
Addressing Law Enforcement Considerations

In This Chapter

✓ A look at the U.S. Constitution’s Fourth Amendment

✓ A brief primer on the Freedom of Information Act

✓ The pros and cons of dealing with law enforcement

✓ Information-sharing issues in computer crime investigations

✓ The role of the National Infrastructure Protection Center (NIPC)

✓ Understanding disclosure and discovery

✓ A brief overview of federal computer crimes and laws

There is a growing concern that individuals, organizations, and governments around the globe are increasingly at risk when they choose to ignore the threats posed by hackers, intruders, and malicious code. The rash of malicious code outbreaks over the past several years is an observable demonstration of how an individual may cause widespread harm by infecting hundreds of thousands of computers within a matter of hours, and of how he or she can locate targets even when vulnerabilities are well known, highly publicized, and could easily be protected against. Whatever their motivation, the actions of these individuals are oftentimes impossible to distinguish from one another. From a law enforcement perspective, catching criminals, terrorists, and intelligence operatives has never been more difficult than in today’s cyber environment.

In today’s setting, attacks and intrusions are encrypted, broken into packets, and routed the world over, anonymously passing through Internet and telecommunications providers that are under no obligation to keep track of how their systems are used or, more importantly, how they may be misused. Law enforcement authorities must act carefully when conducting computer criminal investigations to catch the perpetrators while preserving the privacy rights and civil rights of others. This chapter focuses on the legal aspects concerning computer crimes and the role law enforcement plays in computer crime investigations.

A Look at the Fourth Amendment

The Fourth Amendment of the U.S. Constitution declares that “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” In the early 1900s, the Supreme Court’s philosophy regarding the Fourth Amendment was geared mainly toward the safeguarding of property. The Court’s desire to protect property was evident in its 1928 decision in Olmstead v. United States [277 U.S. 438 (1928)].

In Olmstead, the Supreme Court held that the use of a wiretap to intercept a private telephone conversation was not a “search” for purposes of the Fourth Amendment. One of the grounds on which the Court justified its result was that there had been no physical intrusion into the person’s home. Under Olmstead’s narrow view of the Fourth Amendment, the amendment was not applicable in the absence of physical intrusion. Thus, without trespass or seizure of any material object, surveillance was deemed beyond the scope of the Fourth Amendment as interpreted by the Olmstead case.

In the landmark 1967 Supreme Court ruling Katz v. U.S., however, it was deemed that a search is constitutional if it does not violate a person’s “reasonable” or “legitimate” expectation of privacy. Charles Katz was arrested for illegal gambling after he used a public telephone to transmit “gambling information.” The FBI had attached an electronic recording device onto the outside of the public phone booth that Katz habitually used. They argued that this constituted a legal action since they never actually entered the phone booth. The Court, however, ruled in favor of Katz, stating the Fourth Amendment allowed for the protection of a person and not just a person’s property against illegal searches. Whatever a citizen “seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected.”

At the conclusion of the Katz case, the Court held that physical penetration of a constitutionally protected area is not necessary before a search and seizure can be held to violate the Fourth Amendment. According to the Court in Katz, “once it is recognized that the Fourth Amendment protects people — and not simply ‘areas’ — against unreasonable searches and seizures it becomes clear that the reach of that Amendment cannot turn upon the presence or absence of a physical intrusion into any given enclosure.” Thus, although the government’s activities in Katz involved no physical intrusion, they were found to have violated the privacy on which the petitioner justifiably relied and thus constituted “search and seizure” within the meaning of the Fourth Amendment.

Changing technology precipitated the shift from protection of property to protection of privacy, and in 1968, just one year after Katz, Congress passed Title III of the Omnibus Crime Control and Safe Streets Act, authorizing microphone surveillance or wiretapping for law enforcement purposes, and requiring a warrant, based on probable cause, prior to such surveillance or wiretapping.

The most basic Fourth Amendment question, as it relates to federal computer cases, asks whether an individual enjoys a reasonable expectation of privacy in electronic information stored within computers (or other electronic storage devices) under the individual’s control. For example, do individuals have a reasonable expectation of privacy in the contents of their laptop computers, floppy disks, or pagers? If the answer is “yes,” then the government ordinarily must obtain a warrant before it accesses the information stored therein.

On July 24, 2000, Kevin V. DiGregory, deputy assistant attorney general for the U.S. Department of Justice, made the following statement before the Subcommittee on the Constitution regarding the Fourth Amendment and its application in the information age:

It is beyond dispute that the Fourth Amendment protects the rights of Americans while they work and play on the Internet just as it does in the physical world. The goal is a long-honored and noble one: to preserve our privacy while protecting the safety of our citizens. Our founding fathers recognized that in order for our democratic society to remain safe and our liberty intact, law enforcement must have the ability to investigate, apprehend and prosecute people for criminal conduct. At the same time, however, our founding fathers held in disdain the government’s disregard and abuse of privacy in England. The founders of this nation adopted the Fourth Amendment to address the tension that can at times arise between privacy and public safety. Under the Fourth Amendment, the government must demonstrate probable cause before obtaining a warrant for a search, arrest, or other significant intrusion on privacy.

