
Lawful Access Issues and Challenges for University Networks

Lawful Access Issues and Challenges for University Networks. Marc J. Zwillinger, Elizabeth Banker, Zwillinger Genetski LLP, April 7, 2011. Agenda: Understanding Universities' obligations related to Law Enforcement and Civil Demands; Developments in privacy-related litigation


Presentation Transcript


  1. Lawful Access Issues and Challenges for University Networks • Marc J. Zwillinger, Elizabeth Banker, Zwillinger Genetski LLP • April 7, 2011

  2. Agenda • Understanding Universities' obligations related to Law Enforcement and Civil Demands • Developments in privacy-related litigation • Lawful Access issues on the horizon for Universities • Other issues for Universities related to security and privacy

  3. Types of Requests for Records • Federal, state and local law enforcement issued subpoenas, court orders and warrants • National Security Requests issued under National Security Letter authority, FISA or the FAA • Civil subpoenas issued under DMCA subpoena provision • Civil subpoenas issued in private litigation • Requests without legal process: • Deceased students • Complaints

  4. FERPA: Does It Affect This? • Family Educational Rights and Privacy Act of 1974, 20 U.S.C. § 1232g; 34 CFR Part 99. • Prohibits disclosure of certain student records without student or parental consent. • Universities may disclose educational records in response to a subpoena or court order with prior notice to the student or parents. • No notice is necessary if: • Grand jury subpoena with court order to not provide notice • Court order and told not to provide notice • AG terrorism court order (ex parte) • Emergencies

  5. The Electronic Communications Privacy Act: Core Requirements for Lawful Access • ECPA has two primary parts: • The Wiretap Act (also known as Title III) governs real-time access to the contents of electronic communications • Codified at 18 U.S.C. § 2510 et seq. • The Stored Communications Act (“SCA”) is the portion of ECPA that specifically governs stored records and communications • Codified at 18 U.S.C. § 2701 et seq. • Other parts of ECPA: • Pen Register Trap and Trace Statute, 18 U.S.C. § 3121

  6. The Wiretap Act • Governs real-time intercept of electronic and wire communications • Federal law prohibits intercept of communications unless an exception applies: • Consent (one party) • Title III Wiretap Order issued by law enforcement • Protection of Rights and Property of Providers • State wiretap laws are similar, except: • Twelve states require two-party/all-party consent for a valid exception to the prohibition on intercept

  7. Avoiding Potential Intercept Liability • Special Issues for Universities • Students or School officials recording classes • Email scanning for prohibited content/conduct • Archiving chat, IM, or other conversations conducted through interactive webpages • How to deal with two-party/all-party consent requirements? • Implied consent • Affirmative consent

  8. The Stored Communications Act: How does it apply to Universities? • Covered entities defined in SCA are “Electronic Communications Services” (ECS) and “Remote Computing Services” (RCS) • ECS defined as “any service which provides to users thereof the ability to send or receive wire or electronic communications” • RCS defined as “the provision to the public of computer storage or processing services by means of an electronic communications system” • What does “to the public” mean? • What public services do you offer – just broadband access, or more? • Restrictions on voluntary disclosure of information (for ECS and RCS) turn on whether University offers services “to the public” • Restrictions on compelled disclosures do not.

  9. SCA Categories of Information: What Types of Data are Protected by the SCA? (Statutory Definition, followed by Plain Language) 1) Statutory Definition: “contents of a communication while in electronic storage”. Plain Language: contents of messages or emails 2) Statutory Definition: “contents of a communication which is carried or maintained on that service on behalf of, and received by means of electronic transmission from a subscriber or customer of the service”. Plain Language: contents in stored files 3) Statutory Definition: “a record or other information pertaining to a subscriber to or customer of such service not including contents under A or B”. Plain Language: any non-identity, non-content record kept about a subscriber 4) Statutory Definition: “name, address, telephone records, session times and duration, length of service, start date, types of service utilized, telephone number or other subscriber # or identity, network address, means and source of payment”. Plain Language: basic identity information about the subscriber

  10. Basic Subscriber Information • Can be obtained through trial, grand jury or administrative subpoena under § 2703(c)(2) • name & address • local and long distance billing records • telephone number or other account identifier (such as username or “screen name”) • length & type of service provided • Session times and duration • Temporarily assigned network address (IP Address) • Means and source of payment (cc# or bank acct) • Limited to specifically listed records

  11. Transactional Records • Scope: • Not content, not basic subscriber • § 2703(c)(1)(B) • Everything in between • identities of connections or email correspondence • Subscriber info not specified in 2703 (c)(1)(c) (e.g., DOB, gender, DL #, etc) • Connection information • Obtainable with § 2703(d) court order • Issued based on showing of “specific and articulable facts” of relevance to “criminal investigation” • Intermediate standard between subpoena (relevance) and search warrant (probable cause) • Delayed Notice available under § 2705

  12. Content of Communications: The Evolving Standard for Email • “Electronic storage” defined as 1) temporary, intermediate storage incidental to transmission (§ 2510(17)(A)); and 2) storage of such communication by an electronic communication service for purposes of backup protection of such communication • Beginning: DOJ view that a warrant was only required for unopened, received email in user’s inbox for 180 days or less. A court order or subpoena was used for sent or read emails, or emails over 180 days old • After Theofel v. Farey-Jones (9th Cir.): Read and saved email was considered a “back up” and required a search warrant if 180 days or less old

