Working Effectively with Law Enforcement: How to Protect the Privacy of Your University Community Without Going to Jail
Michael Corn
Director, Security Services and Information Privacy
University of Illinois at Urbana-Champaign, Office of the CIO

Presentation Topics
• Working effectively with LEAs protects privacy
• You are not alone: it takes a team to respond to a subpoena
• What knowing your environment means
• Advice on handling an investigation
• References

Themes and Assumptions
• Working with law enforcement is no longer exceptional but typical
• We have a legal obligation to comply with valid documents
• Proper handling of law enforcement requests enhances the privacy accorded members of your campus community

It Takes a Team
• Develop a firm and clear understanding of responsibilities and roles
• There are three critical positions that can handle 100% of most incidents and 95% of the rest
Security Officer, Legal Counsel, Campus Police

Campus Police
• Validate credentials
• Have deep contacts in Law Enforcement
• Bring a level of comfort to agents of LEAs
• Partners in a variety of incidents:
    • Harassment
    • Laptop theft
    • Identity theft / SSN disclosures
Consider whether they are internal or external to the Institution

Campus Counsel
• Validate all legal documents
• Interpret type of request: subpoena, preservation request, search warrant, NSL, etc.
• Interpret request elements: data, dates/times, identities, etc.
Should be highly familiar with relevant campus policies, such as your Appropriate/Acceptable Use and Infosec

Security Officer
• Advises on technical capabilities / hurdles
• Advises on impact and visibility
• Advises on what is available
• Collection of evidence / information

Words of Advice to Security Officers
• Keep judicial, legislative, investigative and interpretive roles separate
• Regulation != Common Sense
• Having a law degree does not make you the University’s Counsel

Know your Environment
• Focus on those elements of your environment that are likely to be relevant to a request for information:
    • Log files
    • Email (and email traffic logs)
    • s/Flow data
    • Authn/z logs
    • Technical contacts in units
• Which units provide their own IT services?
• How long are backups stored and how much work is it to do a restore?
“If you can’t count something you don’t control it” (Mike’s dictum)

Know your Environment (cont.)
• Discuss the possibility of confidential investigations with your service managers and their supervisors (i.e., middle managers)
• Emphasize that you’re helping to insulate them from crises
• Buy your network engineers lunch. Regularly

Handling an Investigation - confidentiality
• Confidentiality
    • Understand your obligations with regard to confidentiality.
“In accordance with 18 U.S.C. section 2709(c) (1), I certify that a disclosure of the fact that the FBI has sought or obtained access to the information sought by this letter may endanger the national security of the United States...and (2) prohibits you, or any officer, employee, or agent of yours, from disclosing this letter, other than to those to whom disclosure is necessary to comply with the letter or to an attorney to obtain legal advice...”
National Security Letter (NSL) quote found via Google search.
ACLU: http://www.aclu.org/natsec/warpowers/21261prs20051107.html
FBI: http://www.fbi.gov/pressrel/pressrel07/nsl030907.htm

Confidentiality (cont.)
• Discuss with the agent(s) in charge of an investigation whom you wish to inform of the investigation and why. This includes:
    • your supervisor
    • campus/University Officers (Provost, Chancellor, etc.)
    • unit heads
    • technical staff
• Develop internal procedures that control the materials and information of legally restricted documentation. Buy a safe for storing legal documents and evidence.

Handling the Investigation – impact
• Minimizing the impact of the investigation
    • Work with the agent(s) in charge of an investigation to review what they are looking for and what will not be useful to them.
    • Work with law enforcement agents to better understand your environment and narrow the scope of information requests.

Narrowing the Scope of a Request I
Original
“Provide all records, logs, transaction records, connection records, email headers and IP numbers for the account and computers associated with Bullwinkle J. Moose and the account bullwinkle@whatsamattau.edu from Jan 1st 2007 to present.”

Narrowing the Scope of a Request II
• Bullwinkle@whatsamattau.edu redirects to bullwinkle@physics.whatsamattau.edu
• Physics.whatsamattau.edu not centrally provided (do they log sendmail at physics?)
• Bullwinkle@whatsamattau.edu also exists as bullwinkle@centralIT.whatsamattau.edu
• Email accounts accessible from any IP on campus
• Bullwinkle reads most of his mail from a multi-user machine
• Flow logs from that machine show traffic from multiple users
• Bullwinkle has logged into any number of campus services in the last 8 months

Narrowing the Scope of a Request III
• Discuss with agent:
    • Email redirection
        • And Legal if bullwinkle@physics… is covered by document
    • Flow logs don’t help with email
    • Central IT account is unused
    • Campus authentication records
    • Capturing multi-user machine will endanger confidentiality of investigation
    • Multi-month restore will endanger confidentiality of investigation
    • Need to work with departmental IT staff
    • May require working with unit head or IT staff supervisors

None of this will matter if the LE agent doesn’t trust and have confidence in you.

Narrowing the Scope of a Request IV
New Preservation Request
“Please retain all existing email and backups of the email account associated with the email address bullwinkle@physics.whatsamattau.edu from the period Jan 1st 2007 to present.”
New Data Request
“Please provide all email headers from existing email from the account associated with the email address bullwinkle@physics.whatsamattau.edu from the period Jan 1st 2007 to present.”

Summary
• Create a policy to address the handling of all legal documents.
• Form a team consisting of the security officer, legal counsel, and campus police.
• Put campus legal counsel on your telephone speed-dial.
• Meet with provost and/or chancellor to discuss law enforcement requests and investigations.
• Review and document the salient features of your environment, including your institutional policies on data release and retention.
• Understand your obligations with regard to confidentiality.
• Discuss with the agent(s) in charge of an investigation whom you wish to inform of the investigation and why.
• Work with the agent(s) in charge of an investigation to review what they are looking for and what will not be useful to them.
• Work with law enforcement agents to better understand your environment and narrow the scope of information requests.
• Develop internal procedures that control the materials and information of legally restricted information. Buy a safe for storing legal materials.

References & Contact
• Guidelines for Working with Law Enforcement Agencies. Michael Corn. Educause Quarterly, Vol. 30 No. 3. http://www.educause.edu/apps/eq/eqm07/eqm0738.asp
• Educause Policy and Law Constituent Group. http://www.educause.edu/groups/icpl/
• Contact: Michael Corn, mcorn@uiuc.edu