Federal Privacy Laws How can government obtain emails and network account logs from ISPs? How can...
-
Upload
kendrick-twyman -
Category
Documents
-
view
219 -
download
5
Transcript of Federal Privacy Laws How can government obtain emails and network account logs from ISPs? How can...
Federal Privacy Laws
How can government obtain emails and network account logs from ISP’s?
When does the government need to obtain a search warrant as opposed to a 2703(d) order or a subpoena?
When can providers disclose emails and records to the government voluntarily?
What remedies will courts impose when ECPA violated?
Federal Privacy Laws
ECPA - The Electronic Communications Privacy Act (18 U.S.C. 2510 et seq)
PPA - The Privacy Protection Act (42 U.S.C. 2000a)
CCPA - The Cable Communications Policy Act (47 U.S.C. 251 et seq)
Why do I care?
ECPA – No suppression remedyCivil damages, but you lose your job!
PPA – No suppression remedy Civil damages. Law
enforcement officers may be held personally liable !
Why do I care?
ECPA – No suppression remedyCivil damages, but you lose your job!
PPA – No suppression remedy Civil damages. Law
enforcement officers may be held personally liable !
ECPA
Extends wiretap laws to electronic communications
Regulates how investigators can obtain stored e-mail, account records or subscriber information from network service providers; IPS’s, phone co.’s, cell phone providers, and satellite services.
ECPA
ECPA seeks to provide certain privacy rights to network account holders by offering varying degrees of legal protection depending on the perceived value of the privacy interest involved
ECPA
What type of info is being sought?Basic subscriber info? Transactional records?Content in electronic storage?
How can you get it?Subpoena?2703(d) Order?Search warrant?
Basic Subscriber Information
Gives you onlyname & addresslocal and LD telephone toll billing
recordstelephone number or other account
identifier (such as username or “screen name”)
length & type of service providedCan get IP number & dates/times for IRCCan be obtained through subpoena Do not subpoena “all customer records”
Transactional Records
Not content & not basic subscriber§ 2703(c)(1)(B)
Everything in betweenfinancial information (e.g.,
credit card)audit trails/logsweb sites visitedidentities of e-mail
correspondentscell site data from cellular/PCS
carriersObtainable with § 2703(d) court
order
What are “contents”?
“Any information concerning the substance, purport, or meaning of that communication.”
Attached wp filesAttached picture filesSubject headers of e-mails
Section 2703(d) Orders
Articulable facts order “specific and articulable facts
showing that there are reasonable grounds to believe that [the requested records] are relevant and material to an ongoing criminal investigation”
Higher standard than a subpoena, lower than probable cause
ECPA permits service outside state of issuing district
Opened e-mail
Do you need a search warrant?Subpoena – served with prior notice2703(d) Order – served with notice to
subscriberSearch warrant – no notice to subscriberOther stored electronic communications
in “electronic storage” more than 180 days (unopened e-mail)
Notification
Investigators can delay notice for up to 90 days to avoid:flight from prosecutiondestruction of or tampering with
evidence intimidation of potential witnessesseriously jeopardizing an
investigation (§ 2705)
2703(d) Application and Orders will contain a request for delayed notice – must state why
Can extend delay additional 90 days
Unopened e-mail > 180 days
If unopened and in storage for less than 180 days, use search warrant (§ 2703(a))
Warrant operates like a subpoena
No notice requiredExcept 9th Circuit
Preservation Request
A provider of wire or electronic communication service or a remote computing service, upon request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.
Voluntary Disclosure
Can you accept information voluntarily disclosed by ISP?
Providers may monitor and intercept real time communications for purposes of maintaining and protecting their equipment.
Is the ISP required to disclose such info?
Privacy Protection Act
“[I]t shall be unlawful . . . to search for or seize any work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or similar form of public communication . . .”
• Prohibits use of a search warrant for such materials
42 USC 2000aa
Privacy Protection Act
Provides additional protection to media from law enforcement searches
Response to US Supreme Court decision Zurcher v. Stanford Daily, 436 U.S. 547(1978)
Newspaper sued saying LE search violated First Amendment rights of paper
Basic PPA Rule
Act requires law enforcement to rely on cooperation from Media
Must use a subpoenaLess intrusive means to
obtaining evidenceOffers better protection to
innocent parties
Exceptions
Contraband or fruits or instrumentalities of a crime
Immediate seizure of materials necessary to prevent death or serious bodily injury
Probable cause that person possessing such material has committed or is committing a criminal offenseExcept if mere possession offense
Except child pornography
Who is Protected?
