I'm Jennifer Granick. I'm a criminal defense attorney and I practice out of San Francisco, California. I'm going to talk to you today a bit about the laws that are related to hacking, and I'm going to go through the Fourth and Fifth Amendment in a very brief and sketchy way, just to give people some idea of exactly what their rights are, because certainly we have laws that criminalize things we do, but we also have laws that protect the things we do. So we'll try to look at the law as something that is both a force for good and for evil. With me today is Grant Gottfried. He is a policy analyst, and I'm going to be turning over a portion of our time today to talk about the law to him. He's going to discuss the Electronic Communications Privacy Act, which is a law that protects your data privacy, basically email privacy. So I will take questions during my speech if anybody has them.

The first thing I want to do is I want to address some questions that were raised, and I apologize for my complete lack of visual materials. I am a Luddite when it comes to PowerPoint, and I forgot to tell our fine helping people who are helping with the AV stuff that I require an overhead projector, so you guys are going to have to imagine what I'm talking about as we go along, which should be pretty clear.

The first statute that you need to know about when you're talking about the federal hacking law is section 1030. We heard quite a bit about it this morning, so I'm not going to really get into it, but I do want to address a couple issues that were raised regarding 1030 this morning. The first thing is the question of what is unauthorized, what is authorization, and this is a very serious issue.
I practice in this area and have represented several people who are charged with this crime, so what I can tell you about authorization is this: in practice, the way that the courts are dealing with authorization is that if the victim says, "I didn't mean for him to be able to do that, he wasn't authorized to do it," that is basically enough. So we're not really talking about a heavy standard for authorization.

This raises the question that was discussed before, that a gentleman who was sitting somewhere in this area, this gentleman right here, raised, which was an excellent question. It was my question, but he asked it a lot better: about an anonymous FTP server that's set up in a certain way. It's set up in a way that the person who established it doesn't think that people have access, but in fact people do. I encounter this all the time, where permissions are set a certain way or the system is configured in such a way that with no tools, without breaking anything, people have access. And the question is, since the permissions were set up to allow access, did the person have permission to access the system? As technical people, you probably think the answer to that question ought to be yes, but in practice the law seems to be answering that question no. It depends upon what was in the mind of the victim, so that requires us to be something of mind readers at times, which is sort of unfortunate. And then, let's refer now to the very gentleman whose question that was. He's saying, does the law protect the stupidity of the person for setting up their server in such a way that people have access when they didn't mean them to? At least as far as the criminal law is, it seems like the answer to that is yes, and unfortunately that requires us as law-abiding citizens to be something of mind readers, where we're really trying to guess what it was that the victim meant for us to be able to do. Now, there are some situations where you have permission to do something, you're able to do something, but you
kind of know that the people don't want you to do it. I had a case like this, where somebody, an ISP, was running a buggy version of web server software that allowed you to type a certain URL and number of keystrokes into the go-to box on your Netscape Navigator, or Internet Explorer if you use that product, and it would reveal to you the encrypted password file, which then you could copy and run L0phtCrack against and get a whole list of passwords. It was, you know, easy to do. I could do it, really anybody could do it. But basically the way the court looks at it is you're supposed to know that you're not supposed to get these people's password file, so it is unauthorized in that sense.

I just want to run through a few other things about 1030. Port scanning is okay under the law so far. Somebody asked about whether a failed attack would not be illegal under 1030 because there's no damage caused, because you failed. Well, the law does not reward stupidity when it comes to the defendant. We have a word for failed attacks, and it's an attempt, and attempt crimes are illegal. So if you attempt to break into a server, and that is a violation of 1030, even though you fail you can still be prosecuted.

And then finally there was the question about juveniles, which I was very concerned with. I don't want anybody at this conference to come away from it with the idea that because they are under 18 they can break into people's boxes with impunity, okay? First of all, we have state laws that prohibit that, so do not do that, because you can be prosecuted under the state law. Second of all, I understand that the people from the FBI and from the Department of Justice have said that federal authorities cannot prosecute juveniles under 1030, but I do know, for example, and you all may have heard of the case involving the Cloverdale kids, and this, I think, is the Solar Sunrise case, the greatest attack on Department of Defense computers that we've seen to date: 14 year olds from
Cloverdale, California, and they were prosecuted and ended up getting convictions for that. So I'm not sure exactly what the answer is to that and why it is that federal authorities are saying they can't prosecute. Maybe they were prosecuted under federal law but through the state system, maybe they were prosecuted under state law, and I'm going to find that out. But please, please do not think that being under 18 is a pass, okay? Tell your people who aren't in the room now.

