EFF: EFF bootcamp KO BestPracLEA

Best Practices for OSPs: Law Enforcement Information Requests
Kurt Opsahl, Senior Staff Attorney
Kevin Bankston, Staff Attorney
EFF 2007 Bootcamp 2.0
October 10, 2007, Fenwick & West Conference Center

What kind of best practices?

• Intermediaries that enable online speech can also become chokepoints to cut off that speech
• Best practices for responding to
  – Law enforcement information requests
  – Civil subpoenas

Overview: Responding to Legal Information Requests

• How is your ISP classified under the law?
• What information does your ISP have and what may be sought?
• What legal process must be provided?
• What procedures should your ISP employ in responding to

Best Practices

Best practices:
  – Require proper legal process
  – Minimize logging
  – Develop policy for user notice
  – Establish record retention policy
  – Internal training

What type is your ISP under ECPA?

• The Electronic Communications Privacy Act defined two types of ISPs:
  – Electronic Communications Service to the extent you permit users to communicate with each other
  – Remote Computing Service to the extent you permit users to store communications or other information

What Information Do You Have?

• Some things are obvious like Log Files, but not what they contain
• May also store Email, User ID, Connection Info, Search Queries, URLs, Cookies, Unique Identifiers and IP Addresses
• Other things?

Do You Need the Logs?

• If you don’t have it, you can’t be forced to produce it
• Can reduce compliance costs by minimizing information retained
• Keep minimum logs for needs, and regularly delete unneeded information

Background: ECPA, SCA, Title III and FISA

• Electronic Communications Privacy Act
• Stored Communications Act
• Title III is the Wiretap Act
• Foreign Intelligence Surveillance Act

Background: ECPA

• Electronic Communications Privacy Act amended the Wiretap Act to cover electronic communications (i.e. email)
  – SCA is part of ECPA

Background: SCA

• The Stored Communications Act regulates when an electronic communication service provider may disclose the contents of or other information about a customer’s emails and other electronic communications to third parties.
  – Contents of communications may not be disclosed to civil litigants even when presented with a civil subpoena.

Background: Title III

• Title III makes it unlawful to listen to or observe the contents of a private communication without the permission of at least one party to the communication and regulates real-time electronic surveillance in federal criminal investigations.

Background: FISA

• The Foreign Intelligence Surveillance Act authorizes federal agents to conduct electronic surveillance, as part of a foreign intelligence or counterintelligence investigation, without obtaining a traditional, probable-cause search warrant

Records of Videos Watched

• The most highly protected piece of personal information under the law:
  – “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider”
• Not limited to “tapes”, includes a/v material
• Must be destroyed “as soon as practicable, but no later than one year from the date the information is no longer necessary”
• Contact your legal counsel before

Legal Standards

• Basic Subscriber Information: Subpoena or better (Gov’t may not use civil subpoena)
• Other Information: 2703(d) order or better
• Dialed digits: Pen Register or better
• Real Time Content: Title III order
• Stored Content < 180 days: search warrant
• Stored Content > 180 days:

National Security Letters

• FBI may compel the production of "subscriber information and toll billing records information, or electronic communication transactional records" through National Security Letters.
  – Generally NSLs must be kept secret

A visit by Suits with Shades

• If you get a personal visit from Law Enforcement, call your company’s lawyer.
  – Often, just an informal request for assistance
  – Safest course is to get legal counsel early

Provide Notice to Users

• Best practice is to provide notice where possible - let user move to quash
• LEAs need an order to prevent notice on subpoenas
• Notice may be delayed under ECPA

Reimbursement

• Yes for subpoenas
• Yes for technical assistance (not required to redesign, just help)
• Yes for special requirements, backup preservation, etc.
• Yes for all civil requests

Provider Exception

• Provider exception grants service providers the right "to intercept and monitor [communications] placed over their facilities in order to combat fraud and theft of service."

Accessible to Public

• Privacy laws have an exception for electronic communication made through a system "that is configured so that . . . [the] communication is readily accessible to the general public."
  – If information sought by LEA is publicly available, you can tell them to get it themselves
  – In some cases authentication may be

Penalties and Safe Harbors

• May face lawsuits for improper disclosure
• You are protected from civil actions if you rely in “good faith” upon appropriate legal process
• Do not disclose information without being sure you have the right process

Help Us Help You

• Let us know when you receive questionable over-reaching requests

415.436.9333

[email protected], [email protected]

http://www.eff.org

http://ilt.eff.org