 My talk today is working with law enforcement. Now, that's kind of a problematic title. There's really two ways to interpret it. One is working with law enforcement when they show up and say, we need to work with you. The others are more collaborative arrangement, and sometimes the two can work together. And anything I say here, obviously I'm going to expand upon later. You know, there's kind of really wish I had the PowerPoints. Oh, well. My background is as a trial attorney with the Federal Trade Commission. You know, it's a civil law enforcement agency. On the criminal side, it would be called a prosecutor. After that, I established and I ran the Internet Lab, which was the FTC's Internet Operations Center. So I come at the subject of working with law enforcement from a certain perspective. On the other hand, way back when I was on the government presidential campaign staff, I still have my armband from marching on Washington after Kent State. So I'm kind of schizophrenic on this whole routine of working with law enforcement. No matter what I say here, and some of it's going to involve cooperating, keep this in mind, I am not suggesting at any point that you give up your rights. I'm not going to suggest at any point that you decide not to help, not to stand up for somebody else's rights. For example, a customer who's got data on your systems and you get a visit. This talk is about how to work through the process constructively to everybody's advantage. There are certain basics that go with this. You're going to run into a whole variety of laws. The laws are going to vary, the regulations are going to change. You're going to be dealing with different people, with different agencies. Your tactics are going to vary, but there are a couple of things that are not going to change. In any dealing with law enforcement, you need to do two things. You need to show respect, and you need to avoid playing games. If you just follow those two rules, things will go a lot smoother. And if you don't follow those two rules, you're in a losing proposition. Maybe the case will come out in your favor, but it's going to be a lot messier and you're going to run into a lot of unhappiness and a lot of expense that's just plain unnecessary. Prosecutors, police, you know, they're folks. And if you don't treat them with respect, if you mess around with them, they may take it hard. And just follow different paths from what's in everybody's best interest, sometimes including theirs. What I'm going to say here is going to vary, like I said. There are civil jurisdiction, there's criminal jurisdiction, there's administrative jurisdiction, there's federal, there's state. Just a wide range. My specialty, since I left the feds, has been security and privacy. So what have we got? We've got GLB, we've got HIPAA, we've got FERPA, we've got SOX, SARBOX, depending on how you like to talk about it. A whole range. And enforcing those, and here we're only talking the federal level, you've got DOJ, Patriot Act, and a number of others. You've got the FTC. Matter of fact, Graham Leach-Bliley GLB is enforced by eight different agencies. So there's a wide variety. What I'm going to talk about here is largely based on my FTC experience, obviously. But I think it's fairly, I know, I know it's fairly typical. The context is going to vary too. There's going to be a formal investigations. You may be a target, a defendant, a respondent, depending on the stage of the proceeding. You may be a third party, like I mentioned. You may be just, my father had a favorite expression, just between you and me in the lamppost. You may have a situation where you're just sitting around shooting the breeze. And that's one kind of working with law enforcement that can be beneficial. The first, basically the first most basic interaction that we used to do was, FTC is civil and it was voluntary. We think there might be a problem. Please send us these documents. Now documents, if you've ever seen one of these civil investors, one of these access letters or a subpoena or anything, document is generally two or three paragraphs long just to identify and define document. Read all this stuff carefully. Obviously, we've opened the law enforcement investigation. Come talk to us. Okay. Don't ignore it. It's voluntary, but don't ignore it. I'm sounding very strident here. That's just common sense. If you ignore it, it will go to the next level. Read it carefully. Make sure you understand what it says, what it's asking for, what the subject matter is. Make sure you assign the best possible person to answer to come up with the documents, to find what's responsive. You need to use this person to find out where the documents are, what form they're in, how you can produce them. And then contact the requesting attorney, the folks who signed the access letter, just to discuss any issues. I mean, if you've got questions, ask them. These things aren't written in stone when they first come out, not by a long shot. Interpreter requests sensibly. The government staff who writes them may not have the technical knowledge that you do. They've got consultants that they hire, they've got people on staff. But some of this stuff, you're getting into data breach cases. For example, there may be some really specialized knowledge. Interpret the request sensibly. Call the lawyer. Say, we need to talk about