Wednesday, February 13, 2008

CSAM & Predators - Ongoing survey of law enforcement re: ISPs' responses to subpoena and search warrant requests

Dr. Frank Kardasz, updated February 12, 2008  

Introduction 

I am conducting ongoing research into a contentious issue. The issue involves whether or not Internet service providers (ISPs) should be mandated to retain basic data about their subscribers and subsequently report that information quickly to law enforcement upon receipt of legal process in the form of a subpoena or search warrant.

Contentious Issue

The issue is contentious because law enforcement investigators around the world must rely on ISPs to provide the most basic information about their subscribers so that law enforcement can pinpoint the location of cyber-offenders. Delays in reporting information and the lack of information can stall or extinguish an investigation. Particularly in cases involving sexual exploitation, young lives are sometimes at stake while investigators wait for responses from ISPs. Privacy advocates sometimes argue that requiring ISPs to retain basic subscriber data is an invasion of privacy and involves government "snooping". Internet service providers themselves may be reluctant to retain and report information to law enforcement because of the additional time, equipment and resources required to preserve and report data.

Subscriber Data

Most Internet service providers already collect and retain subscriber data. Subscriber data is the most basic user information and usually includes the name, address and billing information of the person responsible for paying for Internet service. Most ISPs collect and retain subscriber data at least long enough to charge subscribers for their Internet service. ISPs are not required by law to retain data. Some ISPs quickly discard data when the data is no longer needed.

Survey Data

In July 2007, I began conducting surveys of investigators by sending e-mails to my colleagues nationwide asking them for anecdotal stories involving recent problems with ISPs. The stories are compelling.

Here are some of the replies: 

1. In November 2006 an Arizona homicide investigator sent preservation letters to Yahoo and MSN and followed up with a search warrant for the content of e-mails from both the homicide victim and the murder suspect. As of July 2007, eight months later, the investigator had not received the information requested from either Yahoo or MSN. 

2. In April 2007, a Nebraska Internet crimes against children investigator served a subpoena to Hamilton.net, an Aurora, Nebraska-based ISP, for the purpose of obtaining subscriber information. Although the company had responded to previous subpoenas, on this occasion they stated that they did not think a subpoena was legal. Investigators subsequently obtained an opinion from the Nebraska Attorney General's Office favoring the legality of the subpoena. The ISP responded on June 20, 2007; however, they had not retained all of the requested data. Investigators subsequently learned that the suspect had created child pornography involving his own daughter and had molested several child victims. (Note: Investigators often anguish over the possibility that while they await the response to one of their subpoenas, a child somewhere continues to be victimized because detectives do not know the location of the ongoing offense.)

3. In July 2007, a Colorado Internet crimes against children investigator reported that Denver Public Libraries destroy data after each patron logs off of the libraries' computers. Investigators are unable to obtain any information about library computer users. In the past year, three child pornography cases have been unresolved due to lack of information. Arizona investigators report the same situation at Phoenix Public Libraries. Child pornography incidents that have been traced to public libraries are often unresolved because libraries do not enable simple logging features that retain basic information about computer users.

4. In July 2007, a California crimes against children investigator cited an America Online (AOL) child pornography case in which the offenders’ originating Internet protocol (IP) address resolved to a proxy IP address. AOL had only retained the needed information for five days and could not identify who was using the targeted IP address at the time of the offense.

5. In July 2007, a California crimes against children investigator also reported that in one child pornography case the suspect used Cingular Wireless to connect to a Yahoo email account. Cingular only retains Internet protocol (IP) logs for two days and could not identify the subject. The investigator has since identified this subject from other IP addresses, but if the suspect had used only the Cingular connection, the investigation would have been extinguished. 

6. In July 2007, an Arizona investigator reported that a 16-year-old victim met a 23-year-old suspect at the Internet social networking site, blackplanet.com. The two also communicated via text messaging through the ISP Sprint. During the text messages the suspect was informed by the victim that the victim was 16 years old. The investigator needed to retrieve the text messages in order to show the suspect's knowledge that the victim was a minor. The retention time for text messages from Sprint is only 14 days and the required information was not available to the investigator.

7. In July 2007, a North Carolina investigator stated: “This (ISP retention and reporting issue) is still a problem. In North Carolina, Time Warner RoadRunner is not responding in a timely manner. When they do respond the answer is often: ‘The information you requested is no longer available’. Time Warner has advised our agency that we send more subpoenas than the rest of the state combined. According to Time Warner our frequent subpoenas cause them problems and they are considering charging us administrative fees. We advised Time Warner that the reason we submit a large number of subpoenas is because as the ICAC for the entire state our agency has subpoena privileges. There is a huge need for better retention requirements and laws. Time Warner is just one example.” 

