THE PATRIOT ACT & ECPA – Week 5


Transcript of THE PATRIOT ACT & ECPA – Week 5

  • THE PATRIOT ACT & ECPA – Week 5

    Lewis University – Legal Issues in Information Security

    Gary A Bannister FCMA, AICPA, CGEIT

  • Learning Objectives

    Understanding of the Patriot Act and the issues of privacy

    How it relates to IT

    An understanding of the ECPA, the Electronic Communications Privacy Act

    An understanding of FATA, the Financial Anti-Terrorism Act

    An understanding of CALEA, the Communications Assistance for Law Enforcement Act

  • Key Statutes

    CFAA (Computer Fraud & Abuse Act) 1986

    Electronic Communications Privacy Act (ECPA) 1986 (Updated the Federal Wiretap Act)

    Communications Assistance for Law Enforcement Act (CALEA) -1994 (Amended ECPA)

    PATRIOT ACT 2001

  • PATRIOT ACT

    Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)

  • PATRIOT ACT and Privacy

    President Bush signed it into law on October 26, 2001.

    Passed into law just 45 days after the events of September 11, with virtually no debate.

    There are serious concerns that the PATRIOT Act threatens fundamental freedoms by giving the government the power to access medical records, tax records, and information about the books bought or borrowed without probable cause, and the power to break into private homes and conduct secret searches without telling residents for weeks, months, or indefinitely.

  • PATRIOT ACT

    Comprised of 10 Titles

    Contains more than 150 sections and amends over 15 federal statutes, including laws governing criminal procedure, computer fraud, foreign intelligence, wiretapping, and immigration.

  • Key Sections

    The PATRIOT Act amended a number of existing federal laws; 15 statutes were changed in some way.

    Enhancing domestic security against terrorism

    Enhanced surveillance procedures

    Detention of aliens engaged in terrorist activities

    Criminal law and procedure

    Provisions directed at halting financial support of terrorism

    Emergency authorizations

  • The USA PATRIOT Act

    Increased the scope and penalties of the Computer Fraud and Abuse Act by:

    raising the maximum penalty for violations to 10 years (from 5) for a first offense and 20 years (from 10) for a second offense

    ensuring that violators need only intend to cause damage generally, not intend to cause damage or other specified harm over the $5,000 statutory damage threshold

    allowing aggregation of damages to different computers over a year to reach the $5,000 threshold

  • The USA PATRIOT Act

    Increased the scope and penalties of the Computer Fraud and Abuse Act by:

    enhancing punishment for violations involving any (not just $5,000) damage to a government computer involved in criminal justice or the military

    including damage to foreign computers involved in US interstate commerce

    including state law offenses as priors for sentencing

    expanding the definition of loss to expressly include time spent investigating and responding, for damage assessment and for restoration

  • PATRIOT ACT – Constitutional Concerns

    Civil liberties violations:

    First Amendment intellectual freedom and privacy rights

    Fourth Amendment rights to be free of unreasonable searches and seizures

    Fifth Amendment protections of due process

    Sixth Amendment rights to a public trial by an impartial jury

    Fourteenth Amendment equal protection guarantees, and the constitutional assurance of the writ of habeas corpus

  • PATRIOT ACT and Privacy

    Particularly troubling to free speech and privacy advocates are four provisions:

    Section 206, which permits the use of "roving wiretaps" and secret court orders to monitor electronic communications to investigate terrorists

    Sections 214 and 216, which extend telephone monitoring authority to include routing and addressing information for Internet traffic relevant to any criminal investigation

  • PATRIOT ACT and Privacy – Section 215

    Section 215 grants unprecedented authority to the Federal Bureau of Investigation (FBI) and other law enforcement agencies to obtain search warrants for business, medical, educational, library, and bookstore records.

    Section 215 includes a "gag order" provision prohibiting any person or institution served with a search warrant from disclosing what has taken place.

    In conjunction with the passage of the USA PATRIOT Act, the U.S. Justice Department issued revised FBI guidelines in May 2002 that greatly increase the bureau's surveillance and data collection authority to access such information as an individual's Web surfing habits and search terms.

  • PATRIOT ACT and Privacy – Section 215

    Under the new reporting rule, the Treasury Department's Financial Crimes Enforcement Network (FinCEN) can require a financial institution to search its records for a specific person or organization under investigation for terrorist or money laundering activities.