this. It doesn't make sense. Let's work together. Let's get you what you need. If you throw paper, it doesn't accomplish anything. You've wasted your time and your money. And if you don't send enough, then you get into a back and forth. You didn't answer. Yes, we did. No, we didn't. Yes, you did. Did I get that reversed? Yeah. It's just a back and forth process. You can talk about rolling production. Produce it all at once. Come up with it as you can. Keep the dialogue going. Talk back and forth. Discuss whether you want to produce hard copies or electronic versions. What you can produce. The form and the location. All these things go into just getting the job done. With no hard feelings, no problems, no issues. Your interests are protected by this process as well as what the feds are. I'm a fed. State, local, whatever it is. Everybody's interests are protected. You'll be willing to meet and talk. If you need to on any of these documents, request confidential treatment. You should get it. These are trade secrets. They're sensitive information. Request, put a confidential stamp on it and talk about it. So you make sure that it's not going to be exposed in a FOIA request or something like that once the investigation is over. Negotiating and cooperating does not mean be a doormat. I can't keep stressing this enough. Stand up for yourself. This is all things you do in your interest. All the way down the line. At this voluntary level, you may just resolve the issues with no further action. The agency may decide there's no case after all, but even if they decide we need to go further, you've at least established a solid working relationship, such that the next step is going to go smoother. It's going to go better. The civil action, the mandatory kind is similar. We have a law enforcement investigation. Produce these documents. If you notice the word please is gone. This is a subpoena. You will produce it or they can go to court and file for contempt. But the process, once you do that, the stakes are higher. It's more formal. The process is still largely the same. Produce, negotiate, protect your interests, discuss what's coming, discuss how it's coming, discuss when it's coming, where it's coming. The only real difference in the mandatory, in the compulsory stage, is that it's not just going to be documents. You may get into depositions. You may get into interrogatories. You don't just provide documents. You have to provide written answers to questions. Again, make sure you provide the right person. Putting somebody up as a witness for a deposition who doesn't know what's going on is just not a good way to go. I've seen it happen. First case they ever were coming out of law school long before I was with the FTC. They provided a witness for hearing who clearly was not qualified. It was our first clue that they were trying to pull a fast one to put it one way. No competent person in accounting would ever testify to what they wanted on the record. So they just dragged somebody out who had no clue and they lost the case. It's the first time anybody ever failed to get a rate increase before this given administrative agency. Again, a little distracting there. The same as the voluntary. Don't ignore. Review carefully. Contact to discuss issues. Nothing magic about this. It's business negotiating. It's keeping the relationship going. It's keeping it on an even keel. So both sides benefit as things go along. Now, my background is civil. The first agency I mentioned was a little outfit that only had 350 people then I was with the Federal Trade Commission. I have a little bit of criminal background because I worked on criminal investigations with other agencies. Contrary to what you may see on TV or read in the paper, the agencies do work together. The FTC had some cases that were very good and very strong and they were good, solid civil cases. And sometimes there were also strong criminal components to them and we worked with them. When I was at the FTC, I ran the spam database. If anybody's familiar with that, it was a system where the public submitted, just forwarded their spam to a mailbox that we ran and it was indexed and a good solid repository of evidence. The Department of Justice Child Exploitation came over and got evidence off those boxes. So there is a good chunk of back and forth. Got some exposure. Obviously the stakes are higher there. In a civil matter, the only thing you've got at stake is money. Some people, that's not the only thing, that's understating what it's worth, but it's money. It's injunctive provisions. It's giving its fines. It's giving consumers their money back. It's as tough as that may be at times. Criminal actions, you can go to jail. Most people think that's a lot worse than what can happen in a civil law enforcement action. In a criminal matter, the Fifth Amendment applies. You obviously are in a much better position to say, I'm not talking to you. The Fifth Amendment does not apply in a civil action. I'm not suggesting you give up Fifth Amendment, but if you're going to talk, at some point your attorney has to talk to the prosecutor to work the matters through. So there can still be some level of cooperation, some level of civility. If nothing else civility, you get into compliance issues. The scope, say, the search warrant, the criminal version of the CID that I mentioned. There