And finally, right, just a question about viruses. Writing a virus or other dangerous code, it's not illegal. Posting viruses or other dangerous code is not illegal, both because the law doesn't cover it and also because there are these cases, actual court rulings, that say that code is speech, and as speech it's protected under the First Amendment that we have here and enjoy the pleasure of in the United States. So posting it under normal circumstances would not be illegal. Now, there are circumstances I can imagine under which you would post code that would incur criminal or other legal liability for you. For example, if I posted a little link to it, or "download here," and I said, "Download this, it's going to give you this cool, neat program that's going to do something fun for you," and I'm encouraging people to download, and actually it's going to break their system, that's the circumstance where I have the intent to transmit it, I'm trying to get it transmitted to other people's computers. That wouldn't be okay. But if I put up a warning like, "Be careful, this is very dangerous, I'm posting it for research purposes, people should be aware of this," I mean, you put up, you know, disclaimers and you're responsible about it, then you should generally be pretty okay. And it's probably something of a fact-specific circumstance with regards to that. So those are the things I want to just say about 1030.

You, sir. I think it's one of those prayers because you're talking about whether, you know, only knowingly transmitting it or
intending to transmit it to cause the harm, and I think it's a question. I mean, a trojanized program being out there without any warning, I think you're really, really suspect. I'd be concerned. Basically, you know, a lot of the technology moves really quick and there's not a lot of case law on this. Unfortunately, not many of these cases go to trial, so we don't get a lot of court rulings or anything on it. So oftentimes we're sort of dealing here in kind of a legal gray area, and I think that that would be kind of suspect or dangerous behavior. I'll take one more question, please, before I move on.

The question is, how far will, you know, where the user who's Cusa is unwittingly gaining that unauthorized access. There's going to be a question of, you know, what the user knew, and there's also going to be a question of how they could have known, because another aspect of it is if it's so easy to get in that you don't even know that you're not supposed to be there. Like if there's a big welcome banner, but in the person's subjective mind they're like, "Well, everybody's welcome except for people from New Jersey," and you're from New Jersey and you just happen upon the site. You know, talking about, it's not purely subjective in the victim's mind. And your question was also related to how far will they go when the information is classified and the person doesn't even know the value of what they might find on the server. There, you know, obviously the government's very sensitive about classified information, but generally they'll just look at the overall case and see whether they think they have enough evidence to meet all the elements, and there is a knowledge element. You can't simply be, you know, typing in your sleep or having no idea what you're doing and still be convicted. Does that answer your question? Okay, let me move on, and then we can, what?

Well, I don't see how there's any, I mean, that's something that's open to the public, so I don't see how the access is unauthorized
there, so maybe I don't understand your question. But yeah, that's what I'm saying, is that if it's open to the, I mean, that's basically what I'm saying. There is subjective in the, the way that the courts have dealt with it is that if there's some, well, I think I answered it. Basically the way that the courts have dealt with it is if there's something that you kind of are supposed to know that you shouldn't be having, like the password file, even if it's otherwise very easy to access, the courts may say that that was unauthorized access, or you exceeded authorized access by getting this particular information. So the fact that permissions are set in a certain way or that something is open to the public is not necessarily the be-all and end-all of the question. But if you have something that's anonymous FTP, open to the public, regardless of what's in the person's subjective mind, that's something that's so obviously meant for public consumption, I don't think they would be able to meet the unauthorized access elements of the crime.