8. In July 2007, an Arizona prosecuting attorney cited three child pornography cases wherein Cox Communication provided responses stating that the Internet protocol address in question was stolen, with no further explanation. Repeated attempts to obtain additional information about that Internet protocol address and how it was compromised have been unproductive. Luckily, there was another online session with the defendant where the subpoena results pointed to the defendant. 

9. In July 2007, a Massachusetts detective investigated a threats and sexual harassment case involving hearing-impaired students at Northern Essex Community College. The students there use communication devices called "Sidekicks" that permit text messaging. The ISPs involved were T-Mobile and Danger Co. The Sidekicks were sold by Danger Co. and Danger Co. was also responsible for serving the text traffic that went out over the devices. In several cases, the suspect sent messages to the Yahoo e-mail addresses of the victims. The investigator subpoenaed Yahoo and received six relevant IP addresses back from Yahoo. These IP addresses were each found to be owned by Danger Co. The investigator subpoenaed Danger Co. for subscriber information from all six IPs. A representative of Danger Co. advised the investigator that the company does not keep a record of IP activity. The Danger Co. representative referred the investigator to T-Mobile stating that T-Mobile handled the information about the IP addresses being researched. T-Mobile referred the investigator back to Danger Co.

10. In 2007, an Arizona Internet crimes against children investigator states: Cell phone text messaging has been critically important to some of our cases involving minors and predators. The cell phone companies do not retain the messages or they purge them after a few days. 

11. In a recent (2007) Michigan Internet crimes against children case involving Comcast, a preservation request and search warrant were sent to Comcast within the company's 30-day time frame for such requests, but Comcast responded by stating that no data was found.

12. In 2007, a Texas investigator stated: “Verizon often claims technical problems prevent them from capturing data.” He cited eight stalled investigations involving child pornography and online solicitation cases that occurred in 2006 and 2007. 

13. In July 2007, an Arizona Internet crimes against children investigator reported that the ISP Cox Communications did not provide needed log information related to the date of an offense that was specifically requested in a subpoena. The omission resulted in delays and extra follow-up work while the suspect continued to traffic child pornography via the Internet.

14. A Pennsylvania fraud investigator reported that in December 2006, four weeks after an order was mailed, the Earthlink legal department responded stating that they did not have access to the records about the requested Internet protocol address. Earthlink stated that the IP address in question was leased to Earthlink from Covad Communications. When the investigator inquired with Covad, he was informed that Covad had not retained the data. The Covad representative then referred the investigator back to Earthlink. As of July 23, 2007 the investigator had not received a formal response from either company.

15. In July 2007, a Texas investigator worked a case involving a stolen laptop computer. The computer had a tracking device installed on it. The device sends a message with the IP address to a monitoring company if the laptop is reconnected to the Internet. In this case the device worked and the investigator was provided with the IP address from which the stolen laptop was being used. The IP address belonged to a RoadRunner subscriber account. Roadrunner was recently acquired by Comcast from Time Warner. Both companies informed the investigator that the IP is not one of their active accounts and to date there has been no subscriber information provided to the investigator. 

16. In an Arizona identity theft case a Federal investigator spoke with a representative of the Earthlink/People PC compliance department on June 17, 2007, 40 days after the original subpoena was sent. The investigator was informed that the request would be handled the next day but as of July 23, 2007, there was still no response. 

17. In August 2007, a Federal investigator in Arizona reported that after 22 days the ISP Cox Communications had not yet responded to two subpoenas involving a suspect who is believed to be actively molesting minors. The investigator said, "These types of turnaround times are clearly unacceptable."

18. A Massachusetts Internet crimes against children investigator reported that as of August 20, 2007, the ISP Earthlink had not yet responded to a subpoena that was sent to them on April 19, 2007, a delay of four months...and counting. The investigator said, "I have called the legal department-subpoena compliance on at least four occasions. To date, I have received nothing."

19. On July 11, 2007, an Arizona Internet crimes against children investigator sent a subpoena to Cox Communications requesting subscriber information about a suspect. There was no response from Cox. A second subpoena was sent on July 24, 2007. There was no response to the second subpoena. A third subpoena was sent on August 15, 2007. On August 17, 2007 the investigator phoned Cox and left a voice mail message with the subpoena compliance unit describing the problem and requesting an immediate response to the subpoena. The subpoena was again sent via fax to Cox on August 17, 2007. On August 22, 2007 the investigator received a response to the subpoena. The delay was 42 days. 

