Working Effectively with Law Enforcement: How to Protect the Privacy of Your University Community Without Going to Jail Michael Corn Director, Security Services and Information Privacy University of Illinois at Urbana-Champaign Office of the CIO

Working Effectively with Law Enforcement: How to Protect the Privacy of Your University Community Without Going to Jail

Michael Corn
Director, Security Services and Information Privacy
University of Illinois at Urbana-Champaign
Office of the CIO

Presentation Topics

Working effectively with LEAs protects privacy

You are not alone: it takes a team to respond to a subpoena

What knowing your environment means

Advice on handling an investigation

References

Themes and Assumptions

Working with law enforcement is no longer exceptional but typical

We have a legal obligation to comply with valid documents

Proper handling of law enforcement requests enhances the privacy accorded members of your campus community

It Takes a Team

Develop a firm and clear understanding of responsibilities and roles

There are three critical positions that can handle 100% of most incidents and 95% of the rest

Security Officer, Legal Counsel, Campus Police

Campus Police

Validate credentials

Have deep contacts in Law Enforcement

Bring a level of comfort to agents of LEAs

Partners in a variety of incidents:
– Harassment
– Laptop theft
– Identity theft / SSN disclosures

Consider whether they are internal or external to Institution

Campus Counsel

Validate all legal documents

Interpret type of request: subpoena, preservation request, search warrant, NSL, etc.

Interpret request elements: data, dates/times, identities, etc.

Should be highly familiar with relevant campus policies, such as your Appropriate/Acceptable Use and Infosec

Security Officer

Advises on technical capabilities / hurdles

Advises on impact and visibility

Advises on what is available

Collection of evidence / information

Words of Advice to Security Officers

Keep judicial, legislative, investigative and interpretive roles separate

Regulation != Common Sense

Having a law degree does not make you the University’s Counsel

Know your Environment

Focus on those elements of your environment that are likely to be relevant to a request for information:

– Log files
– Email (and email traffic logs)
– s/Flow data
– Authn/z logs
– Technical contacts in units
– Which units provide their own IT services?
– How long are backups stored and how much work is it to do a restore?

“If you can’t count something you don’t control it”
Mike’s dictum

Know your Environment (cont.)

Discuss the possibility of confidential investigations with your service managers and their supervisors (i.e., middle managers)

Emphasize that you’re helping to insulate them from crises

Buy your network engineers lunch. Regularly

Handling an Investigation - confidentiality

Confidentiality
– Understand your obligations with regard to confidentiality.

“In accordance with 18 U.S.C. section 2709(c) (1), I certify that a disclosure of the fact that the FBI has sought or obtained access to the information sought by this letter may endanger the national security of the United States...and (2) prohibits you, or any officer, employee, or agent of yours, from disclosing this letter, other than to those to whom disclosure is necessary to comply with the letter or to an attorney to obtain legal advice...”

ACLU: http://www.aclu.org/natsec/warpowers/21261prs20051107.html
FBI: http://www.fbi.gov/pressrel/pressrel07/nsl030907.htm

National Security Letter (NSL) quote found via Google search.

Confidentiality (cont.)

Discuss with the agent(s) in charge of an investigation whom you wish to inform of the investigation and why. This includes:
– your supervisor
– campus/University Officers (Provost, Chancellor, etc.)
– unit heads
– technical staff

Develop internal procedures that control the materials and information of legally restricted documentation.

Buy a safe for storing legal documents and evidence.

Handling the Investigation – impact

Minimizing the impact of the investigation

– Work with the agent(s) in charge of an investigation to review what they are looking for and what will not be useful to them.

– Work with law enforcement agents to better understand your environment and narrow the scope of information requests.

Narrowing the Scope of a Request I

Original

“Provide all records, logs, transaction records, connection records, email headers and IP numbers for the account and computers associated with Bullwinkle J. Moose and the account [email protected] from Jan 1st 2007 to present.”

Narrowing the Scope of a Request II

[email protected] redirects to [email protected]

Physics.whatsamattau.edu not centrally provided (do they log sendmail at physics?)

[email protected] also exists as [email protected]

Email accounts accessible from any IP on campus

Bullwinkle reads most of his mail from a multi-user machine

Flow logs from that machine show traffic from multiple users

Bullwinkle has logged into any number of campus services in the last 8 months

Narrowing the Scope of a Request III

Discuss with agent:

– Email redirection
– And Legal if bullwinkle@physics… is covered by document
– Flow logs don’t help with email
– Central IT account is unused
– Campus authentication records
– Capturing multi-user machine will endanger confidentiality of investigation
– Multi-month restore will endanger confidentiality of investigation
– Need to work with departmental IT staff

May require working with unit head or IT staff supervisors

None of this will matter if the LE agent doesn’t trust and have confidence in you.

Narrowing the Scope of a Request IV

New Preservation Request

“Please retain all existing email and backups of the email account associated with the email address [email protected] from the period Jan 1st 2007 to present.”

New Data Request

“Please provide all email headers from existing email from the account associated with the email address [email protected] from the period Jan 1st 2007 to present.”

Summary

Create a policy to address the handling of all legal documents.

Form a team consisting of the security officer, legal counsel, and campus police.

Put campus legal counsel on your telephone speed-dial.

Meet with provost and/or chancellor to discuss law enforcement requests and investigations.

Review and document the salient features of your environment, including your institutional policies on data release and retention.

Understand your obligations with regard to confidentiality.

Discuss with the agent(s) in charge of an investigation whom you wish to inform of the investigation and why.

Work with the agent(s) in charge of an investigation to review what they are looking for and what will not be useful to them.

Work with law enforcement agents to better understand your environment and narrow the scope of information requests.

Develop internal procedures that control the materials and information of legally restricted information.

Buy a safe for storing legal materials.

References & Contact

Guidelines for Working with Law Enforcement Agencies. Michael Corn. Educause Quarterly, Vol. 30 No. 3. http://www.educause.edu/apps/eq/eqm07/eqm0738.asp

Educause Policy and Law Constituent Group http://www.educause.edu/groups/icpl/

Contact: Michael Corn, [email protected]