Digital Archaeology (2014)

4. Legislated Privacy Concerns

In Chapter 2, “Laws Affecting Forensic Investigations,” emphasis was placed on the difference between constitutional rights and legislated privileges. It is a common misconception that a person’s right to privacy is guaranteed under the Constitution. That is, in fact, not the case. Nowhere in the Constitution is there any mention of privacy. Attempts have been made to generously interpret the Fourth Amendment to infer such rights. However, the language in that amendment is very specific. It guards American citizens against unreasonable search and seizure—not invasions of privacy.

Considering the omission of privacy rights to be an oversight by our founding fathers, Congress has passed a litany of legislation guaranteeing that certain activities and information will remain private under the law. Those same laws, in most cases, dictate what exceptions exist and what methods can be used to acquire private information and remain in compliance with the law. This chapter covers a small collection of the laws that most typically impact a digital forensic examination.

Chapter 2 touched briefly on this subject, and in that chapter a short list of legislation was presented. This is the list that will be covered in this chapter. To recap, those laws include

• The Fair Credit Reporting Act of 1970

• The Privacy Act of 1974

• The Equal Credit Opportunity Act of 1974

• The Electronic Communications Privacy Act of 1986

• Health Insurance Portability and Accountability Act of 1996

• The Gramm-Leach-Bliley Act of 1999

• The Fair Debt Collection Practices Act of 2006

• The Family Educational Rights and Privacy Act of 2008

It should be noted that the laws are listed in the chronological order in which they were passed. In this chapter, they will be discussed by the category of protection that they provide. These categories include

• General privacy

• Financial legislation

• Health care and education legislation

Also, note that since these are pieces of legislation and not constitutional law, any one of them is subject to change at the whim of the current administration in control of our political system.

General Privacy

There have not been the large numbers of laws passed in this regard simply because the general public has accepted that the laws passed seem to cover the bases sufficiently. As one would expect, the arguments surrounding how they are enforced continue with each year, which is why we have lawyers and courts. Two laws that will be covered in this chapter are

• The Privacy Act of 1974

• The Electronic Communications Privacy Act of 1986

The Privacy Act of 1974

5 U.S.C. § 552a, otherwise known as The Privacy Act, was passed in 1974 in response to concerns about how information collected and stored in computerized databases could impact the private lives of average citizens. The law followed a report by the Department of Health, Education, and Welfare (HEW) entitled Records, Computers, and the Rights of Citizens. HEW recommended that Congress pass legislation that codified what information could be retained, how it could be used, and who had the right to see it. The report listed the following requirements for such legislation (HEW 1973):

• No recordkeeping system should exist whose very existence is kept secret from the public.

• Individuals must have some mechanism for learning what information is retained in a database and how that information is used.

• Individuals must be able to prevent information that was obtained for a specific purpose from being used or made available for other purposes without permission.

• If information retained in a database is incorrect, there must some mechanism by which an individual can have corrections made.

• Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precaution to prevent misuse of the data.

In 1974, the Privacy Act was passed, addressing each of these concerns. Some restrictions to the bill do apply. For one, the legislation applies only to U.S. citizens and permanent residents of the United States. Therefore, an exchange student or a person living in the country on a temporary work visa cannot sue for damages under this statute. Also, the law was written to apply only to federal agencies. This restriction is what led to the passage of several seemingly similar laws in later years that applied to specific industries.

As passed, the law allows individuals to request access to their records. It provides guidance for how an individual can submit a request for corrections to be made—but it also allows the agency receiving the request to deny it. The law places limitations on the government’s right to disclose information—but it also provides a dozen different exceptions that allow the government to do what it pleases with confidential information. Audit trails must be maintained that identify when and to whom any given record was shared.