Bulletin boardsWeb pagesTV stationsAuthorsPublishers of any medium whose intent
is to publish information to the publicIncludes publishers of legal
pornography
Commingled Evidence
What do you do when both protected material under PPA and contraband are found on same hard drive?
Can you take computer?Once you realize that you have
protected material what do you do?Do you have an affirmative duty to
return protected material?
Cell Phones
THE CLOCK IS TICKING!!
EVERY SECOND YOU WAIT TO COLLECT EVIDENCE, THE MORE YOU LOSE!!
Cell Phones
Once you get the phone number:
Call the carrier ask whether the number was active and billable on their network during the time in question.
That one phone call will save hours
Cell Phones
If so, send preservation letter.
Follow up call to insure receipt.
Search Warrant to carrier.
Cell Phones
Search warrant for the following:
Billing Records
Carrier Key
CDR’S
Cell-Site information
Billing Records
Records the customer receives from carrier.
BR show ONLY completed and billable calls
BR show ONLY date, time, duration and number called or received from.
BR are incomplete for your investigation!!
Carrier Key
Must specifically request to receive
Provides acronyms, and any special instructions for interpreting their records.
Call Detail Records
Have to specifically ask for these.
WAY more information.
Date, time, duration, number called, calling party, call reference code, text, data, cell-site, sector.
Not all carriers give all this info.
Search Warrants
Include “text messages and MMS including all numbers sent to and received from, date, time, duration and all content related to each message”
Porting—remember a number that starts on AT&T can move to another service.
Tracfone—a booster phone. When sending search warrant, ask for “Notes and Footnotes.” Notes and Footnotes will tell you where device purchased, where payments were made and how.
Booster phones—generally operated by Sprint/Nextel
CELL TOWER DUMP
All activity on a particular cell-site for a specific time
TIME SENSITIVE!!
Each carrier has their own network of Cell-Sites
Need “Carrier Key”
TOWER DUMP
Recommended verbiage:
“Requesting a “Tower Dump” from all cell sites in the immediate area of (address or lat/long of your incident) that would support any and all communication including but not limited to calls, text messaging, data, walkie-talkie, push to talk…”
Tower Dump
ATT—90 days only 75$ per cell site 2 week turnaround
Metro—6 mos $50/site 2 weeks
Sprint/Nextel/Boost up to 24 months 0-50$ 2 weeks---special verbiage—”any tower in the area that would support communication…” that way you get all three
Tmobile—6 mos $100/per 2 weeks NO exigency
Verizon 90 days no charge 2 weeks
Electronic Evidence
Writings/Documents Documents Give me a RASHRelevance AuthenticitySecondary Evidence/Best Evidence Hearsay
Computer Evidence
3 Types
1. Those records generated by process
2. Those records generated by persons
3. Commingled
Evidence Developed by Process
Remember the definition
Statement or assertion or non verbal conduct
Of a PERSON
If not by a person, NOT hearsay
Examples
GPS data Cell Tower data Telephone toll
records Email header info Ip tracing Electronic banking
Log in records from ISP
Pin entries Phone numbers
called
U. S. v. Bellomo 176 F.3d 580
Not Hearsay
IP address is automatically generated by computer hosting newsgroup. No statement by person, thus not hearsay.
U. S. v. Hamilton 413 F. 3d 1138
Examples Persons (Hearsay)
Personal letter
Memo
Bookkeeping records
Records of business transactions inputted by persons
Hearsay Records
803(6). Business Records not for litigation
902(11) Certification
803(8) Police Computer Records
Computer Chat logs may include admissions. 801(d)(2) witnesses side of conversation gives context to D’s. U.S. v. Burt 496 F.3d 733
801D(2)(e) co conspirator Statements
Bullcoming v. New Mexico
Computer generated records MAY violate Confrontation Clause.
If the computer record is dependent upon human conduct that must be testified to to make the record valid, that witness must testify.
Examples Mixed
Email content and header
File with both written data and creation, access and modified dates
Chat logs that id participants with dates and times
Spreadsheets
Foundation
901(a) Lowest standard in law
Computer records are judged by same standard
901(b)(4) Distinctive characteristics
901(b) (9) Describing a process
902 Self Authentication
902(8) Acknowledged Docs—emails, texts, chats
Foundation
Ultimately just has to be person who “has knowledge that a matter is what it is claimed to be.”
