logging in or signing up kurt-bootcamp-presentation sarmateja Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINT lite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 12 Category: Science & Tech.. License: All Rights Reserved Like it (0) Dislike it (0) Added: March 17, 2011 This Presentation is Public Favorites: 0 Presentation Description No description available. Comments Posting comment... Premium member Presentation Transcript Best Practices for OSPs: Law Enforcement Information Requests : Best Practices for OSPs: Law Enforcement Information Requests Kurt Opsahl, Senior Staff Attorney Kevin Bankston, Staff AttorneyWhat kind of best practices?: What kind of best practices? Intermediaries that enable online speech can also become chokepoints to cut off that speech Best practices for responding to Law enforcement information requests Civil subpoenas in a manner that protects ISPs and usersOverview: Responding to Legal Information Requests: Overview: Responding to Legal Information Requests How is your ISP classified under the law? What information does your ISP have and what may be sought? What legal process must be provided? What procedures should your ISP employ in responding to requests?Best Practices: Best Practices Best practices: Require proper legal process minimize logging develop policy for user notice establish record retention policy internal trainingWhat type is your ISP under ECPA?: What type is your ISP under ECPA? The Electronic Communications Privacy Act defined two types of ISPs: Electronic Communications Service to the extent you permit users to communicate with each other Remote Computing Service to the extent you permit users to store communications or other informationWhat Information Do You Have?: What Information Do You Have? Some things are obvious like Log Files, but not what they contain May also store Email, User ID, Connection Info, Search Queries, URLs, Cookies, Unique Identifiers and IP Addresses Other things?Do You Need the Logs?: Do You Need the Logs? If you don’t have it, you can’t be forced to produce it Can reduce compliance costs by minimizing information retained Keep minimum logs for needs, and regularly delete unneeded informationBackground: ECPA, SCA, Title III and FISA: Background: ECPA, SCA, Title III and FISA Electronic Communications Privacy Act Stored Communications Act Title III is the Wiretap Act Foreign Intelligence Surveillance ActBackground: ECPA: Background: ECPA Electronic Communications Privacy Act amended the Wiretap Act to cover electronic communications (i.e. email) SCA is part of ECPABackground: SCA: Background: SCA The Stored Communications Act, regulates when an electronic communication service provider may disclose the contents of or other information about a customer’s emails and other electronic communications to third parties. Contents of communications may not be disclosed to civil litigants even when presented with a civil subpoena.Background: Title III: Background: Title III Title III makes it unlawful to listen to or observe the contents of a private communication without the permission of at least one party to the communication and regulates real-time electronic surveillance in federal criminal investigations. Many states require all party consentBackground: FISA: Background: FISA The Foreign Intelligence Surveillance Act authorizes federal agents to conduct electronic surveillance, as part of a foreign intelligence or counterintelligence investigation, without obtaining a traditional, probable-cause search warrant Classification of Information: Classification of Information Basic Subscriber Information (name, address, equipment identifier such as temporary IP address, and means and source of payment) Other Information (clickstream, location) Wiretap, Pen Register or Trap and Trace Content - Real Time and StoredRecords of Videos Watched: Records of Videos Watched The most highly protected piece of personal information under the law: “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider” Not limited to “tapes”, includes a/v material Must be destroyed “as soon as practicable, but no later than one year from the date the information is no longer necessary” Contact your legal counsel before disclosure pursuant to legal processLocation Information: Location Information Majority of courts require probable cause warrants for disclosure of real-time or prospective location information DOJ asserts a lower standard Contact your legal counsel before disclosureLegal Standards: Legal Standards Basic Subscriber Information: Subpoena or better (Gov’t may not use civil subpoena) Other Information: 2703(d) order or better Dialed digits: Pen Register or better Real Time Content: Title III order Stored Content < 180 days: search warrant Stored Content > 180 days: subpoena or better Video records: Warrant or court orderException: Emergency Cases: Exception: Emergency Cases Customer Information/Content Standard: ISP reasonably believes that an emergency involving immediate death or serious physical injury to any person requires disclosure of contents or justifies disclosure of records Get the justification in writingNational