Let me move on to some other statutes that I want to cover, because I've got a lot to do here in a little time. Credit cards, PIN numbers, blue boxes: possession of these things is all potentially illegal under 18 USC section 1029, which prohibits the unlawful possession of access devices. A PIN code is an access device, as is a machine like a blue box. The hallmark of this crime is not just possession but possession with intent to defraud. Now, intent to defraud is not something that is necessarily as hard to prove as you might think, because the way that courts often look at this is, if you possess something and there's no real legitimate reason for having it, it's susceptible to only one use and that is an illegal or fraudulent use, they're going to argue that you possessed it with intent to defraud. And often we've seen the prosecutor use things like people's books or manuals or other things that they're interested in. You have
somebody who's got a blue box, and then they've also got, you know, a Cellular Phone Hacker's Bible or something like that, and that becomes, you know, very powerful evidence that the person is possessing with intent to defraud. It's not evidence of one's curiosity, it's evidence of one's criminality. So you need to be careful of things like that.

Another statute is misappropriation of trade secrets. This is 18 USC section 1831. What's misappropriation? Let's just sum it up as theft, although there's a couple of different things that fit under that term. But let's just talk a little bit about what trade secrets are. A trade secret is all forms of information that the owner has taken reasonable measures to keep secret and which derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public. There's your definition of trade secret. And for many people this is like, what else would you want to know except the trade secrets? But you've got to be very careful when dealing with this type of information, particularly in the employer-employee context. This comes up quite a bit, either when somebody reveals something unwittingly or moves from one employer to another employer and has had access to proprietary trade secret information. So that's just something to be careful about.

The criminal copyright law is at 18 USC section 2319. This prohibits unauthorized copying of copyrighted materials that are in value in excess of, I believe it's five hundred dollars is the limit nowadays, regardless of whether your copying is for profit or not. So that's regardless of whether you're selling it or giving it away. Basically, if I have a copy of Microsoft Word and I make one for my dad and one for my sister, I'm a criminal. So be careful with that one as well.

And interception of or access to electronic communications, which for an example is email, or wire communications, telephone calls, is criminalized under 18 USC
section 2702 and 2511. I just want to point out that this is really the law that criminalizes sniffers, okay, because a sniffer is capturing electronic communications as it comes across the wire. And I want to also point out that the federal sentencing guidelines, which tell you how much time you're going to do in the joint for having a sniffer, are very high. The base level, if you don't know much about the sentencing guidelines this won't mean much to you, but the base offense level is nine, so you're already, like, way up there in those federal sentencing guidelines. It's hard to get back to an area where you're going to be able to get probation for a situation like that. So sniffers: very bad, very bad.

I'll take the question over again. The question is, if it's illegal to read somebody else's email, how come the boss can do it? And I'll cover that. Yeah, I know Grant's going to cover that, but in short it's the business provider, business exception to the statute, but Grant will cover it in a little more detail.

And then finally I want to mention wire fraud, which is 18 USC section 1343. Okay, wire fraud is one of the broadest crimes we have, and basically it requires a scheme to defraud, and the defendant transmits a wire communication in furtherance of that scheme. Okay, so what does that bring to mind? What about social engineering? Can social engineering be wire fraud? I think that there's a good likelihood that social engineering can be prosecuted under the wire fraud statutes, and in fact that was a substantial part of the case against Kevin Mitnick. So if I have a scheme to defraud, which is to obtain something I can't get, like trade secrets from Nokia, Motorola, and I make a wire communication, which is a telephone call to people saying, "Hey, you know, can you set me up an account?" and that's supposed to help me get into the company so that then I can get the information out, we're looking at wire fraud. So wire fraud: very broad, and it can apply to a huge range of activities. You gotta
be really careful about something like that as well. I'll take this question.

Okay, he asked me about, he said, well, I said code is covered because that's a First Amendment thing, but what about reverse engineering? And this is a very good and complicated question. There is a statute that relates to reverse engineering, and it's the Digital Millennium Copyright Act, a relatively new and extremely complicated statute, and this is where the DVD suits are coming from. Basically what happened there is they had DCS, DCSS encryption for DVDs, which prevented you from playing them anywhere you wanted, even from a machine sold in one country to a machine sold in another country. People reverse engineered it and cracked it so that they could play their DVDs on, you know, any machine they had, whether they were in France or in the United States or in Norway. And there are provisions of the DMCA that prohibit this kind of circumvention of copyright specifically. So that's a problem with reverse engineering. There's also been movements in the World Intellectual Property Organization and in the United States Congress to have laws that in effect would criminalize reverse engineering, and the industry has been pretty responsive and vocal in trying to point out to legislators, who are not very knowledgeable about this kind of thing, how these laws could affect reverse engineering and creativity. So it's kind of a gray area. There's a lot of different laws that apply to it, but it's not as clear as the code circumstance is. But we're litigating things on that topic right now, and that's a pretty dynamic and exciting area of the law, but definitely an issue. I wouldn't stop reverse engineering anything right at this point in time, but be aware that there are legal issues associated with it. I'll take one more question.

