1 Marc J. Zwillinger Elizabeth Banker Zwillinger Genetski LLP April 7, 2011.

Presentation transcript:

1 Marc J. Zwillinger Elizabeth Banker Zwillinger Genetski LLP April 7, 2011

2
• Understanding Universities' obligations related to Law Enforcement and Civil Demands
• Developments in privacy-related litigation
• Lawful Access issues on the horizon for Universities
• Other issues for Universities related to security and privacy

3
• Federal, state and local law enforcement issued subpoenas, court orders and warrants
• National Security Requests issued under National Security Letter authority, FISA or the FAA
• Civil subpoenas issued under DMCA subpoena provision
• Civil subpoenas issued in private litigation
• Requests without legal process:
  ◦ Deceased students
  ◦ Complaints

4
• Family Educational Rights and Privacy Act of 1974, 20 U.S.C. § 1232g; 34 CFR Part 99.
• Prohibits disclosure of certain student records without student or parental consent.
• Universities may disclose educational records in response to a subpoena or court order with prior notice to the student or parents.
• No notice is necessary if:
  ◦ Grand jury subpoena with court order to not provide notice
  ◦ Court order and told not to provide notice
  ◦ AG terrorism court order (ex parte)
  ◦ Emergencies

5
• ECPA has two primary parts:
  ◦ The Wiretap Act (also known as Title III) governs real-time access to the contents of electronic communications
    ▪ Codified at 18 U.S.C. § 2510 et seq.
  ◦ The Stored Communications Act (“SCA”) is the portion of ECPA that specifically governs stored records and communications
    ▪ Codified at 18 U.S.C. § 2701 et seq.
  ◦ Other parts of ECPA:
    ▪ Pen Register Trap and Trace Statute, 18 U.S.C. § 3121

6
• Governs real-time intercept of electronic and wire communications
• Federal law prohibits intercept of communications unless an exception applies:
  ◦ Consent (one party)
  ◦ Title III Wiretap Order issued by law enforcement
  ◦ Protection of Rights and Property of Providers
• State wiretap laws are similar, except:
  ◦ Twelve states require two-party/all-party consent for a valid exception to the prohibition on intercept

7
• Special Issues for Universities
  ◦ Students or School officials recording classes
  ◦ Scanning for prohibited content/conduct
  ◦ Archiving chat, IM, or other conversations conducted through interactive webpages
• How to deal with two-party/all-party consent requirements?
  ◦ Implied consent
  ◦ Affirmative consent

8
• Covered entities defined in SCA are “Electronic Communications Services” (ECS) and “Remote Computing Services” (RCS)
  ◦ ECS defined as “any service which provides to users thereof the ability to send or receive wire or electronic communications”
  ◦ RCS defined as “the provision to the public of computer storage or processing services by means of an electronic communications system”
    ▪ What does “to the public” mean?
    ▪ What public services do you offer – just broadband access, or more?
• Restrictions on voluntary disclosure of information (for ECS and RCS) turn on whether University offers services “to the public”
• Restrictions on compelled disclosures do not.

9
Statutory Definition / Plain Language
1) Statutory definition: “contents of a communication while in electronic storage”
   Plain language: contents of messages or e-mails
2) Statutory definition: “contents of a communication which is carried or maintained on that service on behalf of, and received by means of electronic transmission from a subscriber or customer of the service”
   Plain language: contents in stored files
3) Statutory definition: “a record or other information pertaining to a subscriber to or customer of such service not including contents under A or B”
   Plain language: any non-identity, non-content record kept about a subscriber
4) Statutory definition: “name, address, telephone records, session times and duration, length of service, start date, types of service utilized, telephone number or other subscriber # or identity, network address, means and source of payment”
   Plain language: basic identity information about the subscriber

10
• Can be obtained through trial, grand jury or administrative subpoena under § 2703(c)(2)
  ◦ name & address
  ◦ local and long distance billing records
  ◦ telephone number or other account identifier (such as username or “screen name”)
  ◦ length & type of service provided
  ◦ Session times and duration
  ◦ Temporarily assigned network address (IP Address)
  ◦ Means and source of payment (cc# or bank acct)
• Limited to specifically listed records

11
• Scope:
  ◦ Not content, not basic subscriber
    ▪ § 2703(c)(1)(B)
  ◦ Everything in between
    ▪ identities of connections or correspondence
    ▪ Subscriber info not specified in 2703 (c)(1)(c) (e.g., DOB, gender, DL #, etc.)
    ▪ Connection information
• Obtainable with § 2703(d) court order
  ◦ Issued based on showing of “specific and articulable facts” of relevance to “criminal investigation”
  ◦ Intermediate standard between subpoena (relevance) and search warrant (probable cause)
• Delayed Notice available under § 2705

12
• “Electronic storage” defined as 1) temporary, intermediate storage incidental to transmission (§ 2510(17)(A)); and 2) storage of such communication by an electronic communication service for purposes of backup protection of such communication
• Beginning: DOJ view that a warrant was only required for unopened, received in user’s inbox for 180 days or less. A court order or subpoena used for sent, read, or e-mails over 180 days old
• After Theofel v. Farey-Jones (9th Cir.): Read and saved was considered a “back up” and required a search warrant if 180 days or less old

