Laws

A variety of laws define what is or is not a cybercrime, the elements required to prove such a crime, the penalties for these crimes, and the collection and analysis of forensic information. Each state in the United States and each nation on the globe has its own specific laws. You must become familiar with the laws in your jurisdiction. Those working in the United States must understand the specific laws applicable throughout the country that affect how evidence is seized and safeguarded. An exhaustive list of laws and regulations is beyond the scope of this chapter; in fact, the interpretation of the laws changes regularly as case law is established and may vary from jurisdiction to jurisdiction. However, to give a sense of what is involved, the following sections provide some examples.

The USA Patriot Act

Congress passed the USA Patriot Act to combat terrorism after September 11, 2001. Portions of the law affect the collection of computer evidence. For example, in some circumstances, customer records from Internet service providers (ISPs) can be disclosed to law enforcement. The law significantly expands the circumstances under which ISPs can now notify law enforcement of information that may indicate an imminent threat.

The Patriot Act contains two procedural changes directly related to computer crimes. First, it specifically adds felony acts related to the Computer Fraud and Abuse Act to the list of predicates that can serve as the basis for authorizing a warrant to intercept wire, oral, and electronic communications. Second, with the permission of the owner or operator of a “protected computer,” a term defined in the computer fraud statute, law enforcement officers may now intercept communications to and from the computer trespasser if they have reasonable grounds to believe that the trespasser’s communications will be relevant to the investigation. Essentially, a protected computer is any computer at a financial institution or a government agency. This provision basically means that if someone hacks into a protected system, law enforcement officials can track down and intercept all of that perpetrator’s communications if they reasonably believe they are relevant to the investigation.

In addition to these procedural changes, Section 816 of the Patriot Act calls for establishing regional computer forensic laboratories. This has led to the creation of the Electronic Crimes Task Force, led by the U.S. Secret Service. The Patriot Act is a perfect example of how the rules of evidence collection can change dramatically due to a new law being passed.

The Electronic Communications Privacy Act of 1986

This is one of the pivotal laws related to computer crime. The purpose of the act was to extend federal wiretap laws to cover electronic communications, including the requirement that a law enforcement officer needs a warrant to intercept electronic communications.

The Electronic Communications Privacy Act extended the following guidelines to email:

  • The consent exception—Both parties to a conversation must give consent. If you recall the last time you called a customer service phone number, you may have heard an automated voice inform you that the call was being recorded, and the person you spoke to may have even asked your consent to record the call.

  • The business extension exemption—This does not mean that a business can monitor and record all employee calls. A business can claim this exemption only for monitoring by certain types of equipment; the recording must occur in the ordinary course of business.

The Communications Assistance to Law Enforcement Act of 1996

The Communications Assistance to Law Enforcement Act (CALEA) is another of many laws that govern the capture and interpretation of forensic information. Originally, CALEA granted the ability to wiretap only digital telephone networks, but in 2004, the U.S. Department of Justice (DOJ); Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF); Federal Bureau of Investigation (FBI); and Drug Enforcement Administration (DEA) filed a joint petition with the Federal Communications Commission (FCC) to expand CALEA to include the ability to monitor Voice over IP (VoIP) and broadband Internet communications so that they could monitor web traffic as well as phone calls. In September 2005, the FCC ruled that providers of broadband Internet access and interconnected VoIP services are telecommunications carriers under CALEA and, therefore, extended CALEA to the Web and broadband access. Subsequent court cases risked reinterpretation or limitation of the CALEA law but, as of this writing, information can be collected under CALEA and used as evidence.

The Health Insurance Portability and Accountability Act of 1996

Although the Health Insurance Portability and Accountability Act (HIPAA) regulations are directly applicable to health care, a number of provisions of HIPAA must be understood and followed by forensic professionals. Similar laws govern a wide variety of other areas, such as the Sarbanes-Oxley Act of 2002, which governs publicly traded corporations. HIPAA contains the Privacy Rule, which covers the disclosure of personally identifiable protected health information (PHI). A subsequent update changed the disclosure period from “forever” to 50 years after death of the subject of the health information, but the update also increased the penalties for disclosure of PHI. Every forensic examiner should be very familiar with what constitutes PHI and the potential penalties for disclosure.

The legal underpinnings of digital forensics, both computer and network, may seem like shifting sands and, in many very important cases, they are. If, however, the forensic examiner sticks to the Daubert standard, handles all information in his or her possession according to rules of evidence, and maintains the chain of custody, then much of the legal positioning and interpretation is an interesting sideshow. But it’s a sideshow that the forensic professional must understand.
