Computer Crime Research Center


Field Guidance on New Authorities That Relate to Computer Crime and Electronic Evidence Enacted in the USA Patriot Act of 2001

Date: October 15, 2003
Source: Computer Crime Research Center


... in the telephone context
(202-514-6809) or the Computer Crime and Intellectual Property Section
in the computer context (202-514-1026).


Further, because the pen register or trap and trace "device"
often cannot be physically "attached" to the target facility,
Section 216 makes two other related changes. First, in recognition of
the fact that such functions are commonly performed today by software
instead of physical mechanisms, the amended statute allows the pen register
or trap and trace device to be "attached or applied" to the
target facility. Likewise, Section 216 revises the definitions of "pen
register" and "trap and trace device" in section 3127 to
include an intangible "process" (such as a software routine)
which collects the same information as a physical device.




Previous law: Under previous law, a court could only authorize
the installation of a pen/trap device "within the jurisdiction of
the court." Because of deregulation in the telecommunications industry,
however, a single communication may be carried by many providers. For
example, a telephone call may be carried by a competitive local exchange
carrier, which passes it to a local Bell Operating Company, which passes
it to a long distance carrier, which hands it to a local exchange carrier
elsewhere in the U.S., which in turn may finally hand it to a cellular
carrier. If these carriers do not pass source information with each call,
identifying that source may require compelling information from a string
of providers located throughout the country – each requiring a separate
order.


Moreover, since, under previous law, a court could only authorize the
installation of a pen/trap device within its own jurisdiction, when one
provider indicated that the source of a communication was a different
carrier in another district, a second order in the new district became
necessary. This order had to be acquired by a supporting prosecutor in
the new district from a local federal judge – neither of whom had
any other interest in the case. Indeed, in one case investigators needed
three separate orders to trace a hacker’s communications. This duplicative
process of obtaining a separate order for each link in the communications
chain has delayed or – given the difficulty of real-time tracing
– completely thwarted important investigations.


Amendment: Section 216 of the Act divides section 3123 of title
18 into two separate provisions. New subsection (a)(1) gives federal courts
the authority to compel assistance from any provider of communication
services in the United States whose assistance is appropriate to effectuate
the order.


For example, a federal prosecutor may obtain an order to trace calls
made to a telephone within the prosecutor’s local district. The order
applies not only to the local carrier serving that line, but also to other
providers (such as long-distance carriers and regional carriers in other
parts of the country) through whom calls are placed to the target telephone.
In some circumstances, the investigators may have to serve the order on
the first carrier in the chain and receive from that carrier information
identifying the communication’s path to convey to the next carrier
in the chain. The investigator would then serve the same court order on
the next carrier, including the additional relevant connection information
learned from the first carrier; the second carrier would then provide
the connection information in its possession for the communication. The
investigator would repeat this process until the order has been served
on the originating carrier who is able to identify the source of the communication.


When prosecutors apply for a pen/trap order using this procedure, they
generally will not know the name of the second or subsequent providers
in the chain of communication covered by the order. Thus, the application
and order will not necessarily name these providers. The amendments to
section 3123 therefore specify that, if a provider requests it, law enforcement
must provide a "written or electronic certification" that the
order applies to that provider.


The amendments in Section 216 of the Act also empower courts to authorize
the installation and use of pen/trap devices in other districts. Thus,
for example, if a terrorism or other criminal investigation based in Virginia
uncovers a conspirator using a phone or an Internet account in New York,
the Virginia court can compel communications providers in New York to
assist investigators in collecting information under a Virginia pen/trap
order.


Consistent with the change above, Section 216 of the Act modifies section
3123(b)(1)(C) of title 18 to eliminate the requirement that federal pen/trap
orders specify their geographic limits. However, because the new law gives
nationwide effect for federal pen/trap orders, an amendment to section
3127(2)(A) imposes a "nexus" requirement: the issuing court
must have jurisdiction over the particular crime under investigation.


C. Reports for use of law enforcement pen/trap devices on computer
networks


Section 216 of the Act also contains an additional requirement for the
use of pen/trap devices in a narrow class of cases. Generally, when law
enforcement serves a pen/trap order on a communication service provider
that provides Internet access or other computing services to the public,
the provider itself should be able to collect the needed information and
provide it to law enforcement. In certain rare cases, however, the provider
may be unable to carry out the court order, necessitating installation
of a device (such as Etherpeek or the FBI’s DCS1000) to collect the
information. In these infrequent cases, the amendments in section 216
require the law enforcement agency to provide the following information
to the court under seal within thirty days: (1) the identity of the officers
who installed or accessed the device; (2) the date and time the device
was installed, accessed, and uninstalled; (3) the configuration of the
device at installation and any modifications to that configuration; and
(4) the information collected by the device. 18 U.S.C. § 3123(a)(3).



Prior law: Although the wiretap statute allows computer owners
to monitor the activity on their machines to protect their rights and
property, until Section 217 of the Act was enacted it was unclear whether
computer owners could obtain the assistance of law enforcement in conducting
such monitoring. This lack of clarity prevented law enforcement from assisting
victims to take the natural and reasonable steps in their own defense
that would be entirely legal in the physical world. In the physical world,
burglary victims may invite the police into their homes to help them catch
burglars in the act of committing their crimes. The wiretap statute should
not block investigators from responding to similar requests in the computer
context simply because the means of committing the burglary happen to
fall within the definition of a "wire or electronic communication"
according to the wiretap statute. Indeed, because providers often lack
the expertise, equipment, or financial resources required to monitor attacks
themselves, they commonly have no effective way to exercise their rights
to protect themselves from unauthorized attackers. This anomaly in the
law created, as one commentator has noted, a "bizarre result,"
in which a "computer hacker’s undeserved statutory privacy right
trumps the legitimate privacy rights of the hacker’s victims."
Orin S. Kerr, Are We Overprotecting Code? Thoughts on First-Generation
Internet Law, 57 Wash. & Lee L. Rev. 1287, 1300 (2000).


Amendment: To correct this problem, the amendments in Section
217 of the Act allow victims of computer attacks to authorize persons
"acting under color of law" to monitor trespassers on their
computer systems. Under new section 2511(2)(i), law enforcement may intercept
the communications of a computer trespasser transmitted to, through,...



