance

401 Simple


Authentication

803(6) Report/Record/data compilation 902 Self Authentication “Do you recognize Court Exhibit # 1?”“What is it?”“Where did it come from?”


The Basic § 803(6) Requirements

The writing was made in the regular course of business.The writing was made at or near the time of the act, condition, or eventThe custodian or other representative testifies to its identity and mode of preparation; andThe sources of information and method and time of preparation were such as to indicate its trustworthiness.No Crawford implications


The Object of the Exercise

. . . Is to show how the computer generated records satisfy all four of these requirements.

OR – alternatively

How the computer generated document is authenticated as a document and relevant as such without reference to its hearsay content.


Practice Point

Write a trial brief on these issuesThe defense will focus on “the perils of unknown information.” Court is uncomfortable with electronic evidence.Acquaint the Court with the issues and authorities before you start.


The Forest Before the Trees – the Right Metaphor

FRE 104 foundation is not rigid or formalistic.Could a reasonable jury find by a preponderance of the evidenceIt is NOT a checklist, each item of which must be marked off before the item is admittedThe Right Metaphor is topics in a theme, each of which must be addressed in the showing


The Forest Before the Trees – Weight v. Admissibility

Case authority repeatedly emphasizes reliability is NOT the same as infallibility.

A business record may be trustworthy and still be found to contain errors.


The Forest Before the Trees – The Fundamental Authority

People v. Lugashi (1988), 205 Cal. App 3rd 632Case involved the use of stolen credit card numbers to post phony sales transactions. Wells Fargo Bank was the victim.

The transactions were posted by telephone.

Proof of the records involved a description of Wells Fargo’s entire data processing system, which involved transfers from phone records to magnetic tape, dump to computer, software processing, etc.


The Forest Before the Trees – The Fundamental Authority (con’t.)

The witness providing the foundational showing was a Loss Prevention Offc.LPO knew the system and case cold, but lacked any formal computer trainingFoundation was attacked on appeal.Case affirmed with great language.


The Objections Revisited

“Your honor, this person is only a security guard without any formal background or training. She’s not qualified to testify to the records systems.”

Response – anyone who knows the system can serve as an adequate company representative. Do not have to have written the computer programU.S. v. Salgado 250 F3d. 438



(2) “All she knows is what she sees on the screen. She doesn’t know anything about how the hardware and software run. So she’s incompetent to testify about the mode of preparation”

Response –Don’t need an expert.

A person who generally understands the system's operation and possesses sufficient knowledge and skill to properly use the system and explain the resultant data is a qualified witness. Lugashi.



(3) “She only learned what she learned from talking to others. Her testimony is based on hearsay and objectionable.”Response – This objection has been considered and dismissed. Most people have learned what they learned listening to others.


A Final Comment on the Hearsay Objection

The point of §1271/803(6) is to eliminate the necessity of calling multiple witnesses for one transaction.

“The object of Evidence Code section 1271/803(6) is to eliminate the calling of each witness involved in preparation of the record and substitute the record of the transaction instead [cit. omit].” County of Sonoma v. Grant W. (1986), 187 Cal. App. 3d 1439 at 1451. Accord, People v. Matthews (1991) 229 Cal. App. 3rd 930 at 940 – and of course Lugashi


The Objections Revisited (Internet Trace)

“(10) It would take an expert to tell us about the Internet. This cop is no expert, just a flat foot with a laptop.”

Response – Evidence Code §702 indicates the specialized knowledge of an expert can be based on `skill, experience, and training’ as well as education.

Query whether basic `Internetology’ requires anything more than lay opinion these days. 701

It almost certainly will not in the near future.


The Objections Revisited (internet Trace)

“What do we really know about the Internet? It’s just a collection of wires. How do we know this Who-Is service is accurate? Maybe there are hundreds of domain names and hundreds of e-mail accounts that are the same as this.”

Response – no case law this time, but there is a dead on statuteEvidence Code §803(17) – the “phone book” exception


Evidence Code §803(17)

Evidence of a statement, other than an opinion, contained in a tabulation, list, directory, register, or other published compilation is not made inadmissible by the hearsay rule if the compilation is generally used and relied upon by persons in particular occupations. Dead on to the directories of business and TSP sites maintained by Network Solutions, Who Is, Sam Spade, and so on.Literally the same as the phone book


Pushing the Envelope (Practice Tip)

What is Today’s Expertise is Tomorrow’s Common KnowledgeRemind the Judge that there was a time when the operations of the telephone, television, radio, and so forth, were esoteric and the subject of expertise. Although some of these still are, the basics are not and jurors follow them easily.Most foundational matter with respect to computer operations are very basic and increasingly understood as a matter of everyday experience.The threshold showing of reliability thus becomes easier to make, as it has with other technology.


