Use of the EINSTEIN 2.0 Intrusion-Detection System to Protect Unclassified Computer Networks in the Executive Branch

• Court: Department of Justice Office of Legal Counsel
• Decided: January 9, 2009
• Status: Published

Opinion

Use of the EINSTEIN 2.0 Intrusion-Detection System to Protect Unclassified Computer Networks in the Executive Branch An intrusion-detection system known as EINSTEIN 2.0 used to protect civilian unclassi- fied networks in the Executive Branch against malicious network activity complies with the Fourth Amendment to the Constitution, the Wiretap Act, the Foreign Intelli- gence Surveillance Act, the Stored Communications Act, and the pen-register and trap- and-trace provisions of 18 U.S.C. § 3121 et seq., provided that certain log-on banners or computer-user agreements are consistently adopted, implemented, and enforced by executive departments and agencies using the system.

January 9, 2009

MEMORANDUM OPINION FOR THE COUNSEL TO THE PRESIDENT

As part of the Comprehensive National Cybersecurity Initiative, the Department of Homeland Security (“DHS”), in coordination with the Office of Management and Budget, is in the process of establishing an intrusion-detection system known as EINSTEIN 2.0 in order to detect unauthorized network intrusions and data exploitations against the Execu- tive Branch’s civilian unclassified computer systems (“Federal Sys- tems”). 1 In January 2007, you asked this Office to undertake a legal review of proposed EINSTEIN 2.0 operations; since that time we have provided ongoing informal advice regarding the legality of those opera- tions, which are now underway. This memorandum formalizes the infor- mal advice we have provided regarding whether EINSTEIN 2.0 opera- tions comply with the Fourth Amendment to the Constitution of the United States, title III of the Omnibus Crime Control and Safe Streets Act of 1968 (Pub. L. No. 90-351, 82 Stat. 197, 211, codified as amended at 18 U.S.C. § 2510 et seq. (“Wiretap Act”)); the Foreign Intelligence Sur- veillance Act of 1978 (Pub. L. No. 95-511, 92 Stat. 1783, codified as amended at 50 U.S.C. § 1801 et seq. (“FISA”)); the Stored Communica- tions Act (18 U.S.C. § 2701 et seq. (“SCA”)); and the pen-register and trap-and-trace provisions of 18 U.S.C. § 3121 et seq. (“Pen/Trap Act”).

1 As used this memorandum, the term “Federal Systems” includes all Executive Branch

federal government information systems except for National Security Systems of execu- tive departments and agencies and Department of Defense information systems.

63 33 Op. O.L.C. 63 (2009)

We examine these legal issues in the context of an executive depart- ment’s or agency’s use of a model computer log-on banner or a model computer-user agreement developed by lawyers from the Department of Justice (“DOJ”), DHS, and other departments and agencies with expertise in cybersecurity issues. We conclude that as long as executive depart- ments and agencies participating in EINSTEIN 2.0 operations consistently adopt, implement, and enforce the model log-on banner or computer-user agreement—or log-on banners or computer-user agreements with terms that are substantially equivalent to those models—the use of EINSTEIN 2.0 technology to detect computer network intrusions and exploitations against Federal Systems complies with the Fourth Amendment, the Wire- tap Act, FISA, the SCA, and the Pen/Trap Act.

I.

Over the past several years, Federal Systems have been subject to so- phisticated and well-coordinated computer network intrusions and ex- ploitations on an unprecedented scale. The Intelligence Community has determined that those malicious network activities pose a grave threat to national security. See also Center for Strategic and International Studies, Securing Cyberspace 11–15 (2008) (discussing national security implica- tions of federal network vulnerabilities). Those malicious network activi- ties occur at the hands of hostile foreign nations (including foreign intelli- gence services), transnational criminal groups and enterprises, and indiv- idual computer hackers. Recent intrusions and exploitations have resulted in the theft of significant amounts of unclassified data from many execu- tive departments and agencies, as well as information regarding the vul- nerabilities of Federal Systems. The unclassified networks of the Depart- ments of Defense, State, Homeland Security, and Commerce, among others, have suffered intrusions against their networks and exploitations of their data. Accordingly, the Homeland Security Council has determined that the deployment of a multi-layered network defense system is neces- sary to protect Federal Systems against these ongoing computer intrusions and exploitations carried out by a broad array of cyber adversaries. The first layer of this network-defense system is known as EINSTEIN 1.0 and already is in place across segments of several Executive Branch agencies. EINSTEIN 1.0 is a semi-automated process for detecting— albeit after the fact—inappropriate or unauthorized inbound and outbound