very often is room to discuss, particularly if you're talking about a business, a personal. There may be an issue of breadth. How long? How wide does it go? You have the ability to seek a protective order to try to limit things. And you also have the ability to negotiate the handling of privileged documents. Take advantage of all of these. These are all tools for your use, even in a criminal investigation. You've got the same issues you do in civil with sometimes. If it's outside the realm of a search warrant and you're just producing documents, you have the same issues of compliance and rolling and defining and all sorts of things like that. Take advantage of them. Straight up, you're the target. Law enforcement is there, is a clear cut situation. Where it gets kind of tricky sometimes, though, is you're the third party. You're the ISP and somebody shows up and says, I want their email records. A lot of the safeguards that you would have if the defendant are not there. If it's a criminal matter, if you're not the target, you have no Fifth Amendment protections. In some cases, you have to talk to the client, to your customer. Go ahead and do that if you can. There's always exceptions to anything anybody says about anything in the law. Generally, you'll be in a position to talk to your customer before you produce. Don't hesitate. Take advantage of the opportunities you have. If you really believe that the request you're getting is overbroad, if you think the request you're getting is out of line, don't hesitate to stand up for that. There was a case very recently where a company received a subpoena for third party records. No, they didn't. The agency just showed up and said, give them to us. And the company said, no, give me a search warrant. There's nothing wrong with that. Well, the police thought there was, but I don't. And it got bought through. But again, by all accounts, it wasn't get out of here, you idiot. It was, no, we can't do this. We need to talk to counsel. And it was left at a very civil level. I think the most common in what I do is ACPA, the Electronic Communications Privacy Act. There can be some very tricky issues involving whether an ISP has to give records up under ACPA or can give records up under ACPA. And those do have to be worked out. And you've got a right to take the time to do that. Keep it civil. Discuss the breadth. Discuss the terms. Proceed accordingly. Here's, I mentioned sometimes the cooperation. I'm not going to jump straight to cooperation. I'm going to go the adversarial to, quasi-adversarial to cooperation. Sometimes you can look at these documents and say something that goes to both your advantage and law enforcement's advantage. I'm aware of a situation where law enforcement came in and said, we want all the headers, or no, we want certain information out of the headers in these emails. The subpoena was to a corporation involving their enterprise email system. That would have been a lot of work for the email administrators. It would have been a whole lot of delay just putting it together, but to law enforcement's interest. However, the company knew that the enforcement agency already had certain information in their possession. They were able to identify that information. Basically, it went back and forth of, am I right that you have this information? The answer was yes. Here's how you can read that information to get what you want. The agency people weren't aware of that. They didn't know enough about how to read email headers to know what they wanted was already there. The company was out from underdoing a very expensive and lengthy production, electronic document production. The government had its information already there. They didn't have to wait the 30 or 60 days. I forget what the time frame was on the given formal document. That type of thing can work out to everybody's advantage. I know of a number of other examples where basically the target of the production request talked it through, realized exactly what the government wanted and said, we can help you. We can help you figure this out. We can give you the information in a different form that's really better. We can cut your expense, we can cut your time, we can cut our expense, we can cut our time. That kind of open communication is always valuable. There are times, and I'm hesitating here because there are times, and you only do this with advice of counsel, obviously. There are times you may want to look at what's been said, but they're being requested and say, I'm not sure I can give that, but I'm going to figure a way to do it. Stretch the rules. That's obviously your call, your value judgment. The hot button, I think, in law enforcement, the hot button with the public when it comes to the internet is child pornography. And sometimes the rules, I'm aware of situations where the rules have been stretched. You don't do that unless you've consulted with counsel, but think about it as a strategy, and I'm not suggesting this is a curry favor, I'm just suggesting that it's a possibility in the realm of dealing with law enforcement document production. I think it's less likely in the security area, less likely in the privacy area, but it does arise. There are certain other things you can do to maybe protect yourself in advance. Law enforcement may show up and ask for certain records that are on your