headers as “packet headers” or “traffic data” and communications content data (including HTTP headers) as “content.” Legal frameworks with respect to the interception of content and real-time collection of packet headers are usually complicated and carry stiff criminal penalties, including imprisonment and fines. Today, U.S. wiretap and stored communication laws are embodied within the Electronic Communications Privacy Act (ECPA), which governs not only the interception of content and the real-time collection of pen register and trap/trace (packet header) data, but also when such data may be disclosed to or used by third parties. The Stored Communications Act (SCA) has separate provisions governing the disclosure and use of stored communications data, such as that kept by Internet service providers (ISPs). ECPA presents grave and complex legal risks to cyber security R&D. ECPA now governs:

• The possession, sale, transport, and installation of devices that can be used to intercept content;
• The interception of content (wiretapping) and the disclosure and use of intercepted content; [3]
• The installation and use of pen register and trap and trace devices for the real-time capture of non-content, such as packet headers; [4] and
• The access to and disclosure of stored communications information (content and packet headers) by communications providers “to the public,” to governmental entities, and others. [5]

Thus, ECPA sets forth protections for stored communications and those in transit and the conditions under which intercepted and stored data can be accessed, used, and disclosed. ECPA also provides privacy protections to individuals by limiting what stored data “governmental entities” can obtain and the circumstances under which they can obtain it. Separate laws protect certain customer data.
The Communications Act of 1934 governs the use, disclosure, and access to customer proprietary network information (CPNI) data of regulated carriers, and the Telephone Records and Privacy Protection Act governs obtaining, transferring, receiving, or accessing confidential phone records information (CPRI). Interception laws contain exceptions that allow providers to capture communications traffic for purposes related to the provisioning of service, protection of their property and the rights of their users, or to record the fact that a communication was completed. The use of intercepted communications, or their disclosure to others, however, is restricted and violations carry criminal penalties. There are additional considerations which may come into play, such as whether the researcher is associated with a “governmental entity” and whether the provider is one who services the general public (“provider to the public”). At the outset, it is important that researchers, IRBs, and legal counsel analyze whether the data contemplated for use in a research project:

• Was legally collected (by what entity, by what person, using what device, installed by whom, on what network);
• May be legally disclosed to researchers; and
• May be legally used by researchers.

Such analysis is necessary because, beyond the criminal penalties of imprisonment and/or substantial fines, several laws allow persons whose data was wrongfully intercepted, disclosed, or used to bring civil suits against the offender, including the U.S. Government.

[3] 18 U.S.C. §§ 2510-22; http://www4.law.cornell.edu/uscode/18/usc_sec_18_00002510----000-.html.
[4] 18 U.S.C. §§ 3121-27, http://www4.law.cornell.edu/uscode/18/3121.html.
[5] 18 U.S.C. §§ 2701-12, http://www4.law.cornell.edu/uscode/18/2701.html.
Thus, a failure to properly analyze whether network data was legally obtained and whether it may be disclosed to and used by researchers may lead to embarrassment, tarnished reputations, loss of research funding, ruined careers, significant fines, and/or imprisonment. Legal analysis is complicated and requires a sequence of questions involving the information gathered in the fact-gathering process:

1. Determine whether the data was collected (a) through the real-time interception of content or packet header data, or (b) at the endpoint of a communication and stored.
2. Determine whether the data involves content and/or packet header data. (Reminder: HTTP packet headers contain URLs and are treated as content.)
3. Determine whether the data provider is a provider “to the public” or a private provider.
4. Determine (a) whether the researcher is an individual acting in his/her personal capacity or on behalf of a private organization, (b) whether the researcher is an employee or agent of a “governmental entity,” and (c) whether the organization conducting the research is a “governmental entity.”
5. Determine whether the data can be disclosed to and used by the researcher.

The Tool Chest provides worksheets, decisional flowcharts, definitions, and references to facilitate this analysis. Once network communications data has been determined to have been legally obtained and may be legally disclosed to researchers and used for research and development (R&D) purposes, the next level of inquiry concerns privacy [6] considerations pertaining to information in the dataset. Even though a dataset may have cleared the Legal Analysis process, further analysis with respect to privacy laws may reveal that the data cannot be used for R&D purposes, or that certain fields of the dataset will require special anonymization actions or elimination measures to comply with privacy protections or to mitigate risk. There are several layers of inquiry in analyzing privacy issues in the context of communications data. These include:

• Laws and regulations;
• Legal instruments setting forth compliance obligations to protect the data, such as non-disclosure agreements, contract provisions, terms of service, administrative decisions or directives, etc.; and
• Privacy and other organizational policies, such as codes of conduct, policies governing the use of technology, and data retention and destruction.

