
A Gentle Introduction to the Electronic Communications Privacy Act

Paul Ohm, Associate Professor, CU Law; Initiative Director, Silicon Flatirons. December 4, 2009. Roadmap: Background and History; Wiretap Act and Pen Register and Trap and Trace Act; Stored Communications Act.


Presentation Transcript


  1. A Gentle Introduction to the Electronic Communications Privacy Act
     • Paul Ohm
     • Associate Professor, CU Law
     • Initiative Director, Silicon Flatirons
     • December 4, 2009

  2. Roadmap
     • Background and History
     • Wiretap Act and Pen Register and Trap and Trace Act
     • Stored Communications Act

  3. Roadmap
     • Background and History
     • Wiretap Act and Pen Register and Trap and Trace Act
     • Stored Communications Act

  4. History
     • 1928: Olmstead v. United States
     • 1934: Communications Act
     • 1967: Katz v. United States
     • 1968: Omnibus Crime Control and Safe Streets Act: Title III (Wiretap Act)
     • 1986: Electronic Communications Privacy Act
     • 2001: USA PATRIOT Act

  5. ECPA Regulates Privacy
     • Privacy on telephone and data networks
     • Rules for government access
     • Rules for sharing by providers
     • Criminalizes certain privacy invasions

  6. Roadmap
     • Background and History
     • Wiretap Act and Pen Register and Trap and Trace Act
     • Stored Communications Act

  7. Real-Time Monitoring
     • The Wiretap Act governs monitoring in real-time
       • Traditional telephone wiretaps
       • Internet packet sniffers

  8. Prohibition
     • The Wiretap Act prohibits the interception of wire or electronic communications
     • Five-year felony
     • Unless an exception applies

  9. Exceptions
     • Dozens
     • Several used commonly in criminal investigations
       • Court order
       • Consent of a party to the communication
       • Provider self defense

  10. Court Order
      • Wiretap order permits interception
      • Many hurdles
      • “Super warrant”
      • Probable cause
      • Limited time
      • Minimization
      • Necessity

  11. Consent
      • Interception allowed if a “party to the communication has given prior consent to such interception”
      • Possible sources:
        • Banner
        • Terms of service
        • Employment agreements

  12. Provider Self Defense
      • Provider can monitor to “protect the rights or property of the provider”
      • Provider can share results of past monitoring with law enforcement

  13. Transactional Surveillance
      • The Pen Register and Trap and Trace Act governs real-time collection of non-content information about a user such as:
        • Addresses on inbound/outbound email
        • Internet addresses for websites visited by a user
        • List of addresses from which visitors to website originate
      • Does not include content
      • Almost no hurdle for government whatsoever

  14. Roadmap
      • Background and History
      • Wiretap Act and Pen Register and Trap and Trace Act
      • Stored Communications Act

  15. Stored Communications Act
      • The Stored Communications Act governs stored information held by certain communications providers

  16. Dichotomies
      • Type of Provider
        • To the public versus only non-public
        • Providing communications versus storage/processing services
        • Providing those services versus other services
      • For Content
        • Fresh versus stale
        • Unopened email versus opened email
      • For Non-content
        • Detailed transactional records versus basic subscriber information

  17. Which Providers?
      • “Electronic Communications Services”
        • Email
        • Phone
        • IM
        • Text messages
      • “Remote Computing Services”
        • Computer storage
          • Online backup services, photo hosting
        • Processing services
          • Amazon’s EC2

  18. Unregulated?
      • Google search
      • Google books
      • CNN.com
      • Amazon / eBay

  19. The SCA Chart

  20. Compelling Basic Subscriber Information
      • Basic Subscriber Information can be obtained with a mere subpoena
      • Means
        • Name & address
        • Local and LD telephone toll billing records
        • Telephone number or other account identifier (such as username or “screen name”)
        • Length & type of service provided
        • Session times and duration
        • Temporarily assigned network address
        • Means and source of payment

  21. Compelling Other Non-Content Information
      • Everything that is not basic subscriber information but is also not content
      • Means
        • Audit trails / logfiles
        • Identities of e-mail correspondents
      • Can be obtained with a court order
        • 2703(d) order
        • “specific and articulable facts showing that there are reasonable grounds to believe that [the requested records] are relevant and material to an ongoing criminal investigation”

  22. Compelling Content
      • Rules are somewhat in flux due to Theofel v. Farey-Jones, 341 F.3d 978 (9th Cir. 2003)
      • Some contents require a search warrant
        • Pre-Theofel: Unopened email
        • Theofel: All email

  23. Compelling Content 2
      • Some contents obtainable with mere subpoena
        • Pre-Theofel: Opened email
        • Theofel: Almost no email
        • Also: Non-email stored files, stale email
      • Subpoena must include notice to subscriber
        • May be delayed 90 days

  24. Voluntary Disclosure: Default Rules
      • Providers not to the public may disclose anything to anyone.
      • Unregulated by SCA
      • Providers to the public must look to statutory exceptions

  25. Voluntary Disclosure: Exceptions for Public Providers
      • Public providers may voluntarily share non-content with any non-governmental party for any reason

  26. Voluntary Disclosure: Exceptions for Public Providers 2
      • Public providers may voluntarily share non-content and content with government only when:
        • Consent to do so exists (terms of service)
        • To protect rights and property
        • If provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure

  27. Previewing the Conference
      • Three panels
      • Two on ECPA reform