Security Letters: National Security Letters FBI may compel the production of "subscriber information and toll billing records information, or electronic communication transactional records" through National Security Letters. Generally NSLs must be kept secret May contact legal counsel.FISA Orders: FISA Orders Pursuant to FISA, the gov’t may provide FISA court order or other process under the FISA Amendments Act Contact legal counsel EFF would love to challenge the FAAA visit by Suits with Shades: A visit by Suits with Shades If you get a personal visit from Law Enforcement, call your company’s lawyer. Often, just an informal request for assistance Safest course is to get legal counsel earlyProvide Notice to Users: Provide Notice to Users Best practice is to provide notice where possible - let user move to quash LEAs need an order to prevent notice on subpoenas Notice may be delayed under ECPABackup Preservation: Backup Preservation Any LEA can request by any means Notify LEA, but do not deliver info LEA notifies user - starts 14 day clock for user objection Absent objection, must provide data upon receipt of proper processReimbursement: Reimbursement Yes for subpoenas Yes for technical assistance (not required to redesign, just help) Yes for special requirements, backup preservation, etc Yes for all civil requestsProvider Exception: Provider Exception Provider exception grants service providers the right "to intercept and monitor [communications] placed over their facilities in order to combat fraud and theft of service."Accessible to Public: Accessible to Public Privacy laws have an exception for electronic communication made through a system "that is configured so that . . . [the] communication is readily accessible to the general public.” If information sought by LEA is publicly available, you can tell them to get it themselves In some cases authentication may be requiredPenalties and Safe Harbors: Penalties and Safe Harbors May face lawsuits for improper disclosure You are protected from civil actions if you rely in “good faith” upon appropriate legal process Do not disclose information without being sure you have the right processParting Thoughts: Parting Thoughts Always get it in writing to preserve immunities Your ISP is not the agent of an LEA State and Local rules may be more strict If in doubt, ask the lawyersHelp Us Help You: Help Us Help You Let us know when you receive questionable over-reaching requests 415.436.9333 information@eff.org http://www.eff.org http://ilt.eff.org You do not have the permission to view this presentation. In order to view it, please contact the author of the presentation.
kurt-bootcamp-presentation sarmateja Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINT lite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 12 Category: Science & Tech.. License: All Rights Reserved Like it (0) Dislike it (0) Added: March 17, 2011 This Presentation is Public Favorites: 0 Presentation Description No description available. Comments Posting comment... Premium member Presentation Transcript Best Practices for OSPs: Law Enforcement Information Requests : Best Practices for OSPs: Law Enforcement Information Requests Kurt Opsahl, Senior Staff Attorney Kevin Bankston, Staff AttorneyWhat kind of best practices?: What kind of best practices? Intermediaries that enable online speech can also become chokepoints to cut off that speech Best practices for responding to Law enforcement information requests Civil subpoenas in a manner that protects ISPs and usersOverview: Responding to Legal Information Requests: Overview: Responding to Legal Information Requests How is your ISP classified under the law? What information does your ISP have and what may be sought? What legal process must be provided? What procedures should your ISP employ in responding to requests?Best Practices: Best Practices Best practices: Require proper legal process minimize logging develop policy for user notice establish record retention policy internal trainingWhat type is your ISP under ECPA?: What type is your ISP under ECPA? The Electronic Communications Privacy Act defined two types of ISPs: Electronic Communications Service to the extent you permit users to communicate with each other Remote Computing Service to the extent you permit users to store communications or other informationWhat Information Do You Have?: What Information Do You Have? Some things are obvious like Log Files, but not what they contain May also store Email, User ID, Connection Info, Search Queries, URLs, Cookies, Unique Identifiers and IP Addresses Other things?Do You Need the Logs?: Do You Need the Logs? If you don’t have it, you can’t be forced to produce it Can reduce compliance costs by minimizing information retained Keep minimum logs for needs, and regularly delete unneeded informationBackground: ECPA, SCA, Title III and FISA: Background: ECPA, SCA, Title III and FISA Electronic Communications Privacy Act Stored Communications Act Title III is the Wiretap Act Foreign Intelligence Surveillance ActBackground: ECPA: Background: ECPA Electronic Communications Privacy Act amended the Wiretap Act to cover