The Privacy Analysis Tool in the Tool Chest is based upon U.S. laws and regulations, but basic differences between U.S. privacy laws and those in other jurisdictions are discussed. Globally, approximately 55 countries have privacy laws that may impact researchers using communications data. One legal consideration is whether a country’s laws extend extraterritorially to a researcher. Due to the nature of packet switching technologies, it is virtually impossible to determine where all the data within a network communications dataset may have originated. Unless there is a clear overseas origination point for the data, such as a device sitting on a network in the Netherlands capturing data pertaining to traffic on that network, data may be viewed as subject to the laws of the country in which it was obtained. It is important to note that this issue has not been directly addressed and there is no clear determination or accepted principles to draw upon.

The Privacy Analysis Tool explains these legal and policy privacy considerations and provides a decisional framework to guide researchers and IRBs through the process of determining (1) whether a dataset has privacy issues associated with it, (2) whether these issues are fatal and may preclude the use of the data, and (3) whether certain privacy issues may be mitigated or eliminated through anonymization or other de-identification techniques.

International Legal Considerations

Every country has its own legal peculiarities, but multinational legal structures, such as the European Union’s position that Internet Protocol (IP) addresses are PII, significantly impact cyber security research and must be taken into consideration. The United Nations (UN) has several international agreements that have been signed by all or most nations and form the basis of international law that can be extended to cyber security R&D. One of the most fundamental documents in international law is the Universal Declaration of Human Rights, which was adopted in 1948 and explicitly states that, “No one shall be subjected to arbitrary interference with his privacy, family, home, or correspondence.” [7] The UN International Covenant on Civil and Political Rights also establishes a right to privacy. [8] The Council of Europe (CoE), comprised of 47 member countries, laid the foundation in 1950 for Europe’s legal framework regarding privacy, the processing of personal data, and cross-border data flows with its Convention for the Protection of Human Rights and Fundamental Freedoms. [9] The CoE’s Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, enacted in 1981, carried these concepts forward in an electronic environment. [10] The CoE’s subsequent Additional Protocol on Supervisory Authorities and Transborder Data Flows, adopted in 2001, added to the Convention the concept of national supervisory authorities and restrictions on cross-border data flows. [11]

European Union Directives

There are two aspects of EU law that are particularly troublesome to researchers: the Data Protection Directive, which prohibits cross-border transfers of information protected by the Directive unless the receiving jurisdiction ensures an adequate level of privacy protection, [12] and the opinions of the Article 29 Working Party (an advisory body to the European Commission) that IP addresses constitute PII. [13] The EU Data Protection Directive has a broad definition of PII. It defines “personal data” as:

[A]ny information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical,

[6] Europeans and some international audiences often use the term “data protection” instead of privacy. U.S. laws and reference materials generally use the term “privacy” with respect to data that is afforded protection from disclosure. Since this paper is U.S.-centric, it will use the term privacy.
[7] Universal Declaration of Human Rights, United Nations, General Assembly, Resolution 217 A (III), Dec. 10, 1948, http://www.un.org/Overview/rights.html.
[8] International Covenant on Civil and Political Rights, Dec. 16, 1966, http://treaties.un.org/Pages/ViewDetails.aspx?src=TREATY&mtdsg_no=IV-4&chapter=4&lang=en.
[9] CoE Convention for Protection of Human Rights, http://conventions.coe.int/treaty/en/treaties/html/005.htm.
[10] CoE Convention on Processing of Personal Data, Articles 5-6, http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm.
[11] CoE Additional Protocol, Articles 2-3.
[12] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OFFICIAL JOURNAL L. 281/31, Nov. 23, 1995, http://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm#directive (hereinafter “EU Directive”).
[13] Opinion 4/2007 on the concept of personal data, Article 29 Data Protection Working Party, 01248/07/EN WP 136, June 20, 2007 at 16-17, http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2007_en.htm (hereinafter WP 29 2007 Opinion).