The Objections Revisited (E-Mail Account)

“(11) This is more information that is unreliable. The source isn’t the company, it’s the person who opened the account. It’s not a business record.”Response – the document is being admitted not as the record of an `act, condition, or event’, but as a document, i.e, the account information on the account just happens to be the personal information of the defendant.Ascertainable from the `face’ of the document, as it were.The record is thus subject to the liberal authentication procedures of Evidence Code §901/ 902



(12) “Who put the numbers on the machines? The computer. It’s the declarant. I should have the right to cross-examine the computer itself.” Response – as farcical as this sounds, the objection has been made in practice.People v. Hawkins (2002) 98 Cal. App 3d. 1428 is dispositive. `Mechanical’ computer functions are proved up by showing that the machine was working properly.


The Objections Revisited (Absence of Custodian)

(13) “Where’s the custodian? I have an absolute right to cross-examine the custodian!”

Response: Does he? Really? Think about it He has no statutory right, because Evidence C.

803(6) §902(11) provides that the affidavit is sufficient

So he must be talking about a Constitutional right. Does the right to confront and cross-examine

witnesses really extend to bare bones foundational showings provided by affidavit?

Crawford says no.


The Objections Revisited (Absence of Custodian)

However, if this seems a bit too audacious to you: (1) All Evidence C. §803(6) requires is an

authorized representative. (2) If the hotel is a national chain, use a

local (3) If not, it almost certainly uses the

services of an accounting firm with national affiliations.

(4) A member of the local branch of the accounting firm who has familiarized him- or herself with accounting practices, should do fine.


Common Areas for Digital Evidence

Warrants Subscriber account info

InterNIC/WhoIS

Sources of Evidence Web pages

IRC/Chat

Computer Forensic Exams File structure

Recovery of deleted files

Recovery of text and images

Our Approach What you get

How to get it admitted

How to present it

Working with Your Forensic Examiner


Evidence Code Section 1001(3)-(4)

Printed Representation of Computer Information

A printed representation of computer information or a computer program is presumed to be accurate

The presumption is rebuttable

If rebutted by evidence, accuracy must be established by a preponderance of the evidence


Authentication/Best Evidence

Now what?

EC 1003 - Secondary Evidence Rule

Content of a writing may be proved by otherwise admissible secondary evidence

Unless a genuine question is raised as to the authenticity of the original

or unfair to admit the copy


A printed representation of images stored on video or digital media is presumed accurate

The presumption is rebuttable

If rebutted by evidence, accuracy must be proven by a preponderance of the evidence

Evidence Code Section 1001(3)(4);

1003 Printed Representation of Images Stored on Video

or Digital Medium


Oral testimony is admissible if: The writing is excessive and would

consume court time Evidence sought is general result of

whole

Can use charts, summaries, diagramsConsider using for: Log files Summary of files or applications on examined drive Web browsing history Timeline for who was home when access to files

occurred

Admissibility of Oral EvidenceRule 1006


ISP Warrant Results

Subscriber Account InformationAccount HistoryLogs Format Letter from ISP summarizing results Computer generated printout


Admissibility of ISP Warrant Return

Authentication

Hearsay

Presentation


Hearsay and ISP Warrant Return

How to we get the warrant results admitted?Business records

Where is your custodian?

SDTDo the records still exist?

Computer-generated record not hearsay? Basis for expert opinion

* Evidence not actually admitted

Safe practice - Immediately follow warrant with SDT


Authentication

Evidence sufficient to show what you claim it is (EC 901)

Have receiving officer authenticate warrant return Originator’s testimony not necessary - EC 903

Received in response to communication to author - EC 901(b)(4)

Content - EC 901(b)(4)

EASY-902(11) with Sw return


IRC/Chat Room Conversations

Authentication? Officer/victim who preserved text Forensic examiner who recovered text Must establish ID of suspect’s screen nameHearsay? Non Hearsay: Motive, ID, intent, state of

mind EC 801(d)(2)(a) - Statement of a Party EC 801(d)(2)(e)- Co-Conspirator Statements EC 801(d)(1)(a) - Prior Inconsistent

Statement EC - Past Recollection Recorded

Federal Privacy Laws How can government obtain emails and network account logs from ISPs? How can...

Documents

Transcript of Federal Privacy Laws How can government obtain emails and network account logs from ISPs? How can...