Introduction

The compulsory production provisions of ECPA allow law enforcement to obtain all manner of information from Internet Service providers, for crimes ranging from the latest, high profile international cyber intrusion to the purely local cases investigated by state and local police.

In this assignment you will work with the ECPA provisions, or the parallel Connecticut statute to seek evidence for use in a local police investigation.

You may use either the provisions of the Federal ECPA or the Connecticut statute, Conn. Gen Stat. 54-47aa.Links to an external site.The federal statute allows law enforcement to compel basic subscriber information with a subpoena and transactional information with a 2703(d) order, while the Connecticut statute provides for the use of an ex parte order to obtain both categories of data.

A copy of the standard Connecticut Application and Order form is below.

• Ct. Application for Ex Parte Order.pdf

The Facts

You work as an investigator in a local police department. A Ms. Alice Robin has contacted the Department to complain about her husband, Mr. Edward Behr. She has filed for divorce and the case is very contentious. She believes her husband has "hacked" her cell phone because he always knows what her lawyer will do next in the divorce action and seems to know where she is, even appearing at restaurants when she is having dinner with friends.

She consented to have your Department analyze her phone. The forensic examiner has reported back that there is no evidence of any malware on the phone or of any unauthorized access to the phone. The prosecutor advised that you do not have probable cause for a search warrant to seize and search Mr. Behr's iPhone or his MacBook computer.

During the initial interview, Ms. Robins told the officer that she has an email account with her employer, Ashdown Wood Products, and a personal Gmail account. The Department's forensic examiner, with her permission, used Ms. Robin's credentials to log onto her Google account. The examiner reported that the Google security and privacy links in the accounts show that in addition to Ms. Robin's logins, both a computer and a mobile phone have logged into the account over the last two months (the online reports do not go back any further in time). The examiner also pointed out that Google keeps track of the IP address from which a customer logs into a Google or Gmail account.

Copies of the screenshots the examiner made from her account are below.

• Image 1
• Image 2

The examiner's analysis also showed that someone had logged onto Ms. Robin's account at midnight on April 30 and created a "Google Takeout" of Mr. Robin's email and the contents of her Google drive. The examiner explained that a Google "takeout" creates a compressed (".zip") file that contains all of a user's mail, Google drive storage and other account activity, and makes the zip file available for downloading. A takeout of all of Ms. Robin's Google accounts and mail was started on April 30 and was completed on May 1 at noon. The takeout was stored on Ms. Robins Google Drive. Shortly after noon on May 1, the email message saying that the takeout was complete was deleted and later that day the takeout itself was moved to the trash, where the examiner found it.

The examiner speculates that between the time the takeout was completed and the time it was moved to the trash, someone downloaded it, possibly into another Google account. Mr. Robins said she did not log onto her account at midnight on April 30, did not know how to download her Google accounts or what a "takeout" is. She said that her Gmail account has copies of all the messages between herself and her divorce attorney, her entire calendar with her business and personal schedule, and her list of contacts of all her friends and associates. She said that her husband also has a Google account.

Your Task

The lead detective believes the Mr. Behr has violated the State's computer crime statute by accessing Ms. Robin's Google and Gmail accounts without her authorization. She wants to determine whether Mr. Behr was the individual who logged into Ms. Robin's accounts and created and downloaded the Google takeout. She knows you are an expert in ECPA and the Connecticut statute and has asked for your help in drafting the parts of the request for information from the ISP and Google.

You have already learned in this course that each host connected to the Internet has a unique IP address, and you should know that the ISP that "owns" particular IP addresses keeps records showing the subscriber to whom a particular IP address is assigned at any particular time. The examiner has given you the IP address of a computer and a cell phone not belonging to Ms. Robin that logged into her account in the screen shots from her account.

Using a WHOIS search you learned that IP address 173.66.82.158 is owned by OldHavenISP.com, located at 123 Main Street, Old Haven, Connecticut, 06561.

Your first assignment is to explain what information you expect to get from OldHavenISP.com and then draft the portion of a subpoena to OldHavenISP.com requiring it to provide the subscriber information for the IP address 173.66.82.158 for whatever times you think are relevant to the investigation.

The detective also told you that she would fill out the subpoena or ex parte order form and where its states what is required to be produced she would insert "See Attachment." You are to draft the "Attachment to Court Order [or Ex Parte order] to OldHavenISP.com." That Attachment should establish the facts needed to establish reasonable cause and list the records required to be produced.

The lead detective also told you that Google logs the IP address from which someone logs into an account, and that she wants to apply for a 2703(d) order (or ex parte order if you are in Connecticut) to Google to find out the IP address from which the April 30 and May 1 logins to Ms. Robin's account were made and to get all the information Google recorded regarding the downloading or copying of that takeout. The detective asks that you draft the Attachment to a proposed 2703(d) order to Google. That attachment should also include the facts needed to meet the "reasonable and articulable suspicion" standard of the statute (or "reasonable and articulable suspicion that a crime has been or is being committed" in Connecticut).

Assignment Checklist:

OldHaven

• Explain what information you expect to get from OldHavenISP.com
• Draft only the "Attachment to Subpoena [or Ex Parte order] to OldHavenISP.com."

Google

• Explain what information could be obtained by a 2703(d) order to Google and how that would be relevant to the case.
• Draft the request you would make to Google and the "articulable facts" portion of the application. (You do not need to draft the entire application for the Order or the Order itself)
  • State with specificity what you are requiring the provider to produce.
  • Also, the 2703(d) application requires you to show "specific and articulable facts" (or "reasonable and articulable suspicion that a crime has been or is being committed" in Connecticut) that the information you seek is "relevant to an ongoing criminal investigation."