Congress and the courts have also recognized that lesser intrusions on privacy should be permitted under a less exacting threshold. The Electronic Communications Privacy Act (ECPA) establishes a three-tier system by which the government can obtain stored information from electronic communication service providers. In general, the government needs a search warrant to obtain the content of unretrieved communications (like e-mail), a court order to obtain transactional records, and a subpoena to obtain information identifying the subscriber. See 18 U.S.C. §§ 2701–11.

In addition, in order to obtain source and destination information in real time, the government must obtain a “trap and trace” or “pen register” court order authorizing the recording of such information. See 18 U.S.C. 3121, et seq.

Because of the privacy values it protects, the wiretap statute, 18 U.S.C. §§ 2510–22, commonly known as Title III, places a higher burden on the real-time interception of oral, wire and electronic communications than the Fourth Amendment requires. In the absence of a statutory exception, the government needs a court order to wiretap communications. To obtain such an order, the government must show that normal investigative techniques for obtaining the information have or are likely to fail or are too dangerous, and that any interception will be conducted so as to ensure that the intrusion is minimized.

The safeguards for privacy represented by the Fourth Amendment and statutory restrictions on government access to information do not prevent effective law enforcement. Instead, they provide boundaries for law enforcement, clarifying what is acceptable evidence gathering and what is not. At the same time, those who care deeply about protecting individual privacy must also acknowledge that law enforcement has a critical role to play in preserving privacy. When law enforcement investigates, successfully apprehends, and prosecutes a criminal who has stolen a citizen’s personal information from a computer system, for example, law enforcement is undeniably working to protect privacy and deter further privacy violations. The same is true when law enforcement apprehends a hacker who compromised the financial records of a bank customer.

As we move into the 21st century, we must ensure that the needs of privacy and public safety remain in balance and are appropriately reflected in the new and emerging technologies that are changing the face of communications. Although the primary mission of the Department of Justice is law enforcement, Attorney General Reno and the entire Department understand and share the legitimate concerns of all Americans with regard to personal privacy. The Department has been and will remain committed to protecting the privacy rights of individuals. We look forward to working with Congress and other concerned individuals to address these important matters in the months ahead.

According to the U.S. Department of Justice, to determine whether an individual has a reasonable expectation of privacy of information stored in a computer, it helps to treat the computer like a closed container such as a briefcase or file cabinet. The Fourth Amendment generally prohibits law enforcement from accessing and viewing information stored in a computer without a warrant if law enforcement would be prohibited from opening a closed container and examining its contents in the same situation (under the same circumstances).

While a “reasonable expectation of privacy” applies to law enforcement investigations, it does not offer any protection to individuals from searches by their employers, parents, and spouses.

A Brief Primer on the Freedom of Information Act

The U.S. Freedom of Information Act (FOIA) is a law ensuring public access to U.S. government records. Under the Freedom of Information Act all federal agencies are required to disclose records requested in writing by any person. However, agencies may withhold information pursuant to nine exemptions contained in the statute.

The FOIA applies only to federal agencies and does not create a right of access to records held by Congress, the courts, or by state or local government agencies. Each state has its own public access laws that must be consulted prior to accessing state and local records. While the FOIA has opened the door to the sharing of information between government and the private sector, it has also become one of the biggest roadblocks in getting the private sector to disclose cyber-crime information to government agencies such as the FBI.

In his March 2000 testimony before the Senate Subcommittee on Technology, Terrorism and Government Information, Harris N. Miller, president of the Information Technology Association of America, stated, “Companies worry that if information sharing with government really becomes a two-way street, FOIA requests for information they have provided to an agency could prove embarrassing and probably costly. Many in industry believe that freedom from FOIA concerns is the most formidable obstacle, and that an exemption for this type of information sharing is the only option.”

Reporting Security Breaches to Law Enforcement

The reluctance of victims of network intrusions to report such intrusions to authorities poses a considerable threat to the future of network security. Upon finding a hacker in their system, for example, network administrators sometimes consider it sufficient to close the intruder’s account and patch the vulnerability that originally allowed the hacker to gain entry. This is akin to kicking the hacker out, then locking the door. Unfortunately, this does little to help with overall security. Not only is the intruder free to attempt the same exploit on another company’s network, he or she may have been savvy enough to leave behind a backdoor through which to return to the exploited system later, undetected. In addition, others with malicious intent may learn of the exploit through the hacker community and, because of the lack of law enforcement response, join in compromising computer systems.

