Saturday, February 04, 2006

Increasingly, Internet's Data Trail Leads to Court

The New York Times
Increasingly, Internet's Data Trail Leads to Court

Who is sending threatening e-mail to a teenager? Who is saying disparaging things about a company on an Internet message board? Who is communicating online with a suspected drug dealer?

These questions, and many more like them, are asked every day of the companies that provide Internet service and run Web sites. And even though these companies promise to protect the privacy of their users, they routinely hand over the most intimate information in response to legal demands from criminal investigators and lawyers fighting civil cases.

Such data led directly to a suspect in a school bombing threat; it has also been used by the authorities to track child pornographers and computer intruders, and has become a tool in civil cases on matters from trade secrets to music piracy. In St. Louis, records of a suspect's online searches for maps proved his undoing in a serial-killing case that had gone unsolved for a decade.

In short, just as technology is prompting Internet companies to collect more information and keep it longer than before, prosecutors and civil lawyers are more readily using that information.

When it comes to e-mail and Internet service records, "the average citizen would be shocked to find out how adept your average law enforcement officer is at finding information," said Paul Ohm, who recently left the Justice Department's computer crime and intellectual property section.

The issue has come to the fore because of a Justice Department request to four major Internet companies for data about their users' search queries. While America Online, Yahoo and Microsoft complied with the request, Google is resisting it. That case does not involve information that can be linked to individuals, but it has cast new light on what privacy, if any, Internet users can expect for the data trail they leave online.

The answer, in many cases, is clouded by ambiguities in the law that governs electronic communication like telephone calls and e-mail. In many cases, the law requires law enforcement officials to meet a higher standard to read a person's e-mail than to get copies of his financial or medical records.

Requests for information have become so common that most big Internet companies, as well as telephone companies, have a formal process for what is often called subpoena management. Most of the information sought about users is basic, but very personal: their names, where they live, when they were last online — and, if a court issues a search warrant, what they are writing and reading in their e-mail. (Not surprisingly, the interpretation of voluminous computer records can be error-prone, and instances of mistaken identity have also come to light.)

AOL, for example, has more than a dozen people, including several former prosecutors, handling the nearly 1,000 requests it receives each month for information in criminal and civil cases. The most common requests in criminal cases relate to children — threats, abductions and pornography. Next come cases of identity theft, then computer hacking. But with more than 20 million customers, AOL has been called on to help in nearly every sort of legal action.

In recent years, "we found ourselves involved in every imaginable classification of traditional crimes, from murder to the whole scope of criminal behavior, because AOL was used to communicate or there is some trace evidence," said Christopher Bubb, assistant general counsel at AOL.

Investigators have found new ways to identify people who visit Web sites anonymously or use a false identity. Many Web sites keep a log of all user activity, and they record the Internet Protocol address of each user. I.P. addresses are assigned in blocks to Internet service providers, who use them to route information to the computers of their users. If an investigator determines the I.P. address used by a suspect, he can subpoena the Internet provider for the identity of the user associated with that address at a particular date and time.

For example, in investigating a bomb threat at a Canadian high school in 2002, Mr. Ohm approached the operator of a message board in California on which the threats were placed. He asked to review the log monitoring each user's activities, which showed the Internet Protocol address of the person who left the threatening message. Mr. Ohm used that address in turn to determine the suspect's Internet service provider, who identified a teenager who had posted the message. (As a minor, he was not prosecuted.)

While Internet evidence has been used to solve some crimes, there have also been examples of mistakes in the process. Last year, Manchester Technologies, a company in Hauppauge, N.Y., sued Ronald Kuhlman Jr. and Kim Loviglio, claiming they had posted messages on a Web site that defamed its chief executive.

Manchester had identified Mr. Kuhlman and Ms. Loviglio based on information provided by Cablevision, their Internet provider, which incorrectly associated their account with the Internet Protocol address used to make the postings. Manchester dropped its suit against Mr. Kuhlman and Ms. Loviglio, who in turn sued Cablevision. That case was settled for undisclosed terms, their lawyer, Mark Murray, said.

