Paul Ohm Associate Professor, CU Law Initiative Director, Silicon Flatirons December 4, 2009.

A Gentle Introduction to the Electronic Communications Privacy Act


  • Slide 1
      • Paul Ohm Associate Professor, CU Law Initiative Director, Silicon Flatirons December 4, 2009

  • Slide 2
      • Background and History
      • Wiretap Act and Pen Register and Trap and Trace Act
      • Stored Communications Act

  • Slide 3
      • Background and History
      • Wiretap Act and Pen Register and Trap and Trace Act
      • Stored Communications Act

  • Slide 4
      • 1928: Olmstead v. United States
      • 1934: Communications Act
      • 1967: Katz v. United States
      • 1968: Omnibus Crime Control and Safe Streets Act: Title III Wiretap Act
      • 1986: Electronic Communications Privacy Act
      • 2001: USA PATRIOT Act

  • Slide 5
      • Privacy on telephone and data networks
      • Rules for government access
      • Rules for sharing by providers
      • Criminalizes certain privacy invasions

  • Slide 6
      • Background and History
      • Wiretap Act and Pen Register and Trap and Trace Act
      • Stored Communications Act

  • Slide 7
      • The Wiretap Act governs monitoring in real-time
      • Traditional telephone wiretaps
      • Internet packet sniffers

  • Slide 8
      • The Wiretap Act prohibits the interception of wire or electronic communications
      • Five-year felony
      • Unless an exception applies

  • Slide 9
      • Dozens
      • Several used commonly in criminal investigations
      • Court order
      • Consent of a party to the communication
      • Provider self defense

  • Slide 10
      • Wiretap order permits interception
      • Many hurdles
      • Super warrant
      • Probable cause
      • Limited time
      • Minimization
      • Necessity

  • Slide 11
      • Interception allowed if a party to the communication has given prior consent to such interception
      • Possible sources:
      • Banner
      • Terms of service
      • Employment agreements

  • Slide 12
      • Provider can monitor to protect the rights or property of the provider
      • Provider can share results of past monitoring with law enforcement

  • Slide 13
      • The Pen Register and Trap and Trace Act governs real-time collection of non-content information about a user such as:
      • Addresses on inbound/outbound email
      • Internet addresses for websites visited by a user
      • List of addresses from which visitors to website originate
      • Does not include content
      • Almost no hurdle for government whatsoever

  • Slide 14
      • Background and History
      • Wiretap Act and Pen Register and Trap and Trace Act
      • Stored Communications Act

  • Slide 15
      • The Stored Communications Act governs stored information held by certain communications providers

  • Slide 16
      • Type of Provider
      • To the public versus only non-public
      • Providing communications versus storage/processing services
      • Providing those services versus other services
      • For Content
      • Fresh versus stale
      • Unopened email versus opened email
      • For Non-content
      • Detailed transactional records versus basic subscriber information

  • Slide 17
      • Electronic Communications Services
      • Email
      • Phone
      • IM
      • Text messages
      • Remote Computing Services
      • Computer storage
      • Online backup services, photo hosting
      • Processing services
      • Amazon's EC2

  • Slide 18
      • Google search
      • Google books
      • CNN.com
      • Amazon / eBay

  • Slide 19

  • Slide 20
      • Basic Subscriber Information can be obtained with a mere subpoena
      • Means
      • Name & address
      • Local and LD telephone toll billing records
      • Telephone number or other account identifier (such as username or screen name)
      • Length & type of service provided
      • Session times and duration
      • Temporarily assigned network address
      • Means and source of payment

  • Slide 21
      • Everything that is not basic subscriber information but is also not content
      • Means
      • Audit trails / logfiles
      • Identities of e-mail correspondents
      • Can be obtained with a court order
      • 2703(d) order
      • "specific and articulable facts showing that there are reasonable grounds to believe that [the requested records] are relevant and material to an ongoing criminal investigation"

  • Slide 22
      • Rules are somewhat in flux due to Theofel v. Farey-Jones, 341 F.3d 978 (9th Cir. 2003)
      • Some contents require a search warrant
      • Pre-Theofel: Unopened email
      • Theofel: All email

  • Slide 23
      • Some contents obtainable with mere subpoena
      • Pre-Theofel: Opened email
      • Theofel: Almost no email
      • Also: Non-email stored files, stale email
      • Subpoena must include notice to subscriber
      • May be delayed 90 days

  • Slide 24
      • Providers not to the public may disclose anything to anyone.
      • Unregulated by SCA
      • Providers to the public must look to statutory exceptions

  • Slide 25
      • Public providers may voluntarily share non-content with any non-governmental party for any reason

  • Slide 26
      • Public providers may voluntarily share non-content and content with government only when:
      • Consent to do so exists (terms of service)
      • To protect rights and property
      • If provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure

  • Slide 27
      • Three panels
      • Two on ECPA reform