    The financial institution must ascertain whether the individual or group currently maintains or has maintained an account at the institution during the past twelve months, or whether the person or group has conducted any transactions with the institution during the past six months. Under the rule, if a match occurs, the financial institution must provide FinCEN with:

    the individual's or group's name

    the individual's or group's account numbers

    the identifying information given by the account holder when the account was opened or when the transaction occurred

    the date and type of any transaction

  • PATRIOT ACT and Privacy – Section 215

    Section 215 allows the FBI to order any person or entity to turn over "any tangible things," so long as the FBI specifies that the order is "for an authorized investigation . . . to protect against international terrorism or clandestine intelligence activities."

    Section 215 vastly expands the FBI's power to spy on ordinary people living in the United States, including United States citizens and permanent residents.

  • PATRIOT ACT and Privacy – Section 215

    Those served with Section 215 orders are prohibited from disclosing the fact to anyone else. Those who are the subjects of the surveillance are never notified that their privacy has been compromised.

    If the government had been keeping track of what books a person had been reading, or what web sites she had been visiting, the person would never know.

  • PATRIOT ACT and Privacy – Section 215

    Normally, the government cannot effect a search without obtaining a warrant and showing probable cause to believe that the person has committed or will commit a crime.

    Privacy advocates say Section 215 violates the Fourth Amendment by allowing the government to effect Fourth Amendment searches without a warrant and without showing probable cause.

    Privacy advocates say the provision violates the Fourth and Fifth Amendments by failing to require that those who are the subject of Section 215 orders be told that their privacy has been compromised.

  • Electronic Communications Privacy Act (ECPA)

    The ECPA was passed in the 1960s to give privacy protection to electronic transmissions. It prohibits owners and operators of Internet services from revealing information gathered in the course of business to third parties, and makes it illegal for third parties to intercept transmissions or access stored data.

    Law enforcement agencies could not access the data either, except under certain conditions. Some sections of the PATRIOT Act affect the ECPA by broadening the authority of law enforcement officials substantially.

  • Electronic Communications Privacy Act (ECPA)

    Under Section 210, the scope of subpoenas is expanded to cover electronic communications.

    Law enforcement officials can now obtain from ISPs information such as means and sources of payment, telephone records of sessions and their duration, and temporarily assigned network addresses.

    Section 212 permits service providers to disclose the content of stored e-mail messages and other customer information to a governmental entity, if the provider "reasonably believes that an emergency involving the immediate danger of death or serious physical injury" justifies disclosure of the information.

  • Schools must cope with the Patriot Act

    As recipients of federal funds, universities must comply with a federal law commonly referred to as either FERPA (the Family Educational Rights and Privacy Act) or the Buckley Amendment.

    FERPA makes most records maintained about students confidential and requires the students' permission before disclosing an "educational record" or any information it contains.

    When a school is served with a subpoena or other legal process requiring the production of a student's educational record, FERPA requires that the student be notified so that he or she may seek judicial protection.

  • Schools must cope with the Patriot Act

    Section 507 was amended to allow educational institutions to disclose educational records without court order or student consent when relevant to a terrorism investigation.

    The institution is not liable for disclosures made in good faith and need not retain a record of the transaction.

  • IT departments must cope with the Patriot Act

    The USA PATRIOT Act eases the requirements for the government to obtain access to electronic communications or records.

    Law enforcement officials do not need wiretap authorization to gain access to voice mails; a search warrant is sufficient.

    Law enforcement officials are authorized to install devices to intercept and track Internet activity.

    The statute increases penalties for certain computer hacking crimes.

  • IT departments must cope with the Patriot Act

    The USA Patriot Act remains not just a political but also a technological issue.

    Unprepared businesses, schools, and other organizations can find themselves facing network problems, service disruptions, and in the worst case FBI agents armed with subpoenas who haul off PCs, servers, and computer log data.

  • IT departments must cope with the Patriot Act

    Investigations under the act often require a complete information blackout.

    IT groups are forbidden to tell the subjects they're being investigated, or even acknowledge that an investigation is under way.

    Law enforcement agencies may direct IT groups to take certain actions or to refrain from taking actions, either of which can lead to network problems. They may be ordered to leave compromised or damaged computers and networks untouched while the investigation is under way. "This can disrupt work patterns. A given subnet could be taken offline or required to stay online and you can't explain why to the affected users."

    Investigators could require some network or computer log data to be preserved up to 180 days. But what if parts or all of that data is, by IT policy, automatically deleted every 10 days?