systems. Well, if you've got terms of service in place that certain practices are just not going to be tolerated, there's a chance that that outfit they want records on and they're even going to be a client anymore. Look at your terms of service. Do you want certain types of clients even on your systems? This can be an ISP and ASP. Again, it comes up most often in an ISP situation, but I've seen it in other areas. Being selective on your clientele can help you avoid even dealing with law enforcement, can help you with your reputation in the community, which may help you dealing with colleagues and it may help you dealing with law enforcement. There are companies out there that have reputations as being havens for spammers. The peer approbation can be as in some ways unpleasant as the law enforcement guy is kind of every once in a while sending a piece of paper or showing up. This obviously depends on your customer base, your business, but it can be one weapon, one tool maybe is a better term in lessening your dealings with law enforcement and in making them more open, more civilized is the better word. Should you deal with them because your reputation is part of the equation when you get a visit from law enforcement agent or when somebody sitting in Washington at 600 Pennsylvania Avenue decides to send out an access letter or when somebody sitting at Pennsylvania Avenue looks at the case and thinks, is there something here? Well, if there's a reputation of catering to shady clients, the odds are of further action increase. That's just the fact of life. The other thing you might even want to consider if you have frequent dealings with enforcement is to adapt your business practices. There isn't a major ISP who had such a volume of warrants, subpoenas rather, had such a volume of subpoenas delivered by the local sheriff that they set up an office in a desk for the sheriff's department in a deputy, rotating, but a deputy sat in the offices of this ISP, 40 hours a week. It made things a lot more efficient for the sheriff's department, made a lot of things a lot more efficient for the ISP. Any cost of this desk and whatever else were more than offset by the familiarity, by how much smoother the process went from having everything close together, from having known bodies, known entities, like I said, familiarity. Think about setting up certain processes that might be advantage of use to law enforcement. The best known, I guess, is ISPs have abuse at emails. They're going to be there anyway, but if you have a complaint desk, consumer complaint desk, or other type of intake system for issues, keep the data, keep the information in such a way that it might be useful. Sorry about that. The day started kind of shaky. It will provide you a way to actually maybe get something more accomplished with the information that you've got. If it's something that could cross into a law enforcement situation, it's already packaged in a way that if you do get a piece of paper or a phone call or a visit, it's ready to go. You don't have to wander around and find where all these documents are, find how they're stored, find how they're put together and produced them. If nothing else, assign people to be dedicated law enforcement liaisons. If you have a dedicated person, it's somebody who is familiar with the ins and outs, it's somebody who's familiar with the people involved, it's somebody who can get things done more quickly, it's somebody that law enforcement can reach more quickly. Always nice, critical sometimes, when times are the essence, as it is in some law enforcement matters. All things that have minimal overhead to get accomplished, but the benefits in the long run can be very real in time and effort and money. The last one generally will impress the people you might have to convince to take these steps. No, that's fine. I'll keep the knuckle-dragger in the house. Yeah, I was going, I'm sorry, I should have done that first. The question was whether I could talk about varying capabilities of state versus local versus fed. Certainly the feds have been in the lead on any technology-related matters. The FTC, and I was part of this, was an online case in 1994, and that was way ahead of the curve. And I mentioned that just because the FTC is only about a thousand people and we did this before DOJ, we have divisions bigger than that, so we were rather proud of that. I think, no, I know the situation is still that the feds are ahead of state and local, but I think a broad generalization along that line is to get you to create problems. Most states that I'm aware of do have good, solid state police units working cyber. I've worked with people, Georgia, Florida, Michigan, California, Nevada, so certainly at the state level I would say no. They're strong. You're seeing more and more local police departments now that have good, solid cyber units. I'm from Ann Arbor, and the Ann Arbor Police Department is building that nicely. It's nice to have the university resources to call on, obviously. New York City Police Department has some outstanding people. So there's still the overall gradation, but the states have caught up, the locals are getting there. No question. I keep saying fed just because that's my background. The other thing to consider is be part of the process even. Something that I really enjoyed about internet work, both when