Law enforcement is granted numerous exceptions in virtually every aspect of the law. Any law enforcement official or agency is exempt from the law if the records contain

• Information about offenders, either alleged or convicted

• Information compiled for the purposes of criminal investigation

• Any information collected about an individual throughout the course of enforcing law, from arrest to release

If a citizen can demonstrate that any rights accorded by this law have been violated, that person can file civil action against the agency and the official committing the alleged violation. The court will privately examine the records in question and make a determination as to whether the defendant properly invoked a legitimate exception to the law. If the court finds the violation to be willful and intentional, it can grant a settlement of actual damages plus legal expenses. Additionally, if the court finds the violation to be willful and intentional, it can find the official guilty of a misdemeanor and fine the individual up to $5000.

The Electronic Communications Privacy Act of 1986

The Electronic Communications Privacy Act (ECPA) was actually an offshoot of another law passed many years earlier. ECPA was passed as an amendment to the Omnibus Control and Safe Streets Act of 1968—more frequently referred to as the Wiretap Act. Wiretap had been passed in order to limit government access to private communications over electronic media. This particular bill prohibited government agents from employing any means to intercept a transmission of any sort over wire or airwaves without using due process—which generally requires a warrant (seeChapter 3, “Search Warrants and Subpoenas”) unless the action falls under one of the exemptions defined under the act.

A key modification included in ECPA was the Stored Communications Act (SCA). SCA was a subset of ECPA that separately defined electronic communications services (ECS) and remote computing services (RCS). The roles of each of these services received different levels of protection under the law. DOJ has defined ECS as a service available to the general public that temporarily stores data that was sent by a subscriber to or from a third party. RCS is a service that processes customer files and/or stores them on behalf of the customer for that customer’s use. A significant difference between the two services is the presence of the third party. Information stored for the customer by a service provider falls under one of three categories:

• Basic subscriber information includes the name and address of the customer, what types of services the customer receives from the provider, length of service, certain identifiers (including telephone numbers, account numbers, subscriber numbers, etc.), assigned IP addresses, and payment information (which can include any credit card numbers left on file by the customer). Telephone connection records, along with session times and durations fall under this category.

• Records or other information regarding the customer fall into a second category. This would include any information collected about a customer by the provider that does not fall under the basic subscriber information, and does not include any content of stored files or communications. This category includes “transactional” records, such as account logs, history logs, cell site history, and so forth.

• Content is the most protected of the information types defined under SCA. This includes any stored files, messages, or other data generated by the customer, and not by some automated process. Stored voice mails, other audio recordings, video, and other images all fall under the definition of content. It would also include certain automatically generated information, such as message headers and metadata.

According to 18 U.S.C. 2703 c (1)(C), a service provider can voluntarily provide certain types of information requested by an investigator. In all but the most extreme circumstances, information should be obtained through a warrant, a court order, or a subpoena. This eliminates any possibility that opposing counsel could suggest that the provider was “compelled to consent.”

Under SCA, an investigator can ask a judge to issue a preservation order. This is a legal decree to the provider to take any and all steps necessary to assure the preservation of records, log files, or other evidence defined in the order until a warrant or subpoena can be legally issued. A preservation order can be issued in writing, by fax, or by e-mail. They are good for up to 90 days, with an option for the investigator or agency to request an additional 90-day renewal.

Financial Legislation

This category of legislation covers what information can and cannot be shared by banks, mortgage companies, and other companies that collect information in order to make decisions about money, to collect information about money, or to collect debts. Financial institutions are notoriously strict about protecting customer data as a result of these laws. When conducting any sort of investigation that requires accessing financial records, it will be essential to collect the necessary legal documentation before proceeding. Additionally, these laws are frequently cited during electronic discovery in the course of a civil proceeding:

• The Fair Credit Reporting Act Of 1970

• Right to Financial Privacy Act

• The Gramm-Leach-Bliley Act Of 1999

• Fair Debt Collection Practices Act of 2006

There is a lot of overlap to these laws. Still, each one covers a different aspect of legislation. Passing familiarity with each of them is a good idea.