The question is, why does this apply to people overseas? Why can't you just leave the oppressive United States and go do it somewhere else? And the answer
to that is because a lot of these laws are multilateral. We have the World Intellectual Property Organization Treaty, or the WIPO Treaty, which covers a lot of these things, and there's a number of countries that are signatories to this treaty which also follow this law. So there are international intellectual property laws, for example, that deal with this kind of thing. So it's not just a question of the United States borders. But there are other countries that do this. I mean, there are also countries that don't enforce intellectual property laws as a matter of course, and those may be more of a safe haven for this kind of thing. But as a general rule it's not just about the United States. There's other jurisdictions that prosecute you as well. One more question about the law, and then I'm moving on to the Fourth Amendment.

So if we can affect other countries, can other countries affect us? And the answer to that is yes. I mean, we sign these movies a couple different ways. First of all, we can sign multilateral treaties where a bunch of different countries agree that this is the law that we're going to follow. Also, we can through politics influence the laws that other countries pass so that their laws more clearly, more accurately reflect ours. We have some influence over things like the Council of Europe, which has an effort to make a general cyber crime statute, cyber crime laws that will cover Europe as a whole. And we may also have individual treaties with individual other countries which say that they will extradite people back to the United States for certain types of crimes. So the long arm of the United States law can reach beyond our jurisdictional borders under certain circumstances, and vice versa, often, because these treaties go both ways.

So let's move on to one of my favorite topics, and hopefully one of yours: the Fourth Amendment. The Fourth Amendment is the right to be free
from unreasonable searches and seizures. The hallmark here is "unreasonable," so it's not the right to be free from every search and seizure, but only those that go beyond the pale of reasonableness. The first question that you ask yourself when you're saying, is this search illegal? And by search, what do I mean? I mean the cops knocking on your door and coming inside, I mean them stopping your car, I mean them frisking you or looking in your purse, which actually happened to me last night, because I left my bag at the craps table. When I came back it was gone. They told me it was at security, and by the time I got to security they had everything that was in it, like, laid out on the table and they were inventorying it, which is like a nightmare for me, and that's why I dream about that. Unfortunately, I got there just in time and they gave the thing back to me.

But so the question is a reasonable expectation of privacy. That is, if there is no reasonable expectation of privacy, the Fourth Amendment does not apply. You have it in your house, you have it to some extent in your car and your personal effects, in your handbag and your wallet, but you don't have it in everything. And here's an example of something that you don't have a reasonable expectation of privacy in: your trash. So all that dumpster diving that you're doing is great and fun, because you don't own, nobody owns that anymore. Once you throw it out you've given up your ownership interest in it and it's fair game for anybody. In fact, Microsoft's trash is fair game for Oracle to dig through, so you can dig through Microsoft's trash too, and you should be on at least as sound a legal footing as Oracle is. Of course, the flip side of that is that law enforcement can dig through your garbage, so if you've got anything bad in there you might want to invest in a shredder. But basically that's the first question: reasonable expectation of privacy. If there is a reasonable expectation of privacy, the next question is, is there a probable cause
and probable cause means, is it more likely than not that this is going to be evidence of a crime or evidence that you committed a crime? So it's very, is it probable that, you know, there's going to be evidence of a crime. So it's just basically what it means, and the question is the basic one. It's not an extremely high standard for law enforcement to meet. So if there is probable cause, you move on to the next question, which is, is there a warrant? Because for searches to be legal under the Fourth Amendment there has to be a warrant based on probable cause. Now let's say there's no warrant, then the question, if there is a warrant, then generally the search is legal, unless there was something wrong with the probable cause or something wrong with the way that the warrant was issued. But let's assume that there's no warrant, because the vast majority of searches that occur here in the United States occur without a warrant. And the question is, is there an exception to the warrant requirement? There's a couple of characteristic exceptions to the warrant requirement that we see all the time, and I'm just going to mention a few of them.