I was at the agency and now that I'm out on my own, is the level of cooperation between the public and the private sector because it's what it should be all along in a dream world. You've got organizations such as the National Cyber Forensic Training Alliance in Pittsburgh on one extreme that's one building that has federal law enforcement, state law enforcement, local law enforcement, graduate students, private sector people all housed together working cyber issues. But even at a lesser level, you've got a lot of companies that are providing data to LE, companies that have, for example, honeypot email accounts that they don't hesitate to share. They will turn over evidence. Private people... I think it's an unfair term, but I'll use it because a lot of people do vigilantes. There's a lot of great information that the private sector can give to law enforcement to help the process. Law enforcement expertise is catching up. That's not even the right way to put it. Law enforcement expertise has always been there in some agencies. It's catching up in others. But where law enforcement lags is resources. The people that I used to work with knew how to do certain things. We just didn't have the equipment to get it done. We didn't have enough people to get it done. And if somebody would come in and say, here's all the information you need to get this botmaster, it was great. Now, I need to add one caveat to that. If the law enforcement agency you're dealing with isn't in a position to replicate what you've done, you need to be prepared to testify because whatever you provided, it has to be authenticated. I'm throwing that out because it is an issue for some people. And I can't say I criticize it. Particularly on the internet side, as organized crime gets more and more involved in certain things, it's a concern. But I'm raising it both to raise the issue and also so you understand that sometimes enforcement can't just take what you give and run with it because there is this authentication issue. And if it can't be duplicated, it can't be used. Duplicated or authenticated, it just can't be used. There's the other interesting little question in law enforcement is how to deal with information that maybe was questionably obtained. I raised this issue with a class that I'm teaching this morning online. If you go in and snoop around an e-commerce website and find a hole in the systems and give it to law enforcement, can law enforcement use it? I'm just throwing that out as a rhetorical question with no statement on whether I'm aware that law enforcement has or has not used it before. Obviously, I think they'd be hard pressed to ask you to testify, but it's amazing what happens when something goes to consent order. Because if something goes to consent order, nobody ever has to testify. You never have to put all your evidence on the record. So an interesting ethical issue that has an easy out if you can get the defendant or the respondent to settle early. That's most cases do. Most civil cases go to consent. They either die or go to consent. They don't go to trial. There are outfits like castle cops that's involved in spotting fishing and working directly with ISPs to do takedowns of these fishing sites. They can do it. Law enforcement can't without subpoenas, without court orders. So there's room for private sector law enforcement, quasi law enforcement involvement. You all can get things done that we can't we. I haven't gone that long. You all can get things done that we can't. I always hesitate to use the word takedown because it brings up images of DMCA. I didn't do DMCA work. I didn't want to do DMCA work, and I'm only talking websites and things like that. The other thing you can do is just be proactive. Perception is important. Get out there in the community. There are organizations such as InfraGuard. There are excellent avenues for law enforcement in the private sector just to talk. This isn't even helping with the case, but it's being in the same room, getting to know each other, building mutual respect. It will help you if you have a problem and need to reach law enforcement. You know the right people. This is particularly true, say, with a federal agency where you need to go to headquarters. You can reach a field office, figure out who to talk to, but it's not necessarily so easy to find the folks in DC. You've got the established relationship. You know who the names are. On the other hand, if you've got this nice established relationship and they know who you are, well, if there's an issue involving you, at the primary level, maybe there won't even be a follow-up, but even if there is a follow-up, it goes better. There's a certain bias. There's a certain perception that it will work to your advantage as the matter goes. I'm not saying it will be dropped if there's something there, but I'm saying it will go more smoothly. That's pretty much what I had to say. I remember running not as far ahead of time as I thought. I need to do more of these because I didn't realize how dependent you get on the silly slides. If there are any questions, I'll be glad to take questions here. Later on, it's Don at donblumenthal.com, or the website's there with phone numbers if you wanted to catch up. But be glad to take any questions. Like I said, we're running a little bit ahead. The lights are brutal. We kind of appreciate it.