Monday, October 13, 2003

Understanding Legal Issues of Network Monitoring

While reading the recently published second edition of Incident Response and Computer Forensics, I noticed the legal material hadn't been updated. I visited the Electronic Privacy Information Center (EPIC) to get their take on legal restrictions on monitoring. Their USA PATRIOT Act page is extremely useful. To actually read the PATRIOT ACT, I suggest going to a .gov source like the Government Printing Office. Search for "public law 107-56" (PATRIOT was passed by the "107th Congress") and you'll find the law (text or .pdf).

From the EPIC PATRIOT report, I found these extracts applicable to network security monitoring. First, EPIC discusses watching "headers":

"Section 216 of the Act significantly expanded law enforcement authority to use trap and trace and pen register devices. Prior law relating to the use of such devices was written to apply to the telephone industry, therefore the language of the statute referred only to the collection of "numbers dialed" on a "telephone line" and the "originating number" of a telephone call. The new legislation redefined a pen register as "a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted." A trap and trace device is now "a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source or a wire or electronic communication."

By expanding the nature of the information that can be captured, the new law clearly expanded pen register capacities to the Internet, covering electronic mail, Web surfing, and all other forms of electronic communications.

...The USA PATRIOT does contain a provision requiring law enforcement to file under seal with the court a record of installations of pen register/trap and trace devices. This amendment may provide some measure of judicial oversight of the use of this enhanced surveillance authority."

You may remember stories on wiretaps from 2002. You can read the original evidence here. Next, EPIC discusses full content monitoring:

"Prior law prohibited anyone from intentionally intercepting or disclosing the contents of any intercepted communications without complying with the requirements of the wiretap statute, unless such interception and disclosure fell within one of several statutory exceptions. The USA PATRIOT Act, Section 217, creates a new exception, permitting government interception of the "communications of a computer trespasser" if the owner or operator of a "protected computer" authorizes the interception. The new exception has broad implications, given that a "protected computer" includes any "which is used in interstate or foreign commerce or communication" (which, with the Internet, includes effectively any computer). The "authorization" assistance permits wiretapping of the intruder's communications without any judicial oversight, in contrast to most federal communication-intercept laws that require objective oversight from someone outside the investigative chain.

The new law places the determination solely in the hands of law enforcement and the system owner or operator. In those likely instances in which the interception does not result in prosecution, the target of the interception will never have an opportunity to challenge the activity (through a suppression proceeding). Indeed, such targets would never even have notice of the fact that their communications were subject to warrantless interception. However, the USA PATRIOT Act does include an exception prohibiting surveillance of someone who is known by the owner of the protected computer "to have an existing contractual relationship with the owner or operator of the protected computer for access to all or part of the protected computer."

At this point you may want to know more about PATRIOT by reading applicable laws. Remember that PATRIOT amended existing laws. To see the amended laws, you need to know the title and sections affected. For example, the EPIC article links directly to Cornell's US Code archive, e.g., Pen Register and Trap and Trace Statute or Interception and disclosure of wire, oral, or electronic communications prohibited, aka "The Wiretap Act." Alternatively, visit the Office of the Law Revision Counsel of the House of Representatives and search to find 18USC3121 or 18USC2511. Notice these laws don't just apply to the government -- they affect everyone.

Another resouce is part 3 of Slate's 4 part story on PATRIOT. The Electronic Frontier Foundation offers its views too.

Remember that state laws restrict monitoring. The Reporters Committee for Freedom of the Press offers an excellent guide to taping phone calls, with state-by-state summaries and an article on surreptitious recording. Use the state guide as a pointer to specific laws in each state, since the RCFP's focus is recording voice conversations and not electronic monitoring.

To validate the RCFP results I checked out the Code of Virginia and searched for "pen register" to get my bearings. I found Title 19.2, Criminal Procedure contains Chapter 6, Interception of Wire, Electronic or Oral Communications. 19.2-62, Interception, disclosure, etc., of wire, electronic or oral communications unlawful; penalties; exceptions is very similar to the Federal statute. The section below seems to give the only cover to perform monitoring:

"It shall not be a criminal offense under this chapter for any person... (f) Who is a provider of electronic communication service to record the fact that a wire or electronic communication was initiated or completed in order to protect such provider, another provider furnishing service toward the completion of the wire or electronic communication, or a user of that service, from fraudulent, unlawful or abusive use of such service. "

Finding California's laws was a little more difficult. I visited the state's search page, and after not getting useful hits on "pen register" I tried "interception." That yielded Section 629.50-629.98, INTERCEPTION OF WIRE, ELECTRONIC DIGITAL PAGER, OR ELECTRONIC CELLULAR TELEPHONE COMMUNICATIONS of the Penal Code. Since this pertains to law enforcement actions, I used the information from the RCFP site to check Section 630-637.9, INVASION OF PRIVACY. Here I found that interception and recording is illegal, unless:

"(b) This section shall not apply (1) to any public utility engaged in the business of providing communications services and facilities, or to the officers, employees or agents thereof, where the acts otherwise prohibited herein are for the purpose of construction, maintenance, conduct or operation of the services and facilities of
the public utility..."

Let's conclude this research with a check on Texas' laws. The Texas Penal Code offers CHAPTER 16. CRIMINAL INSTRUMENTS, INTERCEPTION OF WIRE OR ORAL COMMUNICATION, AND INSTALLATION OF TRACKING DEVICE. Looking at Section 16.02 we read:

"A person commits an offense if the person:

(1) intentionally intercepts, endeavors to intercept, or procures another person to intercept or endeavor to intercept a wire, oral, or electronic communication...

c) It is an affirmative defense to prosecution under Subsection (b) that:

(1) an operator of a switchboard or an officer, employee, or agent of a communication common carrier whose facilities are used in the transmission of a wire or electronic communication intercepts a communication or discloses or uses an intercepted communication in the normal course of employment while engaged in an activity that is a necessary incident to the rendition of service or to the protection of the rights or property of the carrier of the communication, unless the interception results from the communication common carrier's use of service observing or random monitoring for purposes other than mechanical or service quality control checks..."

Again we see language that mirrors the Federal statutes. Note I have avoided citing statutes which offer consent as a defense for doing monitoring. Consent can be obtained when intruders use "bannerable" services like telnet or FTP to access a victim. If an intruder doesn't access an interactive service, there's no way to obtain the intruder's consent and thereby use consent exceptions to justify monitoring.

For more information, read Dorothy Denning's latest. The Constitution Project released a survey of state wiretap laws last month.