The first one is the vehicle search. Okay, this started out as a not so broad exception that has grown into a huge exception. The basic thing you should think of is that when you walk down the street you enjoy the pleasures of the Fourth Amendment, but the interior of your car is a Fourth Amendment free zone, okay? You don't have it there, it doesn't exist there. Once you get in your car you're basically fair game. There's a couple of reasons for that, but the case law on this from the Supreme Court has gone so far that a passenger in a car is no, if there's probable cause to believe that the driver of the car has committed a crime, then the police may search the personal effects of the passenger of the car even without any reason to believe that the passenger may be involved in any kind of illegal activity. So the interior of a car is not your safest place to be if
you're hoping for the protections of the United States Constitution.

The second major example, or exception, to the warrant requirement is consent. So if you let the police into your house and you've consented to it, it's not unreasonable. Now, why do people consent to be searched, consent to be patted down, consent to let police officers into their house? Well, the primary reason is because this is what police officers are trained to do. They're trained to get information where otherwise they wouldn't be able to get it, and believe me, they're very, very good at it. They play upon people's need, either fear of police or fear of authority or desire to appeal to, to appease authority, in getting people to consent. Oftentimes I've seen where even when the person stands firm and doesn't consent to allow the police to search, they'll just search anyway and then say that the guy said it was okay. But where the law operates as it should, if there's no consent and there's no other exceptions and there's no warrant, then there's no search.

And finally, the other really broad category is the category of exigent circumstances, which is anything that creates such a sense of emergency that the search is authorized. This can be anything from a public safety exception, where if they don't do the search somebody might be injured, to the situation where they knock on the door of a crack house and they hear the toilet flushing and they think that there's destruction of evidence as they flush the narcotics down the toilet. That also has been held to be an exigent circumstance, which would allow the police to then bust down the door and go into the house. And if there's not an exception, then it is an illegal search. Okay, so that's basically a very sketchy version of the Fourth Amendment.
I'm going to take two questions and I'm going to skip the Fifth Amendment, because I want to make sure that Grant has time, and then we'll definitely have a good period for questions at the end.

So the gentleman in the blue shirt, he's asking me whether compiled binary is also protected speech, the same as source code. I would say that you'd have to take a look at the exact language of the case, which is the Bernstein case, but I think that basically the case has a rather broad holding, which says that because it's expressive, because code is expressive, it is protected speech, and I think that both those examples are expressive. It doesn't necessarily matter exactly what form it comes in as long as it has the expressive element. Do you need to follow up on that?

Well, I think the opinion compares the code to the wheel on a player piano, which to the, you know, naked eye doesn't seem to mean or do anything. We don't really know what that is or what the music is, but it nonetheless is something that creates the expression in the player piano. So like I said, I think that it also would fit in under that, because I think the analogy that the court's making between other expressive things and code fits for that as well.

You with the reddish hair, is that okay that I said that? Okay. He's asking me about, I said that the car, he asked me about the car and what I said about it being a Fourth Amendment free zone. They asked me about other things, like a motorcycle or a bike and the trunk of a car. And the trunk of the car also, you know, sort of fits in. The exceptions developed, and initially there were different rules for the trunk of the car, for the passenger compartment and all of that, but generally, I think, and then containers in the trunk or containers in the glove compartment and all of that, but I think the easy answer to that is that once it's in the
car, you're really looking at it being something that's searchable. I can walk down the street with a box and it has Fourth Amendment protection, but when I put it in the trunk of the car it's gone. Now, the sad thing about this isn't motorcycles or bicycles. The sad thing about this is mobile homes, okay, in which people live, and just by the very nature of the fact that it is mobile, courts have held that the vehicle exception to the warrant requirement applies to that, even though it's somebody's house. So if you can drive it away, they can search it. I know the law is not often definable by these very bright-line rules, but that's pretty much basically true. So because of my time constraints I'm going to turn it over to Grant right now, and we'll probably be able to have about 10 or 15 minutes after for questions. Bicycles and motorcycles: you can move it, you can search it.

