Adrian Williams, NSA-IAM
The technological changes introduced by the dependence on digital information have
prompted the US government and Congress to respond by invoking various laws and
Federal Acts to accommodate law enforcement and other security
professionals. The most important
federal statutes affecting computer forensics and computer incident response are
the Electronic Communications Privacy Act (ECPA), the Wiretap Statute, the
Pen/Trap Statute and the USA PATRIOT Act.
The Electronic Communications Privacy Act (ECPA) 1986
The ECPA pertains to controlling legal authority with
regard to stored computer files that have been transmitted to a network
administrator. It is important to
emphasize that this Act affects stored computer information, as opposed to the
real-time interception of communications. Stored information includes all Internet communications, such as email
stored on an Internet Service Provider’s (ISP) servers.
The Wiretap Statute 1986
While ECPA regulates government access to stored computer
information, the Wiretap statute deals with real-time interception of
electronic communications by government agents and law enforcement. A person who was accessing a target computer
as messages were being sent would be subject to the Wiretap statute.
The Pen/Trap Statute, amended 2001
The Pen/Trap statute provides for a less intrusive form of
government surveillance than the Wiretap statute. This statute authorizes the installation of
pen registers and trap-and-trace devices. A pen register records only dialing, routing and addressing information
regarding outgoing electronic communications. Electronic communications include telephone, computer, telegraph and
telex communications. A trap-and-trace
device records the same information regarding incoming electronic communications. The significant fact regarding both is that the content of communications
is not recorded. Only information such
as telephone numbers of incoming and outgoing calls is recorded. Because these devices record less sensitive
private information, the legal burden upon the government is significantly less
than with a wiretap. A court order for a
pen/trap device requires only a statement by the investigator that it is
his/her belief that the information likely to be obtained is “relevant” to a
criminal investigation. A recitation of
probable cause is not necessary, nor is it necessary to attest to the many
other requirements necessary to obtain a wiretap order or a search warrant.
The USA PATRIOT Act 2001
On October 26, 2001, President Bush signed the Uniting and
Strengthening America by Providing Appropriate Tools Required to Intercept and
Obstruct Terrorism Act (USA PATRIOT Act). This Act was overwhelmingly passed by Congress shortly after the events
of September 11, 2001. It expands the
government’s investigative power. This Act has become very controversial,
drawing criticism from both Conservatives and Liberals who question whether the
Act goes too far.
The most controversial provision of the Patriot Act is the
so-called “sneak and peek” authority conveyed in Section 213 of the Act. A sneak and peek search warrant (also called
a covert entry search warrant or a surreptitious entry search warrant) is a
search warrant authorizing the law enforcement officers executing it to effect
physical entry into private premises without the owner’s or the occupant’s
permission or knowledge and to clandestinely search the premises; usually, such
entry requires a stealthy breaking and entering. [1]
The Act also makes it easier for law enforcement to install
an electronic surveillance device. Formerly, a wiretap order or pen register order had to be obtained in
the jurisdiction in which the device was to be installed. Internet communications typically involve
Internet service providers located in many jurisdictions. Sections 216 and 220 allow devices to be
installed anywhere in the U.S.A.
About the Author:
Adrian Williams is a Senior Security Consultant based in Maryland and
holds an NSA-IAM certification. His current security research interests
are wireless security, computer forensics and security
assessments/audits.
[1] http://www.law.uga.edu/academics/profiles/dwilkes_more/37patriot.html