901(b)(4) Distinctive characteristics of email include the “@” symbol, email addresses with the person’s name connected to the email, and people’s name on To and From or signature line. U.S. v. Siddiqui 235 F.3d 1318
Objection IP Address
“Objection hearsay!”Hearsay is an out of court statement by a PERSONNOT HEARSAY--Admissible with authentication
E-mail headersSecurity logsBilling recordsHash value/date and time stamps
The Objections
You get the local AOL Security Officer to testify to records:
(1) “Your honor, this person is only a security guard without any formal background or training. She’s not qualified to testify to the records systems.”
(2) “All she knows is what she sees on the screen. She doesn’t know anything about how the hardware and software run. So she’s incompetent to testify about the mode of preparation.”
(3) “She only learned what she learned from talking to others. Her testimony is based on hearsay and objectionable.”
Your response: “Oh %&*&!!! I have a RASH!
The Objections
As to the Identifying information: (6) “How do we know that these entries
were made at or near the time of the event? All we have are these computer entries!”
(7) “This is a print-out of the database, not the database itself. How do we know the print-out is accurate? You know those crazy printers.”
(8) “This witness didn’t gather the record. She only brought it to court.”.
The Objections
As to the Internet Tracing:(9) “What do we really know about the Internet? It’s just a collection of wires. How do we know this Who-Is service is accurate? Maybe there are hundreds of domain names and hundreds of e-mail accounts that are the same as this.”(10) “It would take an expert to tell us about the Internet. This cop is no expert, just a flat foot with a laptop.”
The Objections
As to the ISP e-mail account:(11) “This is more information that is
unreliable. The source isn’t the company, it’s the person who opened the account. It’s not a business record.”
The Objections
As to all of the information: (12) “Who put the numbers on the
machines? The computer. It’s the declarant. I should have the right to cross-examine the computer itself.”
ICAC Training & Technical Assistance Program
The Objections
(13) “Where’s the custodian? I have an absolute right to cross-examine the custodian!”
The Objections
“They cannot show that the electronic record has not bedn tampered with or changed, so there is no authenticity.”
The Objections
The possibility of alteration is not sufficient to exclude electronic evidence. As with paper documents, the mere possibility of alteration is not sufficient to exclude electronic evidence. It is a weight, not admissibility issue.
U.S. v. Bonallo 858 F.2d 1427 (9th)
Objections
“We don’t know who actually sent this email/was on this chat etc.”
Objections
Circumstantial evidence establishes authorship. Email addresses, IP addresses, signature blocks and content can get past authenticity. U.S. v. Simpson 152 F.3d 1241
Website Authentication
Printouts of website are not self authenticating. U.S. v. Jackson 208 F. 3d 633
Need to call someone who is familiar with the site or viewed it contemporaneously to your crime.
ICAC Training & Technical Assistance Program
The Objections
AOL responds to subpoena duces tecum by copies of identifying information and billing records They also send e-mail, along with an FRE 902(11) declaration.But there is no custodian present.Admissible?
ICAC Training & Technical Assistance Program
Relevance
401 Simple
ICAC Training & Technical Assistance Program
Authentication
803(6) Report/Record/data compilation 902 Self Authentication “Do you recognize Court Exhibit # 1?”“What is it?”“Where did it come from?”
ICAC Training & Technical Assistance Program
The Basic § 803(6) Requirements
The writing was made in the regular course of business.The writing was made at or near the time of the act, condition, or eventThe custodian or other representative testifies to its identity and mode of preparation; andThe sources of information and method and time of preparation were such as to indicate its trustworthiness.No Crawford implications
ICAC Training & Technical Assistance Program
The Object of the Exercise
. . . Is to show how the computer generated records satisfy all four of these requirements.
OR – alternatively
How the computer generated document is authenticated as a document and relevant as such without reference to its hearsay content.
ICAC Training & Technical Assistance Program
Practice Point
Write a trial brief on these issuesThe defense will focus on “the perils of unknown information.” Court is uncomfortable with electronic evidence.Acquaint the Court with the issues and authorities before you start.
ICAC Training & Technical Assistance Program
The Forest Before the Trees – the Right Metaphor
FRE 104 foundation is not rigid or formalistic.Could a reasonable jury find by a preponderance of the evidenceIt is NOT a checklist, each item of which must be marked off before the item is admittedThe Right Metaphor is topics in a theme, each of which must be addressed in the showing
ICAC Training & Technical Assistance Program
The Forest Before the Trees – Weight v. Admissibility
Case authority repeatedly emphasizes reliability is NOT the same as infallibility.