13
• Sixth Circuit Court of Appeals held in U.S. v. Warshak that the Fourth Amendment protects content from disclosure to law enforcement absent a search warrant
• Court found that individuals have a “reasonable expectation of privacy” in their content
  ◦ Court left open possibility that provider or employer terms could eliminate the R.E.P.
• Decisions about how to implement
  ◦ Restrict to district
  ◦ Implement nationwide

14
• Public provider prohibited from voluntarily disclosing any subscriber records (§ 2702)
• Exceptions
  ◦ Consent of originator or addressee/intended recipient
  ◦ To an addressee or intended recipient
  ◦ To law enforcement if contents inadvertently obtained & pertain to commission of a crime
  ◦ To person employed or authorized or whose facilities are used to forward such communication
  ◦ As necessary to protect provider rights and property
  ◦ To NCMEC in child pornography report
  ◦ To government if provider in good faith believes an emergency exists threatening death or serious physical injury

15
• Public provider prohibited from voluntarily disclosing any contents of communications (§ 2702)
• Exceptions
  ◦ Consent of originator or addressee/intended recipient
  ◦ To an addressee or intended recipient
  ◦ To person employed or authorized or whose facilities are used to forward such communication
  ◦ As necessary to protect rights and property
• No prohibition on disclosing records to civil litigant (§ 2702 (c)(6))
  ◦ Subpoena is generally sufficient

16
• FERPA allows disclosure of educational records when legal process is issued.
  ◦ If not prohibited by law, notice must be given to the student or parents
  ◦ When is notice forbidden? A court order prohibits notice (e.g., an order for delayed notice under Section 2705) or statute under which the legal process was issued prohibits notice (e.g., NSLs).
  ◦ When in doubt? Advise law enforcement of plan to provide notice
• FERPA allows disclosure of information in response to a civil subpoena with notice, but ECPA prohibits disclosure of content to private litigants
  ◦ Disclosure could be allowed if account holder consents
• FERPA & ECPA both allow disclosure of records and content when there is an emergency that puts the physical safety of a person at risk
  ◦ ECPA only allows emergency disclosures to law enforcement.
  ◦ Be sure to document the nature of the emergency, how the requested information will help LE and the requesting individual and agency.
  ◦ Also helpful: Emergency disclosure form, Emergency disclosure policy

17
• Deceased Users and stored content
• Freedom of Information Act requests
• Complaints and requests to identify users without legal process
• Internal, on-campus investigations
• State schools and status as a “governmental entity”
• National security process and non-disclosure requirements

18
• ECPA Litigation
• ECPA Reform
• CALEA Updates
• Data Retention Mandates

19
• Plaintiffs' lawyers are now suing for improper disclosure of records based on claims that the legal process used was illegitimate
• Entities sued: Yahoo!, Myspace, Windstream, Comcast
• Theory – recipient must insist on proper service of process to make legal process valid – i.e., no out-of-state faxes.
• Prediction – not going to be successful, but may not be worth the risk

20
• Initially proposed by the Digital Due Process Coalition (DDP), which includes: CDT, Amazon, Google, Facebook, AOL, Microsoft, AT&T, SalesForce, Loopt, and others
• Need for ECPA reform:
  ◦ Definitions are archaic and hard to apply to Web 2.0
  ◦ Different law enforcement agencies use it and have different interpretations
  ◦ Different jurisdictions have different interpretations
  ◦ Volume makes it impossible to operate with anything less than bright-line rules
  ◦ Litigation develops over areas of friction
  ◦ Many, many issues do not seem to be answered by ECPA

21
1. Technology and platform neutrality
2. All content should be protected under the 4th Amendment standard – regardless of how old it is or whether it has been “opened” or not
3. Data should receive same protection whether it is in transit or in storage
4. Recognize sensitivity of data that deserves 4th Amendment protection

22
1. All content should be protected under the 4th Amendment standard and probable cause should be required – regardless of how old it is or whether it has been “opened” or not
2. Location data, whether historical or prospective, should be produced only pursuant to a Warrant
3. The standard for pen registers/trap and trace devices should be heightened
4. Information requests made pursuant to a subpoena should be particularized to an individual or group of individuals, otherwise a 2703(d) Order or greater should be required

23
• At least 4 hearings held in 2010 before House Judiciary Committee and at least one in the Senate.
• Hill meetings and DOJ meetings have been occurring with increased frequency
• DOJ has proposal for reform of NSL provisions (18 USC 2709) which may get linked to these efforts
  ◦ Proposal would clear up uncertainty regarding ability of FBI to get access to electronic communication transactional records

24
• Communications Assistance to Law Enforcement Act (“CALEA”) originally passed in 1994
• Mandates that covered providers build capability to intercept communications if presented with a wiretap order
  ◦ Currently covers telecommunications and broadband
• FBI “Going Dark” Initiative seeks to expand coverage
• Potential model: Section 12 of UK’s RIPA

25
• Lamar Smith (R), House Judiciary Chairman, has had several bills in the past and is currently working on a new bill
• Hearing held in January 2011
• Potential scope of data retention obligation:
  ◦ 6 months to 2 years of retention
  ◦ IP address assignment logs, IP log-in records, communications transactional records, upload IP information
• EU Data Retention Directive implementation
  ◦ Problematic and still controversial in EU, but provides potential model

26
• Child pornography reporting requirements applicable to ECS and RCS under 18 U.S.C. § 2258A.
• Content complaints and Section 230
• Security Breach notice requirements
• Required security to protect sensitive personal information
  ◦ E.g., Social Security Numbers

27 ??