The Fair Credit Reporting Act of 1970

The Fair Credit Reporting Act (FCRA) is an act of legislation that lays down some guidelines that consumer reporting agencies (CRA) must follow in reporting on the activities and history of individual consumers. CRAs are the agencies that collect consumers’ payment histories into a large database and then provide that information, at a charge, to other companies that subscribe to their services. The three primary CRAs are Equifax, Experian, and TransUnion. However, under the law, any organization that collects information about consumer activity, credit, and payment history falls under the definition.

FCRA states that a consumer has the right to know what information is contained within his or her file. Every consumer is allowed to request a credit report at no charge one time every year. CRAs can (and will) charge for any additional reports requested. There are some circumstances that require the CRA to provide a report at no charge regardless of how many times a consumer has received a report in the previous year:

• Adverse action is taken against a consumer because of information contained in a report.

• A consumer is the victim of identity theft.

• The file contains inaccurate information as a result of fraud.

• The requesting consumer is on public assistance.

• The requesting consumer is unemployed but anticipates applying for employment within the next 60 days.

Information contained within the reports can be provided only to certain entities under specific circumstances. These are identified in § 604. Permissible Purposes of Consumer Reports of the act. Clearly, the consumer described in the report can authorize its release at any time. Law enforcement can obtain a report only through consent of the consumer or by way of a court-issued subpoena.

The Right to Financial Privacy Act of 1978

The Right to Financial Privacy Act was passed in 1978 to limit the circumstances under which a government agency can obtain records about an individual from a financial institution. The law states that no government official or agency can obtain financial records of a person or organization without due process. The entity requesting the records must obtain an administrative subpoena or a court-issued summons before it can access records. In order to obtain such a court order or summons, the entity must demonstrate that there is a legitimate reason to believe that the records are relevant to an ongoing investigation and that a copy of the summons or subpoena was either delivered to or mailed to the last known address of the owner of the records requested.

One paragraph in the law gives the financial institution a substantial amount of leeway in notifying the government of suspected crimes being committed by an account-holder. Section 1103, Paragraph C, says, “Nothing in this title shall preclude any financial institution, or any officer, employee, or agent of a financial institution, from notifying a Government authority that such institution, or officer, employee, or agent has information which may be relevant to a possible violation of any statute or regulation.” It goes on, later in the paragraph, to say that no state law, constitutional requirement, or regulation can prevent an institution or officer of an institution from reporting criminal behavior. All the institution can report is the identifying information of the account-holder, be it a corporation or individual, along with a description of the suspected criminal behavior. From there, the government must use that information to pursue a subpoena to collect any other information it needs in order to pursue an investigation.

In 2001, the law was amended in order for law enforcement and intelligence agencies to obtain information without the consumer’s knowledge as long as all other legal requirements were met. If it can be demonstrated that there is a danger to national security, of physical injury to another person, serious property damage, or flight to avoid prosecution, the government may serve a warrant on the institution with an order of delayed notification to the entity under investigation. This means that the government can get a subpoena, do a thorough search of the customer’s records, and then notify the customer of its intent. This prevents a suspect from destroying evidence, manipulating records, or otherwise throwing a wrench into the investigation.

The Graham-Leach-Bliley Act of 1999

The Graham-Leach-Bliley Act of 1999 has more of an impact on financial institutions than it does on civil or criminal investigations. Its impact on the forensic examination is almost exclusively related to electronic discovery. Therefore, the investigator dealing with financial institutions needs to be aware of what the act encompasses, should an investigation include such an organization. Its basic purpose was to formalize the Financial Privacy Act, defining what government agencies had the right to enforce the regulations, and granting certain states’ agencies regulatory rights. It also introduced the Safeguards Act, which requires that financial institutions have a documented security infrastructure in place to protect a customer’s private and financial information.