A business record may be trustworthy and still be found to contain errors.
ICAC Training & Technical Assistance Program
The Forest Before the Trees – The Fundamental Authority
People v. Lugashi (1988), 205 Cal. App 3rd 632Case involved the use of stolen credit card numbers to post phony sales transactions. Wells Fargo Bank was the victim.
The transactions were posted by telephone.
Proof of the records involved a description of Wells Fargo’s entire data processing system, which involved transfers from phone records to magnetic tape, dump to computer, software processing, etc.
ICAC Training & Technical Assistance Program
The Forest Before the Trees – The Fundamental Authority (con’t.)
The witness providing the foundational showing was a Loss Prevention Offc.LPO knew the system and case cold, but lacked any formal computer trainingFoundation was attacked on appeal.Case affirmed with great language.
ICAC Training & Technical Assistance Program
The Objections Revisited
“Your honor, this person is only a security guard without any formal background or training. She’s not qualified to testify to the records systems.”
Response – anyone who knows the system can serve as an adequate company representative. Do not have to have written the computer programU.S. v. Salgado 250 F3d. 438
ICAC Training & Technical Assistance Program
The Objections Revisited
(2) “All she knows is what she sees on the screen. She doesn’t know anything about how the hardware and software run. So she’s incompetent to testify about the mode of preparation”
Response –Don’t need an expert.
A person who generally understands the system's operation and possesses sufficient knowledge and skill to properly use the system and explain the resultant data is a qualified witness. Lugashi.
ICAC Training & Technical Assistance Program
The Objections Revisited
(3) “She only learned what she learned from talking to others. Her testimony is based on hearsay and objectionable.”Response – This objection has been considered and dismissed. Most people have learned what they learned listening to others.
ICAC Training & Technical Assistance Program
A Final Comment on the Hearsay Objection
The point of §1271/803(6) is to eliminate the necessity of calling multiple witnesses for one transaction.
“The object of Evidence Code section 1271/803(6) is to eliminate the calling of each witness involved in preparation of the record and substitute the record of the transaction instead [cit. omit].” County of Sonoma v. Grant W. (1986), 187 Cal. App. 3d 1439 at 1451. Accord, People v. Matthews (1991) 229 Cal. App. 3rd 930 at 940 – and of course Lugashi
ICAC Training & Technical Assistance Program
The Objections Revisited (Internet Trace)
“(10) It would take an expert to tell us about the Internet. This cop is no expert, just a flat foot with a laptop.”
Response – Evidence Code §702 indicates the specialized knowledge of an expert can be based on `skill, experience, and training’ as well as education.
Query whether basic `Internetology’ requires anything more than lay opinion these days. 701
It almost certainly will not in the near future.
ICAC Training & Technical Assistance Program
The Objections Revisited (internet Trace)
“What do we really know about the Internet? It’s just a collection of wires. How do we know this Who-Is service is accurate? Maybe there are hundreds of domain names and hundreds of e-mail accounts that are the same as this.”
Response – no case law this time, but there is a dead on statuteEvidence Code §803(17) – the “phone book” exception
ICAC Training & Technical Assistance Program
Evidence Code §803(17)
Evidence of a statement, other than an opinion, contained in a tabulation, list, directory, register, or other published compilation is not made inadmissible by the hearsay rule if the compilation is generally used and relied upon by persons in particular occupations. Dead on to the directories of business and TSP sites maintained by Network Solutions, Who Is, Sam Spade, and so on.Literally the same as the phone book
ICAC Training & Technical Assistance Program
Pushing the Envelope (Practice Tip)
What is Today’s Expertise is Tomorrow’s Common KnowledgeRemind the Judge that there was a time when the operations of the telephone, television, radio, and so forth, were esoteric and the subject of expertise. Although some of these still are, the basics are not and jurors follow them easily.Most foundational matter with respect to computer operations are very basic and increasingly understood as a matter of everyday experience.The threshold showing of reliability thus becomes easier to make, as it has with other technology.