Thanks, Jen, for a job well done as always, and we will be taking more questions at the end. What is ECPA? It's the Electronic Communications Privacy Act. Before I go into too much detail, I have a question for all of you, and that is, how many of you have set up, run a POP3, IMAP, BBS that you can send emails on, or any type of email server? That's a good percentage of the room. You're going to find out very quickly why you care about ECPA, and one of that is the key terms. The key term in ECPA is "electronic communication service," and it's very well defined in 2510: any service which provides the users thereof the ability to send or receive wire or electronic communication. The other one is "remote computing service," which we don't really have enough time to cover. That means that every one of you who raised your hand, you are regulated by ECPA whether you realize it or not. Another key term is "electronic storage," and you might think that it means any data stored electronically, because that would make sense. Well, you'd be wrong. It has a very specific definition, and it is very key to understanding
ECPA, and it is any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof, or basically that backed up.

So how is email protected? Well, it's a misdemeanor, as was covered, to access a facility without or in excess of authority and thereby obtain, alter, or prevent authorized access to a wire or electronic communication in electronic storage. It's interesting to note here that it is both of those: you have to access it without or in excess of authority. Now, there's some exceptions, and this covers one of the questions that the gentleman over there had, which was that the criminal provision does not apply to the provider. Your provider can read your email all it wants. But there's more specifics about that that we need to get into in a minute, but I'm going to cover the government first. Obviously the user has an exception if the message was intended for that user, and the government, if it follows the proper procedures with the provider.

So the provider can read all of your email, but can the provider give that email to the government? The answer is, it's distinctive between a provider to the public and a provider to the private. Now, a public provider is AT&T, Hotmail, Yahoo, and anybody that you can buy an account from, essentially, or any free email provider. Those are providers to the public. They cannot disclose content except to those shown the addresses, otherwise authorized by certain state statutes, lawful consent, or necessary incident to the rendition of service or to prevent the rights or property of the provider. That means that if it finds an email that it feels that it could be liable for, it can disclose that under the statute. It can also disclose to a foreigner or to law enforcement if the contents are inadvertently obtained and appear to pertain to the commission of a crime.

So what does this mean? Well, I sent you an email. The email gets to the server, but you're not at home, you're out partying, so
you don't read the email that night, where your ISP backs that server up and puts that over here. Right now it is in electronic storage, referencing the key term. Next morning, next afternoon, you wake up and read the email. You decide, "I'm going to leave this email on the server." Now it is not in electronic storage. Why? Because you had an opportunity to protect that email by deleting it, downloading it, whatever, but you decided that it wasn't important enough, so you left it on the server. So therefore it is no longer in electronic storage. The backup from the night before, that's still in electronic storage, but the email that you left there is not.

Private providers, schools, your employer, any system that does not give accounts to the public, have no prohibitions on disclosure. Your workplace can turn over your email to law enforcement any time it pleases, unless it has other civil, contractual with you.

No, because it's still limited to those enrolled within the school. I had that exact same question and I looked into that, wondering, and the answer is that they are private providers. There was a case, actually, Anderson versus somebody or another, that questioned what a private provider is. Microsoft.com's internal email, even though it accesses the internet, counts as a private provider. So whether or not it accesses the internet has nothing to do with it. All it is is who gets access, legal access, to that email, who are accounts handed out to.

Yes? Doesn't matter. If it requires tuition, then, you know, if it's something that not anyone can just get, it's a private provider. There's no prohibitions on disclosures. I cannot stress that enough. What would it have to turn it over? Unless, it depends, and there's no prohibitions on disclosure.

Oh, I'm sorry, the question was that the employer would be advised to make a policy that says that it's private. That depends on the employer and what they feel. I know there was some, and Jennifer might
remember this as well, there are some instances in which the provider might be liable for email that one of its employees sends, and so that's one of the reasons why they have complete access to disclosures, to view your email or whatever. It's, it's up to the provider there, really.