electronic communications (i.e. email) SCA is part of ECPABackground: SCA: Background: SCA The Stored Communications Act, regulates when an electronic communication service provider may disclose the contents of or other information about a customer’s emails and other electronic communications to third parties. Contents of communications may not be disclosed to civil litigants even when presented with a civil subpoena.Background: Title III: Background: Title III Title III makes it unlawful to listen to or observe the contents of a private communication without the permission of at least one party to the communication and regulates real-time electronic surveillance in federal criminal investigations. Many states require all party consentBackground: FISA: Background: FISA The Foreign Intelligence Surveillance Act authorizes federal agents to conduct electronic surveillance, as part of a foreign intelligence or counterintelligence investigation, without obtaining a traditional, probable-cause search warrant Classification of Information: Classification of Information Basic Subscriber Information (name, address, equipment identifier such as temporary IP address, and means and source of payment) Other Information (clickstream, location) Wiretap, Pen Register or Trap and Trace Content - Real Time and StoredRecords of Videos Watched: Records of Videos Watched The most highly protected piece of personal information under the law: “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider” Not limited to “tapes”, includes a/v material Must be destroyed “as soon as practicable, but no later than one year from the date the information is no longer necessary” Contact your legal counsel before disclosure pursuant to legal processLocation Information: Location Information Majority of courts require probable cause warrants for disclosure of real-time or prospective location information DOJ asserts a lower standard Contact your legal counsel before disclosureLegal Standards: Legal Standards Basic Subscriber Information: Subpoena or better (Gov’t may not use civil subpoena) Other Information: 2703(d) order or better Dialed digits: Pen Register or better Real Time Content: Title III order Stored Content < 180 days: search warrant Stored Content > 180 days: subpoena or better Video records: Warrant or court orderException: Emergency Cases: Exception: Emergency Cases Customer Information/Content Standard: ISP reasonably believes that an emergency involving immediate death or serious physical injury to any person requires disclosure of contents or justifies disclosure of records Get the justification in writingNational Security Letters: National Security Letters FBI may compel the production of "subscriber information and toll billing records information, or electronic communication transactional records" through National Security Letters. Generally NSLs must be kept secret May contact legal counsel.FISA Orders: FISA Orders Pursuant to FISA, the gov’t may provide FISA court order or other process under the FISA Amendments Act Contact legal counsel EFF would love to challenge the FAAA visit by Suits with Shades: A visit by Suits with Shades If you get a personal visit from Law Enforcement, call your company’s lawyer. Often, just an informal request for assistance Safest course is to get legal counsel earlyProvide Notice to Users: Provide Notice to Users Best practice is to provide notice where possible - let user move to quash LEAs need an order to prevent notice on subpoenas Notice may be delayed under ECPABackup Preservation: Backup Preservation Any LEA can request by any means Notify LEA, but do not deliver info LEA notifies user - starts 14 day clock for user objection Absent objection, must provide data upon receipt of proper processReimbursement: Reimbursement Yes for subpoenas Yes for technical assistance (not required to redesign, just help) Yes for special requirements, backup preservation, etc Yes for all civil requestsProvider Exception: Provider Exception Provider exception grants service providers the right "to intercept and monitor [communications] placed over their facilities in order to combat fraud and theft of service."Accessible to Public: Accessible to Public Privacy laws have an exception for electronic communication made through a system "that is configured so that . . . [the] communication is readily accessible to the general public.” If information sought by LEA is publicly available, you can tell them to get it themselves In some cases authentication may be requiredPenalties and Safe Harbors: Penalties and Safe Harbors May face lawsuits for improper disclosure You are protected from civil actions if you rely in “good faith” upon appropriate legal process Do not disclose information without being sure you have the right processParting Thoughts: Parting Thoughts Always get it in writing to preserve immunities Your ISP is not the agent of an LEA State and Local rules may be more strict If in doubt, ask the lawyersHelp Us Help You: Help Us Help You Let us know when you receive questionable over-reaching requests 415.436.9333 information@eff.org http://www.eff.org http://ilt.eff.org