  13. Today: Email Privacy Post-Warshak • Sixth Circuit Court of Appeals held in U.S. v. Warshak that the Fourth Amendment protects email content from disclosure to law enforcement absent a search warrant • Court found that individuals have a “reasonable expectation of privacy” in their email content • Court left open possibility that provider or employer terms could eliminate the R.E.P. • Decisions about how to implement • Restrict to district • Implement nationwide

  14. Voluntary Disclosure to the Government: Content and Non-Content • Public provider prohibited from voluntarily disclosing any subscriber records (§ 2702) • Exceptions • Consent of originator or addressee/intended recipient • To an addressee or intended recipient • To law enforcement if contents inadvertently obtained & pertain to commission of a crime • To person employed or authorized or whose facilities are used to forward such communication • As necessary to protect provider rights and property • To NCMEC in child pornography report • To government if provider in good faith believes an emergency exists threatening death or serious physical injury

  15. Voluntary Disclosure to Non-Government: Content and Non-Content • Public provider prohibited from voluntarily disclosing any contents of communications (§ 2702) • Exceptions • Consent of originator or addressee/intended recipient • To an addressee or intended recipient • To person employed or authorized or whose facilities are used to forward such communication • As necessary to protect rights and property • No prohibition on disclosing records to civil litigant (§ 2702 (c)(6)) • Subpoena is generally sufficient

  16. FERPA & ECPA: Harmonizing Obligations • FERPA allows disclosure of educational records when legal process is issued. • If not prohibited by law, notice must be given to the student or parents • When is notice forbidden? A court order prohibits notice (e.g., an order for delayed notice under Section 2705) or statute under which the legal process was issued prohibits notice (e.g. NSLs). • When in doubt? Advise law enforcement of plan to provide notice • FERPA allows disclosure of information in response to a civil subpoena with notice, but ECPA prohibits disclosure of email content to private litigants • Disclosure could be allowed if account holder consents • FERPA & ECPA both allow disclosure of records and email content when there is an emergency that puts the physical safety of a person at risk • ECPA only allows emergency disclosures to law enforcement. • Be sure to document the nature of the emergency, how the requested information will help LE and the requesting individual and agency. • Also helpful: Emergency disclosure form, Emergency disclosure policy

  17. Other Access Issues • Deceased Users and stored content • Freedom of Information Act requests • Complaints and requests to identify users without legal process • Internal, on-campus investigations • State schools and status as a “governmental entity” • National security process and non-disclosure requirements

  18. The Future of Lawful Access Issues • ECPA Litigation • ECPA Reform • CALEA Updates • Data Retention Mandates

  19. ECPA Litigation • Plaintiffs' lawyers are now suing for improper disclosure of records based on claims that the legal process used was illegitimate • Entities sued: Yahoo!, Myspace, Windstream, Comcast • Theory – recipient must insist on proper service of process to make legal process valid – i.e., no out-of-state faxes. • Prediction – not going to be successful, but may not be worth the risk

  20. ECPA Reform • Initially proposed by the Digital Due Process Coalition (DDP), which includes: CDT, Amazon, Google, Facebook, AOL, Microsoft, AT&T, SalesForce, Loopt, and others • Need for ECPA reform: • Definitions are archaic and hard to apply to Web 2.0 • Different law enforcement agencies use it and have different interpretations • Different jurisdictions have different interpretations • Volume makes it impossible to operate with anything less than bright-line rules • Litigation develops over areas of friction • Many, many issues do not seem to be answered by ECPA

  21. General Principles for ECPA Reform 1. Technology and platform neutrality 2. All content should be protected under the 4th Amendment standard – regardless of how old it is or whether it has been “opened” or not 3. Data should receive same protection whether it is in transit or in storage 4. Recognize sensitivity of data that deserves 4th Amendment protection

  22. Specific Proposals by DDP Coalition • All content should be protected under the 4th Amendment standard and probable cause should be required – regardless of how old it is or whether it has been “opened” or not • Location data, whether historical or prospective should be produced only pursuant to a Warrant • The standard for pen registers/trap and trace devices should be heightened • Information requests made pursuant to a subpoena should be particularized to an individual or group of individuals, otherwise a 2703(d) Order or greater should be required

  23. ECPA Reform Status • At least 4 hearings held in 2010 before House Judiciary Committee and at least one in the Senate. • Hill meetings and DOJ meetings have been occurring with increased frequency • DOJ has proposal for reform of NSL provisions (18 USC 2709) which may get linked to these efforts • Proposal would clear up uncertainty regarding ability of FBI to get access to electronic communication transactional records

  24. CALEA Reform • Communications Assistance to Law Enforcement Act (“CALEA”) originally passed in 1994 • Mandates that covered providers build capability to intercept communications if presented with a wiretap order • Currently covers telecommunications and broadband • FBI “Going Dark” Initiative seeks to expand coverage • Potential Model- Section 12 of UK’s RIPA

  25. Data Retention • Lamar Smith (R), House Judiciary Chairman, has had several bills in the past and is currently working on a new bill • Hearing held in January 2011 • Potential scope of data retention obligation: • 6 months to 2 years of retention • IP address assignment logs, IP log-in records, communications transactional records, upload IP information • EU Data Retention Directive implementation • Problematic and still controversial in EU, but provides potential model

  26. Other Network-related Liability Considerations • Child pornography reporting requirements applicable to ECS and RCS under 18 U.S.C. §2258A. • Content complaints and Section 230 • Security Breach notice requirements • Required security to protect sensitive personal information • E.g. Social Security Numbers

  27. Questions? • marc@zwillgen.com • elizabeth@zwillgen.com