20. On July 31, 2007, an Arizona Internet crimes against children investigator sent a subpoena to Cox Communications requesting subscriber information about an Internet protocol address. There was no response from Cox. A second subpoena was sent on August 15, 2007. At the time of this report (August 21, 2007), Cox still had not responded.

21. In July 2007, an Arizona child pornography investigator made several attempts to contact the Earthlink legal department to request information concerning their subpoena requirements. The investigator phoned a number and was informed that the number was disconnected. The investigator then phoned the Earthlink emergency/after hours number and heard the recorded announcement, "the Nextel customer is currently unavailable." After several more failed attempts, the investigator searched the Internet for a customer service number and found 1-800-(number withheld). This number directs callers to a third party sales company and to an email address. The representative at the 800 number provided the investigator with a phone number for an Earthlink customer service representative but the representative would only provide a mailing address to the corporate office in Atlanta, GA. Through other sources the investigator found and called a phone number for the Earthlink legal department. This call resulted in a voice mail message that provided the investigator with an Atlanta mailing address and a voice prompt asking the caller to leave a message. The investigator left a voice message but as of a week later (July 30, 2007) Earthlink still had not responded.

22. In February 2006, a Texas child pornography investigator sent a subpoena to Earthlink requesting subscriber information related to a suspect’s IP address. When Earthlink did not respond, the investigator left several follow-up voice mails. The investigator spoke with an Earthlink representative who assured the investigator that the information would be sent via email the next day. It was not. A second subpoena was sent on April 4, 2007. Again there was no response from Earthlink. At the time of this report (July 2007), seventeen months have passed since the original request and the information is now too old and stale for further follow-up.

23. In July 2007, a Pennsylvania Internet crimes against children investigator reported that 60 days after discovering two Verizon-affiliated Internet protocol addresses associated with child pornography the company reported that they had no record of either of the two addresses. 

24. A former Missouri law enforcement officer who now works in private industry recalled past problems with the Time Warner (Roadrunner) company and with Earthlink. The investigator cited a homicide case in 2000 that involved an Earthlink subscriber. The former investigator said that during the investigation Earthlink did not respond to a request for information. The former investigator said, “Bad people are doing bad things and getting away with it simply because certain ISP's won't cooperate with law enforcement. Hopefully a framework can be set into place to encourage these ISP's to comply with a legal subpoena or search warrant.” 

25. In August 2007, Arizona ICAC investigators received a report involving 640 unlawful images of child pornography. They traced the Internet protocol (IP) number to the ISP Cableone. A subpoena was sent to Cableone requesting subscriber information for the user of the suspect IP address. In response to the subpoena, the associate general counsel from Cableone wrote: Our information technology department researched this IP address and informed me that they are unable to gather any information useful to you in response to your subpoena. They are struggling with a software gremlin that has recently reared its ugly head and is corrupting the tables of our IP servers in the archiving process. Until this is corrected, much historical IP information has been and continues to be lost. They can give me no certain date when the problem will be resolved but they are working with our vendors to fix it as soon as possible. 

26. In September 2007, a frustrated Arkansas ICAC investigator wrote to her nationwide colleagues: Does anyone have a number for someone, anyone at Comcast who will return your calls? I have tried (name withheld) at 856-(number withheld) and the Comcast Legal Response Center at 856-(number withheld) and left numerous messages. No one will call me back. Any help will be appreciated. Note: Shortly after the investigator posted the preceding message she received a return phone call from a Comcast representative.

Conclusion

A subpoena request for basic subscriber information is not a highly invasive query. Basic subscriber information includes only such items as the name, address and phone number of the user. Basic subscriber information does not include the private text of e-mails or chat conversations. The subpoena request for subscriber information differs from a more invasive search warrant request for content. 

A search warrant request to an ISP for content produces information of a more private nature including such things as the text of private e-mails. The courts recognize that such information is deserving of a higher level of protection from law enforcement scrutiny and consequently requires a sworn affidavit and search warrant. 

The most invasive (and expensive) form of law enforcement inquiry involves capturing real-time electronic communications and is commonly known as a wiretap. In law enforcement circles a wiretap is also often called a "Title III", named after the Federal Wiretap Law. A court-ordered wiretap has additional requirements and time-constraints above and beyond those required of either a subpoena or search warrant. 

The stories of investigations that ended because an ISP did not provide subscriber data are disheartening to those who seek to apprehend offenders and bring them to justice. The stories seem to indicate a need for a review of the data retention policies of Internet service providers.