ICAC Training & Technical Assistance Program
The Objections Revisited (E-Mail Account)
“(11) This is more information that is unreliable. The source isn’t the company, it’s the person who opened the account. It’s not a business record.”Response – the document is being admitted not as the record of an `act, condition, or event’, but as a document, i.e, the account information on the account just happens to be the personal information of the defendant.Ascertainable from the `face’ of the document, as it were.The record is thus subject to the liberal authentication procedures of Evidence Code §901/ 902
ICAC Training & Technical Assistance Program
The Objections Revisited
(12) “Who put the numbers on the machines? The computer. It’s the declarant. I should have the right to cross-examine the computer itself.” Response – as farcical as this sounds, the objection has been made in practice.People v. Hawkins (2002) 98 Cal. App 3d. 1428 is dispositive. `Mechanical’ computer functions are proved up by showing that the machine was working properly.
ICAC Training & Technical Assistance Program
The Objections Revisited (Absence of Custodian)
(13) “Where’s the custodian? I have an absolute right to cross-examine the custodian!”
Response: Does he? Really? Think about it He has no statutory right, because Evidence C.
803(6) §902(11) provides that the affidavit is sufficient
So he must be talking about a Constitutional right. Does the right to confront and cross-examine
witnesses really extend to bare bones foundational showings provided by affidavit?
Crawford says no.
ICAC Training & Technical Assistance Program
The Objections Revisited (Absence of Custodian)
However, if this seems a bit too audacious to you: (1) All Evidence C. §803(6) requires is an
authorized representative. (2) If the hotel is a national chain, use a
local (3) If not, it almost certainly uses the
services of an accounting firm with national affiliations.
(4) A member of the local branch of the accounting firm who has familiarized him- or herself with accounting practices, should do fine.
ICAC Training & Technical Assistance Program
Common Areas for Digital Evidence
Warrants Subscriber account info
InterNIC/WhoIS
Sources of Evidence Web pages
IRC/Chat
Computer Forensic Exams File structure
Recovery of deleted files
Recovery of text and images
Our Approach What you get
How to get it admitted
How to present it
Working with Your Forensic Examiner
ICAC Training & Technical Assistance Program
Evidence Code Section 1001(3)-(4)
Printed Representation of Computer Information
A printed representation of computer information or a computer program is presumed to be accurate
The presumption is rebuttable
If rebutted by evidence, accuracy must be established by a preponderance of the evidence
ICAC Training & Technical Assistance Program
Authentication/Best Evidence
Now what?
EC 1003 - Secondary Evidence Rule
Content of a writing may be proved by otherwise admissible secondary evidence
Unless a genuine question is raised as to the authenticity of the original
or unfair to admit the copy
ICAC Training & Technical Assistance Program
A printed representation of images stored on video or digital media is presumed accurate
The presumption is rebuttable
If rebutted by evidence, accuracy must be proven by a preponderance of the evidence
Evidence Code Section 1001(3)(4);
1003 Printed Representation of Images Stored on Video
or Digital Medium
ICAC Training & Technical Assistance Program
Oral testimony is admissible if: The writing is excessive and would
consume court time Evidence sought is general result of
whole
Can use charts, summaries, diagramsConsider using for: Log files Summary of files or applications on examined drive Web browsing history Timeline for who was home when access to files
occurred
Admissibility of Oral EvidenceRule 1006
ICAC Training & Technical Assistance Program
ISP Warrant Results
Subscriber Account InformationAccount HistoryLogs Format Letter from ISP summarizing results Computer generated printout
ICAC Training & Technical Assistance Program
Admissibility of ISP Warrant Return
Authentication
Hearsay
Presentation
ICAC Training & Technical Assistance Program
Hearsay and ISP Warrant Return
How to we get the warrant results admitted?Business records
Where is your custodian?
SDTDo the records still exist?
Computer-generated record not hearsay? Basis for expert opinion
* Evidence not actually admitted
Safe practice - Immediately follow warrant with SDT
ICAC Training & Technical Assistance Program
Authentication
Evidence sufficient to show what you claim it is (EC 901)
Have receiving officer authenticate warrant return Originator’s testimony not necessary - EC 903
Received in response to communication to author - EC 901(b)(4)
Content - EC 901(b)(4)
EASY-902(11) with Sw return
ICAC Training & Technical Assistance Program
IRC/Chat Room Conversations
Authentication? Officer/victim who preserved text Forensic examiner who recovered text Must establish ID of suspect’s screen nameHearsay? Non Hearsay: Motive, ID, intent, state of
mind EC 801(d)(2)(a) - Statement of a Party EC 801(d)(2)(e)- Co-Conspirator Statements EC 801(d)(1)(a) - Prior Inconsistent
Statement EC - Past Recollection Recorded