  • The Financial Anti-Terrorism Act (FATA)

    A major component of the PATRIOT legislation was the International Money Laundering Abatement and Financial Anti-Terrorism Act of 2001, a collection of powerful new anti-money laundering measures designed to help stem the flow of money to terrorists and other criminals.

  • FATA Provisions that Impact Financial Privacy

    Authorizes the Treasury Department to create new record-keeping and reporting requirements.

    Requires closer scrutiny of private banking accounts opened for anyone who is not a U.S. citizen or a legal permanent U.S. resident.

    Requires financial institutions to verify the identity of customers opening accounts and maintain records.

    Requires investment firms and futures and commodities traders to file Suspicious Activity Reports (SARs).

    Creates new currency reporting requirements for transactions over $10,000.

    Requires a consumer reporting agency (CRA) to provide consumer credit reports to a government agency for terrorism investigations.

  • Communications Assistance for Law Enforcement (CALEA)

    In October 1994, Congress took action to protect public safety and ensure national security by enacting the Communications Assistance for Law Enforcement Act.

    The law further defines the existing statutory obligation of telecommunications carriers to assist law enforcement in executing electronic surveillance pursuant to court order or other lawful authorization.

    The objective of CALEA implementation is to preserve law enforcement's ability to conduct lawfully-authorized electronic surveillance while preserving public safety, the public's right to privacy, and the telecommunications industry's competitiveness.

    Who must be CALEA-compliant? All telecommunications carriers as defined by Section 102(8) of CALEA. Basically, this includes all entities engaged in the transmission or switching of wire or electronic communications as a common carrier for hire.

  • What is CALEA?

    CALEA is the Communications Assistance for Law Enforcement Act. It was originally enacted in 1994. It requires providers of commercial voice services to engineer their networks in such a way as to assist law enforcement agencies in executing wiretap orders.

    Until August 5, 2005, that is.

  • CALEA: New Report and Order

    On August 5, 2005, in response to a request by law enforcement, the FCC voted to extend CALEA to include facilities-based Internet service providers.

    Facilities-based Internet service providers are defined as: "entities that provide transmission or switching over their own facilities between the end user and the Internet Service Provider."

  • Arguments for/against extending CALEA to ISPs

    Law Enforcement:

    The Internet is increasingly the communication of choice for criminal activity

    Legal intercepts need to be easier and less expensive for LE

    An exempt system is a magnet for criminal activity

    Education and Libraries:

    Congress should decide, not the FCC or DoJ

    LE has sufficient access now

    Cost to comply can't be justified

    Will slow innovation

  • Questions?

    The Act has extraordinary breadth and affects more than fifteen existing statutory schemes. Much of the legislation is directed at expanding the resources available to law enforcement officials to investigate and prevent terrorism and has no direct effect on institutions of higher education.

    Particularly troubling to free speech and privacy advocates are four provisions:

    Section 206, which permits the use of "roving wiretaps" and secret court orders to monitor electronic communications to investigate terrorists

    Sections 214 and 216, which extend telephone monitoring authority to include routing and addressing information for Internet traffic relevant to any criminal investigation

    Section 215, which grants unprecedented authority to the Federal Bureau of Investigation (FBI) and other law enforcement agencies to obtain search warrants for business, medical, educational, library, and bookstore records merely by claiming that the desired records may be related to an ongoing terrorism investigation or intelligence activities, a very relaxed legal standard which does not require any actual proof or even reasonable suspicion of terrorist activity. Equally troubling, section 215 includes a "gag order" provision prohibiting any person or institution served with a search warrant from disclosing what has taken place. In conjunction with the passage of the USA PATRIOT Act, the U.S. Justice Department issued revised FBI guidelines in May 2002 that greatly increase the bureau's surveillance and data collection authority to access such information as an individual's Web surfing habits and search terms.

    The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

    FERPA already contained an emergency provision allowing for such disclosure if "necessary to protect the health and safety of the student or other persons."

    While the Patriot Act is new, it doesn't actually introduce new legal instruments or actions. "Every component of the Patriot Act was present in previous law," he said. "But just not often used. Now, it's more likely that a Patriot Act incident will start or end or, especially, go through your campus." Siegel said the act does, however, lower the bar on judicial oversight on searches and seizures. But oversight is still required: seizing records or doing electronic surveillance requires a subpoena issued by a judge.

    Schools, for example, may find themselves drawn into a Patriot Act investigation even if those being investigated are not actually students or employees of the school. The school's network and computers may be hijacked by someone halfway around the world to attack a third location.