The 1996 law that governs privacy for telephones, Internet use and faxes — the Electronic Communications Privacy Act — provides varying degrees of protection for online information. It generally requires a court order for investigators to read e-mail, although the law is inconsistent on this, treating unopened items differently from those previously read. The standard to compel an Internet service provider to provide identifying information about an Internet user is lower — in general, an investigator needs a subpoena, which can be signed by a prosecutor, not a judge. (And the USA Patriot Act allows some of these procedures to be waived when lives are at risk.) By comparison, domestic first-class mail requires a search warrant to be opened.

In cases in which investigators want to intercept Internet communication as it occurs, they must get the same authorization needed for a telephone wiretap, which requires continuing court monitoring. In 2004, there were 49 cases of computer or fax transmissions being monitored under these procedures, according to federal statistics (which exclude national security cases).

Mr. Ohm, now an associate professor at the University of Colorado Law School, said those statistics undercounted the instances of such monitoring, especially cases in which an Internet company was tracing attacks on its own system.

"The Wiretap Act has enough loopholes built into it that you can often do a wiretap without having to get a court order," he said.

The law for civil cases, like divorces or employment disputes, is also a bit unclear. Litigants can generally subpoena the identifying information of a user behind an e-mail account or an I.P. address.

AOL says that only 30 of the 1,000 monthly requests it receives are for civil cases, and that it initially rejects about 90 percent of those, arguing that they are overly broad or that the litigants lack proper jurisdiction. About half of those rejected are resubmitted, on narrower grounds. Generally, AOL gives its members notice when their information is sought in civil cases. If the member objects, the issue is referred back to the court. (In criminal cases, there is often no notice, or notice is given after the information has been given to investigators.)

"Subpoenas come in all the time that ask for everything," said Kelly Skoloda, an AOL lawyer. "We engage in an active dialogue to determine what they want and what we can give in compliance with our privacy policies."

AOL and most other Internet providers take the view that the content of e-mail messages cannot be turned over to lawyers in civil suits. The most significant exception is that e-mail can be turned over with the consent of the account owner, and litigants often persuade judges to order their opponents to authorize the disclosure of e-mail.

A gray area that has recently gained prominence involves the pages that users read online and the terms of their searches.

Yahoo, Google and the new free site, for example, maintain records of user surfing behavior. Google also keeps a log file that associates every search made on its site with the I.P. address of the searcher. And Yahoo uses similar information to sell advertising; car companies, for example, place display advertising shown only to people who have entered auto-related terms in Yahoo's search engine.

It is unclear what standard is required to force Internet companies to turn over this search information to criminal investigators and perhaps civil litigants.

"The big story is the privacy law that protects your e-mail does not protect your Google search terms," said Orin S. Kerr, a professor at the George Washington University Law School and a former lawyer in the computer crime section of the Justice Department.

Other lawyers argue that the law that provides protection for e-mail content, or even the Fourth Amendment protection against unreasonable searches, could be applied to data about Web searching, but the issue has not been tested in court.

The break in the St. Louis murders came in 2002, when a reporter received an anonymous letter with a map generated by Microsoft's MSN service — marked with the location where a body could be found.

The F.B.I. subpoenaed Microsoft for records of anyone who had searched for maps of that area in the days before the letter was sent. Microsoft discovered that only one user had searched for precisely that area and provided the user's Internet Protocol address. That address, in turn was provided by a unit of WorldCom, which identified the user as Maury Troy Travis, a 36-year-old waiter. (Mr. Travis was arrested and hanged himself in jail without ever admitting guilt.)

While requests for search data have been few, computer experts expect them to increase.

"It is rare that those links will be a slam-dunk that will make a case," said John Curran, a former cybercrime investigator for the F.B.I. "But when you are putting together a larger case, you are trying to connect the dots, and it is the little things that actually help."