The key provision of Graham-Leach-Bliley affecting a legal investigation is the pretexting provision. This provision prohibits anyone or any organization from obtaining information from a financial organization by providing false information about why the information is needed. Not that any investigator would ever do such a thing. Another issue discussed by the act is that of document retention and availability of documents in e-discovery motions.

The Fair Debt Collection Practices Act of 2006

The Fair Debt Collection Practices Act (FDPA) is another law that has but minimal impact on investigators but may have a peripheral impact. This law was passed in 2006 in response to predatory actions used by debt collection agencies and their employees in their efforts to recovered monies owed. It specified a set of ethical guidelines for debt collectors to follow, which will not be covered here. Additionally, the act specifies how and when information can be shared by financial organizations with such agencies, or between agencies.

Law enforcement may become involved when investigating identity theft, fraudulent check-passing, or forgery. It allows information to be shared with law enforcement without a warrant, with the authorization of the person whose name is on the check or whose identity is being used.People operating under a misappropriated identity are not protected by the law in any way.

Privacy in Health Care and Education

While there are numerous laws passed in the arena of health care and legislation, the two that are of concern here are the Health Insurance Portability and Accountability Act of 1996 and the Family Educational Rights and Privacy Act of 2008. It is likely that civil investigations will be impacted more by these acts than will criminal investigations, but familiarity is required under either circumstance.

The Health Insurance Portability and Accountability Act of 1996

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 applies to the insurance and health industries. It also impacts banks and other financial organizations in how they interact with the organizations impacted by the law. HIPAA dictates standards for conducting health care transactions and maintenance of health plans, and defines end users’ rights when it comes to general health care issues. The law defines specific rules concerning a person’s rights to privacy and the confidentiality of both financial and health-related data.

The main thrust of the regulation is to mandate how and when medical facilities or practitioners can exchange a patient’s information. It also specifies that the entities covered by the regulation may provide information to law enforcement under specific circumstances. Obviously, a recipient of a legally issued subpoena or search warrant must comply with the order. It may also comply with written administrative requests of law enforcement, providing that the request is accompanied by a written request that specifies the information sought and an affidavit stating that the materials requested are relevant and material to an ongoing legal matter.

Information regarding identifying characteristics pertaining to missing persons, fugitives, suspects in ongoing criminal investigations, or material witnesses may be provided without requiring a warrant. This information can include the person’s name and address, social security number, blood type, and Rh factor. If the person is known to have been injured or to be dead, the institution can also provide dates and times of treatments or the date and time of death if appropriate. Descriptions of any distinguishing characteristics, such as birthmarks or scars, is also permitted. The institution may not share DNA or tissue samples, blood samples, dental records, or the results of analyses without a legally issued subpoena or warrant.

Medical facilities may approach law enforcement with voluntary information in cases of child abuse, domestic violence, or neglect and provide the information allowable under an administrative request. In some circumstances, the facility may be required to contact law enforcement. Gunshot wounds and stab wounds must be reported. If a death is suspected to be the result of criminal activity, it must be reported.

The Family Educational Rights and Privacy Act of 2008

The Family Educational Rights and Privacy Act of 2008 (FERPA) controls the distribution of private information about students. It dictates that parents and eligible students must have a right to examine any of the student’s records maintained by an educational institution. Only the parent or eligible student may review the records except under specific circumstances. These include (as written in the act)

• School officials with legitimate educational interest

• Other schools to which a student is transferring

• Specified officials for audit or evaluation purposes

• Appropriate parties in connection with financial aid to a student

• Organizations conducting certain studies for or on behalf of the school

• Accrediting organizations

• To comply with a judicial order or lawfully issued subpoena

• Appropriate officials in cases of health and safety emergencies

• State and local authorities, within a juvenile justice system, pursuant to specific state law

There is certain information that the school is allowed to provide in a published directory. This includes names and addresses, dates and places of birth, any awards received by the students, and the dates that the student attended the institution. If such a directory exists, parents and students must be notified of its existence and must have the right to request that the information not be disclosed.

