					  EFF 2009     May 11, 2009
Bootcamp 2.0   Golden Gate University




     Best Practices for OSPs:
        Law Enforcement
      Information Requests


          Kurt Opsahl, Senior Staff Attorney
             Kevin Bankston, Staff Attorney

       What kind of best practices?

 • Intermediaries that enable online
   speech can also become chokepoints to
   cut off that speech
 • Best practices for responding to
    – Law enforcement information requests
    – Civil subpoenas
 in a manner that protects ISPs and users

       Overview: Responding to Legal
           Information Requests
 •   How is your ISP classified under the
     law?
 •   What information does your ISP have
     and what may be sought?
 •   What legal process must be provided?
 •   What procedures should your ISP
     employ in responding to requests?

                Best Practices
 Best practices:
    – Require proper legal process
    – Minimize logging
    – Develop a policy for user notice
    – Establish a record retention policy
    – Internal training

   What type is your ISP under ECPA?
 • The Electronic Communications Privacy Act
   defined two types of ISPs:
 • Electronic Communications Service to the
   extent you permit users to communicate with
   each other
 • Remote Computing Service to the extent you
   permit users to store communications or
   other information

    What Information Do You Have?

 • Some things are obvious like Log Files,
   but not what they contain
 • May also store Email, User ID,
   Connection Info, Search Queries, URLs,
   Cookies, Unique Identifiers and IP
   Addresses
 • Other things?

          Do You Need the Logs?

 • If you don’t have it, you can’t be forced
   to produce it
 • Can reduce compliance costs by
   minimizing information retained
 • Keep minimum logs for needs, and
   regularly delete unneeded information
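As an added illustration of the "keep minimum logs, regularly delete" practice above (example code written for this page, not from the EFF deck): a small Python pipeline that drops log fields the service does not need, coarsens client IP addresses to a network prefix, strips query strings from request paths, and purges records older than a retention window. The JSON-lines log format, the KEEP_FIELDS set, the 30-day window, the fixed clock and the sample log lines are all assumptions constructed for the example.

```python
"""Log minimization plus retention sweep.

Added example (not from the EFF deck). Assumes a hypothetical JSON-lines
access log, a hypothetical set of fields the service really needs, and a
hypothetical 30-day retention window.
"""
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Hypothetical: the only fields this service needs for abuse handling and
# capacity planning. Anything not listed (user_id, cookie, user_agent, query
# strings) is dropped before the record is written, so it can never be
# produced in response to a request.
KEEP_FIELDS = {"ts", "client_ip", "method", "path", "status", "bytes"}
RETENTION_DAYS = 30  # hypothetical retention window

# Constructed sample lines (RFC 5737 / RFC 3849 documentation addresses).
RAW_LINES = [
    '{"ts": "2009-05-10T08:00:00Z", "client_ip": "198.51.100.23", '
    '"user_id": "u123", "method": "GET", "path": "/search?q=medical+condition", '
    '"status": 200, "bytes": 1532, "cookie": "sid=abc123", "user_agent": "x"}',
    '{"ts": "2009-03-01T12:00:00Z", "client_ip": "2001:db8:abcd:1234::1", '
    '"user_id": "u456", "method": "GET", "path": "/video/4711", '
    '"status": 200, "bytes": 987654, "cookie": "sid=def456"}',
    '{"ts": "2009-05-11T09:30:00Z", "client_ip": "203.0.113.77", '
    '"method": "POST", "path": "/login", "status": 302, "bytes": 0}',
]
# Constructed clock so the retention result is deterministic.
NOW = datetime(2009, 5, 11, 12, 0, tzinfo=timezone.utc)


def truncate_ip(ip_str: str) -> str:
    """Coarsen an address to its /24 (IPv4) or /48 (IPv6) network prefix."""
    ip = ipaddress.ip_address(ip_str)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def minimize(record: dict) -> dict:
    """Keep only needed fields, coarsen the client IP, strip query strings."""
    out = {k: v for k, v in record.items() if k in KEEP_FIELDS}
    if "client_ip" in out:
        out["client_ip"] = truncate_ip(out["client_ip"])
    if "path" in out:
        # Query strings carry search terms and identifiers; keep the route only.
        out["path"] = out["path"].split("?", 1)[0]
    return out


def parse_ts(ts: str) -> datetime:
    """Parse the log's UTC timestamp format (assumed: ISO 8601 with 'Z')."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def purge_expired(records, now, retention_days=RETENTION_DAYS):
    """Return (kept, purged_count), dropping records older than the window."""
    cutoff = now - timedelta(days=retention_days)
    kept = [r for r in records if parse_ts(r["ts"]) >= cutoff]
    return kept, len(records) - len(kept)


def process_batch(lines, now, retention_days=RETENTION_DAYS):
    """Parse raw JSON lines, minimize each record, then apply retention."""
    records = [minimize(json.loads(line)) for line in lines]
    return purge_expired(records, now, retention_days)


if __name__ == "__main__":
    kept, purged = process_batch(RAW_LINES, NOW)
    print(f"purged {purged} expired record(s); kept {len(kept)}")
    for rec in kept:
        print(json.dumps(rec, sort_keys=True))
```

Minimization runs before the record is ever stored, and the retention sweep is a separate, scheduled step; both decisions are expressed as data (the field set and the window) so a retention policy can be reviewed rather than reverse-engineered from code. A per-class window, such as a shorter one for records tied to specific video requests, is a natural extension of the single constant used here.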



  Background: ECPA, SCA, Title
         III and FISA
 •   Electronic Communications Privacy Act
 •   Stored Communications Act
 •   Title III is the Wiretap Act
 •   Foreign Intelligence Surveillance Act

          Background: ECPA
 • Electronic Communications Privacy Act
   amended the Wiretap Act to cover
   electronic communications (i.e. email)
    – SCA is part of ECPA

            Background: SCA
 • The Stored Communications Act regulates
   when an electronic communication service
   provider may disclose the contents of or other
   information about a customer’s emails and
   other electronic communications to third
   parties.
    – Contents of communications may not be disclosed
      to civil litigants even when presented with a civil
      subpoena.

        Background: Title III
 • Title III makes it unlawful to listen to or
   observe the contents of a private
   communication without the permission
   of at least one party to the
   communication and regulates real-time
   electronic surveillance in federal
   criminal investigations.
    – Many states require all-party consent

          Background: FISA
 • The Foreign Intelligence Surveillance
   Act authorizes federal agents to conduct
   electronic surveillance, as part of a
   foreign intelligence or
   counterintelligence investigation,
   without obtaining a traditional,
   probable-cause search warrant

         Classification of Information
 • Basic Subscriber Information (name, address,
   equipment identifier such as temporary IP
   address, and means and source of payment)
 • Other Information (clickstream, location)
 • Wiretap, Pen Register or Trap and Trace
 • Content - Real Time and Stored

   Records of Videos Watched
 • The most highly protected piece of personal
   information under the law:
    – “information which identifies a person as having
      requested or obtained specific video materials or
      services from a video tape service provider”
       • Not limited to “tapes”, includes a/v material
       • Must be destroyed “as soon as practicable, but no later
         than one year from the date the information is no longer
         necessary”
 • Contact your legal counsel before disclosure
   pursuant to legal process

         Location Information
 • Majority of courts require probable cause
   warrants for disclosure of real-time or
   prospective location information
    – DOJ asserts a lower standard
 • Contact your legal counsel before disclosure

                 Legal Standards
 • Basic Subscriber Information: Subpoena or
   better (Gov’t may not use civil subpoena)
 • Other Information: 2703(d) order or better
 • Dialed digits: Pen Register or better
 • Real Time Content: Title III order
 • Stored Content < 180 days: search warrant
 • Stored Content > 180 days: subpoena or
   better
 • Video records: Warrant or court order

  Exception: Emergency Cases
 • Customer Information/Content Standard: ISP
   reasonably believes that an emergency
   involving immediate death or serious physical
   injury to any person requires disclosure of
   contents or justifies disclosure of records
    – Get the justification in writing

     National Security Letters
 • FBI may compel the production of
   "subscriber information and toll billing
   records information, or electronic
   communication transactional records"
   through National Security Letters.
    – Generally NSLs must be kept secret
    – May contact legal counsel.

                  FISA Orders
 • Pursuant to FISA, the gov’t may provide
   FISA court order or other process under
   the FISA Amendments Act
    – Contact legal counsel
    – EFF would love to challenge the FAA

   A visit by Suits with Shades
 • If you get a personal visit from Law
   Enforcement, call your company’s
   lawyer.
    – Often, just an informal request for
      assistance
    – Safest course is to get legal counsel early

      Provide Notice to Users
 • Best practice is to provide notice where
   possible, so the user can move to quash
 • LEAs need an order to prevent notice
   on subpoenas
 • Notice may be delayed under ECPA

        Backup Preservation
 • Any LEA can request by any means
 • Notify LEA, but do not deliver info
 • LEA notifies user - starts 14 day clock
   for user objection
 • Absent objection, must provide data
   upon receipt of proper process

               Reimbursement
 • Yes for subpoenas
 • Yes for technical assistance (not
   required to redesign, just help)
 • Yes for special requirements, backup
   preservation, etc
 • Yes for all civil requests

          Provider Exception
 • Provider exception grants service
   providers the right "to intercept and
   monitor [communications] placed over
   their facilities in order to combat fraud
   and theft of service."

          Accessible to Public
 • Privacy laws have an exception for electronic
   communication made through a system "that
   is configured so that . . . [the] communication
   is readily accessible to the general public."
    – If information sought by LEA is publicly available,
      you can tell them to get it themselves
    – In some cases authentication may be required

   Penalties and Safe Harbors
 • May face lawsuits for improper
   disclosure
 • You are protected from civil actions if
   you rely in “good faith” upon
   appropriate legal process
 • Do not disclose information without
   being sure you have the right process

           Parting Thoughts
 • Always get it in writing to preserve
   immunities
 • Your ISP is not the agent of an LEA
 • State and Local rules may be more
   strict
 • If in doubt, ask the lawyers

           Help Us Help You
 • Let us know when you receive questionable
   over-reaching requests

                      415.436.9333
                  information@eff.org

                   http://www.eff.org
                    http://ilt.eff.org