    Investigations under the act often require a complete information blackout. IT groups are forbidden to tell the subjects they're being investigated, or even acknowledge that an investigation is under way. One result is that you can't call network colleagues at another school and ask them how they handled a similar event. Law enforcement agencies may direct IT groups to take certain actions or to not take actions, either leading to network problems. They may be ordered to leave compromised or damaged computers and networks untouched while the investigation is under way. "This can disrupt work patterns," Siegel warned. "A given subnet could be taken offline or required to stay online and you can't explain why to the [affected] users." Investigators could require some network or computer log data to be preserved up to 180 days. But what if parts or all of that data is, by IT policy, automatically deleted every 10 days, Siegel asked.

    FATA adds new record-keeping and reporting requirements, including requiring additional types of companies to report certain transactions and increasing the penalties for money laundering crimes.

    After the devastating terrorist attacks of September 11, 2001 on the United States, Congress enacted legislation aimed at providing the law enforcement and intelligence communities with additional tools to investigate and fight the newly perceived terrorist threats. FATA imposes new record-keeping and government reporting requirements on banks, certain other financial institutions, and non-financial businesses for specified financial transactions and customer financial records. It was added to the Bank Secrecy Act as an attempt to help combat terrorism and money laundering. (International Money Laundering Abatement and Financial Anti-Terrorism Act of 2001, Title III of the USA PATRIOT Act of 2001, Pub. L. 107-56, Title III (October 26, 2001).)

    Requires close scrutiny of "correspondent accounts" opened for anyone who is not a U.S. citizen or a legal permanent U.S. resident.

    Grants authority to federal banking agencies to require a financial institution to provide requested information related to money laundering investigations, including customer account information, within five days of the agency's request.

    Requires financial institutions to verify the identity of customers opening accounts, to maintain records that include the customer's name, address and other identifying information, and to consult lists of known or suspected terrorists or terrorist organizations. Federal agencies recently proposed regulations to implement these requirements.

    Requires investment firms and futures and commodities traders to file Suspicious Activity Reports (SARs).

    Creates new currency reporting requirements for transactions over $10,000 involving currency or coins (applicable to all businesses, not just financial institutions) and makes it a crime to structure any transaction to avoid the reporting requirements.

    Requires a consumer reporting agency (CRA) to provide consumer credit reports (see consumer report) to a government agency for terrorism investigations. Regarding disclosures to the government by a CRA, the government agency requesting the credit reports must provide the CRA with a certificate signed by the head of the federal agency, stating that the requested information is necessary for a terrorism investigation. The CRA cannot inform the person under investigation. This provision shields a CRA from any liability when it relies in good faith on the government certification.

    Prohibits foreign shell accounts, or accounts at banks that do not have a physical presence.

    FATA's Provisions that Impact Financial Privacy

    FATA authorizes the Treasury Department and the federal banking agencies to establish new regulations to implement its provisions. The Financial Anti-Terrorism Act:

    Authorizes the Treasury Department to create new record-keeping and reporting requirements related to foreign transactions, jurisdictions, institutions, or accounts determined to be linked to money laundering; records must include the identities and addresses of the parties involved in the transaction and the identity of the owner of the funds involved.

    Requires closer scrutiny of private banking accounts opened for anyone who is not a U.S. citizen or a legal permanent U.S. resident. A private banking account is defined as an account with at least $1 million in deposits that are managed by a bank or financial institution on behalf of the account holder. At a minimum, a financial institution must know the identity of the account holder and the source of funds and must report any suspicious activity related to the account.

    Requires close scrutiny of "correspondent accounts" opened for anyone who is not a U.S. citizen or a legal permanent U.S. resident. These accounts are defined as those set up to receive deposits from or make payments to foreign financial institutions.

    Prohibits foreign shell accounts, or accounts at banks that do not have a physical presence.

    Civil and criminal penalties for violations of the above provisions can be as high as twice the amount of the transaction involved, up to a maximum of $1 million.

    Legally authorized wiretaps have been available as a tool for LE since the 1960s. Internet communications can be wiretapped legally, and are tapped today. CALEA has nothing to do with whether or not LE can wiretap. It makes it mandatory for communications providers to design their systems so that they can be easily wiretapped.

    Other arguments:

    1. FCC has gone beyond its purview in extending CALEA to the Internet when Congress specifically exempted it in 1994.

    2. Creates a backdoor that is susceptible to hacking and a danger to privacy.