To believe that a hacker is motivated solely by the desire to show off computing prowess with no real intention to damage, steal, or defraud is naive. What may appear to be a simple hack with no real risk of damage can, in fact, be a part of a larger scheme to launch a very destructive attack against other sensitive machines. Intruders may compromise numerous systems, collecting them like trading cards. Some hackers use the “stolen” computers as springboards to launch attacks against other computers, shutting down the next victim, taking information from the system, and using the stolen data in extortion schemes, or to engage in countless other types of illegal conduct. With each compromise, the security of all networks is weakened. If victims do not report such incidents, law enforcement cannot provide an effective and appropriate response.

Industry experts claim that there is a wide variety of reasons for the reluctance to report computer security incidents. There is the perception on the part of some businesses that there is little upside to reporting network intrusions. According to Richard P. Salgado, Trial Attorney for the Computer Crime and Intellectual Property Section of the U.S. Department of Justice, the rationale for not reporting an intrusion includes the following:

✓ “The victim company does not know which law enforcement entity to call. Surely, the victim reasons, the local or state police will not be able to comprehend the crime, and the FBI and Secret Service would have no interest in my system.

✓ If the victim company does report the intrusion to an appropriate agency, law enforcement will not act. Instead, the fact of the intrusion will become public knowledge, irreparably shaking investor confidence and driving current and potential customers to competitors who elect not to report intrusions.

✓ If law enforcement does act on the report and conducts an investigation, law enforcement will not find the intruder. In the process, however, the company will lose control of the investigation. Law enforcement agents will seize critical data and perhaps entire computers, damage equipment and files, compromise private information belonging to customers and vendors, and seriously jeopardize the normal operations of the company. Only competitors will benefit as customers flee and stock value drops.

✓ If law enforcement finds the intruder, the intruder likely will be a juvenile, reside in a foreign country, or both, and the prosecutor will decline or be unable to pursue the case.

✓ If the intruder is not a minor, the prosecutor will conclude that the amount of damage inflicted by the intruder is too small to justify prosecution.

✓ If law enforcement successfully prosecutes the intruder, the intruder will receive probation or at most insignificant jail time, only to use his or her hacker experience to find fame and a lucrative job in network security.”

Salgado states further that while the preceding list of excuses may appear startling, barriers to reporting can be overcome by better-informed computer network owners and operators, and skillful investigatory and prosecutorial practices. The risk presented by failing to report intrusions is enormous. For the foreseeable future, computer networks are only going to become more complex, more interconnected, and therefore more vulnerable to intrusions. Networks are also going to command more importance in our private lives, our nation’s defense, and the world’s economy. For these reasons, it is imperative that organizations and individuals understand the importance of reporting intrusions.

One of the more noticeable benefits of cooperation between private sector organizations and law enforcement agencies is the faster distribution of information about threats and the ways to counter them. Conversely, organizations in the private sector sometimes find that calling in law enforcement to investigate a computer crime may lead to the following:

✓ Loss of privacy of their personal information

✓ Loss of consumer confidence

✓ Retaliatory attacks by the intruder

✓ A shutdown of the business as the law enforcement agents seize and review evidence

While there have been attempts to alleviate the aforementioned fears and foster cooperative ventures between law enforcement and the private sector, victims of computer intrusion are still hesitant to call in law enforcement when an intrusion has occurred. In her opening speech at the April 5, 2000 Cybercrime summit, Attorney General Janet Reno addressed these issues. Following is an excerpt from her speech:

Law enforcement, like industry, has its duties, its tools and its constraints. As a prosecutor for almost 15 years in Miami, I can tell you that I know how intrusive a criminal investigation can be. I have heard from bankers long before they talked in terms of cyber tools about why they didn’t report an embezzlement, why they didn’t want to put up with a criminal investigation. I want your opinions, your suggestions about what we can do in law enforcement to design investigations that achieve the truth, that do it according to principles of the Constitution and do it with the least disruption to your undertakings. We ask industry to recognize that law enforcement has much to offer to make the Internet a secure place for their businesses and customers. But I also recognize that it is hard for government to attract a sufficient number of people who have both the technical and the legal expertise to deal with the critical issues that we face. I have been so proud of those in the Department of Justice who have done so much with limited resources, limited equipment. And we want to work with you to understand better how we can attract people, what we can do to retain them, how we can work with you in public-private partnerships to achieve new goals. Senior officials from the Department’s Computer Crime Section meet regularly with representatives from Internet service providers, telecommunications carriers, and others through information industry group. The FBI’s National Infrastructure Protection Center and its Computer Crime Squads have worked to develop the Infragard Program in communities around the