The government: there's three levels of access. There's basic subscriber information, other subscriber information, and content, and all three of these require different levels to obtain. First is basic subscriber information. The government can obtain, without notice, you'll never know, with a subpoena, your name, address, local and long distance telephone toll billing records, telephone number, other subscriber information or identity such as ISDN numbers, or in the length of service and types of services utilized. All with a subpoena; you'll never know about it.

Other subscriber information: this might be they want to know who johndoe at aol.com is sending email to, because they know he's sending kiddie porn and they want to know who it's being sent to. That, they have to get a court order for this. And this came out of, this was actually a step up from what it used to be. It used to only be a subpoena, but this was, this was put in as a result of CALEA, which is a separate law, and it was a compromise which actually put this up to a court order. And there's a special, it's actually a little bit different from most court orders, that it has to be relevant and material to an ongoing criminal investigation.

And lastly there's content, and a governmental entity can only require the disclosure of content of an electronic communication in electronic storage 180 days or less only pursuant to a warrant. There's never been, as far as I'm aware, any time that the 100 that they've searched, they've wanted email older than 180 days, but the law specifically does make a distinction between email less than 180 days or older than 180 days. If it's more than 180 days in storage then they have a few more options: they can do it without notice to
the subscriber with a warrant, with notice to the subscriber with a variety of subpoenas, or they can get a court order under the previous statute and delay notice using 2705. Once again, this has never come up as far as I'm aware, and this is an, yes Steven, are they not? No, they're not, and, but there is a, what I'm about to talk about right here, in the preservation of evidence.

He asked, are public providers, do they have to maintain mail for 180 days, and the answer is no. But there is a law under 2703(f), and this is, remember, all of you who raised your hands are regulated by ECPA, this applies to you: a provider, upon request of governmental entity, which all it has to be is a letter, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process. That means if the government sends a letter to AT&T saying, "We're going to go get a subpoena, we want you to hold on to those records," they then do have to hold on to them for 90 days, and then at the end of that 90 days they, the government, can request an additional 90 days with a separate form.

Yes? He asked, Noyes was up here earlier with the remailer and said that she doesn't keep any records. The answer is, if there's no records to keep then they can't preserve them.

Can I, let me just add a little bit to that if I can. The thing with that is they can ask you to preserve records that already exist. They cannot ask you to intercept records that are forthcoming, because that would be an intercept under the, under Title, it would be a ECPA, it comes under this statute, but it's like a Title III intercept, where you need to have a different standard to collect prospectively content, because really what that is is that's an intercept, and to intercept electronic communications you need a wiretap warrant, which is a warrant plus minimization and all these other things. So no, they cannot force her to create the records. You can only ask somebody to preserve records that have already
been accumulated. Right, it is, you don't have the ability to do it, you haven't done it, so they can't force you to do it prospectively. If you hold the records for five days, then if they send you a request within those five days, you're legally bound to hold those records that are already created for 90 days while the government goes and resists.

Yes? It's important alter by alter the system that I'm using in my own expense at your full shift. That's the law. That's the law. I don't make the law, I don't.

Yes? She was asking, is there a provision regarding credit cards: if you accept e-commerce information, do you have to keep those records? I believe it's not under ECPA, but it's under, I believe that it's there, that I do not remember the statute number. Are fed, he's saying that you can charge the government for your costs for having to store email. But let's move on because grants that a lot. I'm, I'm almost done.

Yes? What is this is, they're not turning anything over at this, he asked what kind of authenticity is required. They're not turning anything over at this point. They're just, have to preserve it. As long as it's from a legal governmental entity, they have to preserve it for that number of days. Nothing is being turned over to law enforcement at this point. They just have to preserve it with their, within their own servers.

As you said, there's one last slide and then we'll be done, is what, what happened about ECPA violations. Constitutional violations are subject to the usual sanctions, but civil remedies are only available for non-constitutional violations under 2707. That means you can sue the government. That's it. There's no criminal violations other than already specified under 2701.

Now both Jen and I will take, I just want to, before we go for the question, I just want to say one thing: ECPA stands for Electronic Communications Privacy Act. Provision Act? Privacy. You sure?
Electronic Communications Privacy Act. Okay, let's take questions. You'll be next, but you, sir.