It is important that investigators be familiar with state laws in this regard. Different states have different regulations regarding how law enforcement may access student records.

Privileged Information

Assume for a moment that an investigator is presented with a case with a proper warrant intact and legal counsel has mitigated the privacy issues. Does that mean that the investigation can now dig out anything related to the case as defined by the warrant? Not necessarily. There are certain forms of information deemed privileged by law. Four areas of privileged information to be careful about are

• Attorney/client privilege

• Doctor/patient privilege

• Work/product doctrine

• Protected intellectual property

Attorney/Client Privilege

The only privileged information defined in the Federal Rules of Evidence is that of attorney/client privilege. The U.S. Department of Justice (DOJ) publishes a manual entitled Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations (DOJ 2009) that further defines federal concerns regarding privileged information that are handled by DOJ attorneys. If a case expands to the point where disinterested third parties become involved, then 42 U.S.C. § 2000aa-11(a); 28 C.F.R. comes into play. This regulation prohibits federal law enforcement officers from obtaining privileged documents from attorneys, physicians, or clergy. The investigator also needs to be aware that certain state and local laws also protect physician/patient information and in some cases proprietary intellectual property.

The Government Enforcement Bulletin defines attorney/client privilege in the following way: “Communications shared in the course of an internal investigation, including documents which contain or constitute communications between employees and in-house or outside counsel, are subject to the attorney-client privilege if they are made with a reasonable expectation of, and in confidence between, privileged persons, and for the purpose of seeking, obtaining, or providing legal assistance or advice” (Jonas and Keefe 1996). Rule 502 of the Federal Rules of Evidence sets specific conditions for maintaining confidentiality between an attorney and client.

The right of client/attorney privilege was established in a landmark Supreme Court case, Upjohn v. United States. The U.S. Court of Appeals for the Sixth Circuit ruled on appeal that existing client/attorney privilege laws did not apply to information exchanged by middle management employees of the corporation and the organization’s legal counsel. In an opinion presented by Justice William Rehnquist, the court issued a ruling that even employees of the rank and file were protected.

Physician/Patient Privilege

Federal Rules of Evidence make no mention of physician/patient privilege. However, most state jurisdictions have rules pertaining to this professional relationship. This is an area that will require careful consultation with a lawyer familiar with the jurisdiction that has power over a case. There is legal precedent for not invoking this privilege. In Tarasoff v. Regents of the University of California (17 Cal. 3d 425, 551 P.2d 334, 131 Cal. Rptr. 14), California’s Supreme Court contended that medical professionals have a legal obligation to notify authorities when they know that actions by a patient are potentially harmful to another person. Since each state writes its own statutes regarding this privilege, it is essential to follow the advice of an attorney when this privilege is invoked.

Work-Product Doctrine

The work-product doctrine is a legal principle that applies to documents or other evidentiary material that an individual or organization prepares in anticipation of litigation. The person or organization under investigation can seek a protective order rendering those documents undiscoverable. Unlike client/attorney privilege, materials protected under the work-product doctrine can be overcome under two sets of circumstances. First, if it can be demonstrated that facts critical to the investigation can only be found in the “protected” documents, a judge can issue an order to produce the requested materials. Second, if the entity seeking the information can prove undue hardship caused by discovering the information from any source other than the protected documents, the judge can order discovery.

Protected Intellectual Property

By law, proprietary information, such as corporate trade secrets, is not protected by law. However, it is possible for the party subject to the search to negotiate limited review of such files. An article published in Corporate Counsel’s Quarterly recommends that companies or individuals with such information stored on a device subject to search notify the agents executing the warrant that such records exist and insist that those records be sealed until legal review (Vizy 2005).

While a search warrant may preclude an investigator from obtaining certain information, it is possible that a judge may issue a subpoena, ordering the surrender of the requested information