Let's say, he asked me, will you be forced to provide the key to your encrypted data, and unfortunately the data, let's say I sent a PGP, you would probably know, okay, and some reason your brother wants to take a look at it, and basically you might apply or apply or you would email, is it critical? Are they going to, are they going to require to, how can they get, if you have encrypted stuff and you've got the key, can they force you to turn it over? And this is something unfortunately I wasn't able to really touch on, that the Fifth Amendment would apply in some ways to this. So if the key, if the passphrase, was solely in your mind, then I think the case law is pretty clear that the government can't force you to tell them what the key is, because it's in your mind, and that is forcing you to produce something that may be incriminating or not, and that is, that is, it goes contrary to the Fifth Amendment. The cases are a little bit difficult, more difficult, if it's written down, for example if your passphrase is written down. Well, in PGP you're not, it's not the passphrase, um, let's take, let's take this gentleman who I said could be next.

Uh, he asked, is there a web resource regarding more information about ECPA. There's the, basically where I would go is the usdoj.gov. They, they have some information there. It's not extreme. Depending on what you're looking for, you might just want to look at the statute, but if you're looking for case law and stuff, I don't know of any other websites other than the government's. That, it's the Computer Crime and Intellectual Property Section of the, the Department of Justice has a website that has a lot of stuff about that on it, um, cybercrime.gov.

Can we have the gentleman in the hat? Yes, you. So he's a lot, what he wants to ask me about is a little come through on the law enforcement. So they say that, you know, you can't come into somebody else's box if they don't mean for you to be there,
what about if I don't mean for law enforcement to be allowed into my box, can I sort of reverse the 1030 on them? And that's going to depend upon a lot of, that's a very good but complicated question, going to depend on a lot of things in terms of, uh, how they gained access, what kind of information they were accessing, and, um, whether they had any court authority or anything like that. But law enforcement's not allowed to break the law any more than you are, and if the access is truly unauthorized then, uh, no, they wouldn't be allowed to do that. But do keep in mind that sometimes the, what's good for the goose is not good for the gander, and law enforcement may receive a benefit of the doubt where you would not as a, as a citizen. So my answer is yes, maybe.

Okay, I'm going to take two more questions. I'll take this eager gentleman right here. He asked me whether the law allows the defendant to hire a forensic expert to testify for them about how the evidence was collected or anything like that, and the answer to that is yes. In fact, um, that's a constitutionally protected right under the Sixth Amendment. Part of having the right to counsel is the right to have somebody who helps your counsel with understanding the technical things, and this goes to the question that was asked by the lady over here earlier. Often, you know, attorneys can't know everything, so oftentimes we do rely upon our experts to help us with the difficult technological issues. It's hard for us to be, uh, knowledgeable in all the areas that all the times.

So, uh, one last question. I'll use sir, but then, yes, you. Grant, do you want to answer that or do you want me to? I'm sorry, can you repeat the question? He asked whether or not, if there is a corporate use policy or some agreement with the users that the network's going to be sniffed, does that make it okay for them to do it. Right, if the others are trying to do the right next year, yeah, there's this, you're going to just some civil law, there, are you asking it float, let me just answer
it since we're, the answer is yes, you can. Yes. The reason is because it's actually not a 1030 violation, it really is an ECPA violation, and the ECPA has a very broad exception for the service provider, provider. It also has an exception for consent. So there you've got both: you've got the service provider exception and you've got consent. So you want to sniff your own network, you go right ahead. Same thing in corporate realm? Same thing. Yeah, they can. Inside of a corporate, if they tell you you have no expectation of privacy, you have no expectation of privacy. And they tell you you can't, then you're, then you're going to get fired. Yeah, you get fired, but you're not going to get permanently prosecuted. It's your terms of employment. You'd be fired.

I'm going to accept illegally one more question from this gentleman here, just for the how of it. So the question is, can the government go through Hotmail's backups and access email that I've deleted from my personal inbox? With the proper authority, yes. It's a 2703(d) court order. I'm going 2730d. It's over, within 180 days, it'd be, if Hotmail keeps all that, which I seriously doubt they do. Okay, so Hotmail, it's not all that safe.

I want to thank everybody for coming. I know that there's a lot more questions