64 Use of the EINSTEIN 2.0 Intrusion-Detection System

network traffic between participating departments and agencies and the Internet. The United States Computer Emergency Readiness Team (“US- CERT”), an organizational component of DHS, administers EINSTEIN 1.0. EINSTEIN 1.0 analyzes only “packet header” information—and not packet “payload” (content) information—for inbound and outbound Internet traffic of participating agencies. 2 The header information collect- ed by EINSTEIN 1.0 technology includes: the source and destination IP addresses for the packet, the size of the data packet, the specific Internet protocol used (for e-mail, the Simple Mail Transfer Protocol and, for use of the World Wide Web, the Hypertext Transport Protocol), and the date and time of transmission of the packet (known as “the date/time stamp”). EINSTEIN 1.0 collects this information only after packets already have been sent or received by a user and, thus, does not provide real-time information regarding network intrusions and exploitations against Feder- al Systems. US-CERT analysts examine the header information to identify suspicious inbound and outbound Internet traffic, particularly network backdoors and intrusions, network scanning activities, and computer network exploitations using viruses, worms, spyware, bots, Trojan horses, and other “malware.” EINSTEIN 1.0 contains several limitations. First, it does not provide real-time reporting regarding intrusions and exploitations against Federal Systems. Second, it does not cover all Federal Systems, and, therefore, does not provide complete awareness regarding malicious network activi- ty directed against those systems. Third, because EINSTEIN 1.0 does not scan packet content, it does not offer complete intrusion and exploitation detection functionality.

2 The Internet consists of millions of computers connected by a network of fiber-optic

cables and other data-transmission facilities. Data transmitted across the Internet are broken down into “packets” that are sent out from one computer to another. Each packet is directed (routed) to its intended source from its respective destination by an Internet Protocol address (“IP address”). An IP address is a unique numerical address, akin to a phone number or physical address, identifying each computer on the Internet. Each packet may follow a different route to its ultimate IP address destination, traveling over the networks of several different Internet backbone providers and Internet Service Providers (“ISPs”) before arriving at the destination. Upon arrival at the destination, the packets are reconstituted. See generally Jonathan E. Nuechterlein & Philip J. Weiser, Digital Cross- roads 121–28 (2005).

65 33 Op. O.L.C. 63 (2009)

We understand that many executive departments and agencies supple- ment EINSTEIN 1.0 with their own intrusion-detection systems, which are designed to identify network intrusions and exploitations conducted against their own computer systems. In addition, individual departments and agencies also operate their own network filters to block certain unau- thorized content, such as Internet pornography and file-sharing activities, among others. We understand, however, that there is little or no coordina- tion or communication among Executive Branch entities conducting these individualized network defense activities. Accordingly, multiple depart- ments facing the same intrusion or exploitation might have no idea that they are all facing a coordinated malicious network operation. Nor would departments or agencies that have not yet been subject to the intrusion or exploitation have advanced warning of the activity, such that they could upgrade their defenses. Hence, the lack of cybersecurity collaboration within the Executive Branch leads to inefficient network defensive measures that contribute to the ongoing vulnerability of Federal Systems. To rectify this situation, DHS, in conjunction with OMB, is deploying throughout the Executive Branch an intrusion-detection system known as EINSTEIN 2.0 to provide greater coordination and situational awareness regarding malicious network activities directed against Federal Systems. EINSTEIN 2.0 is a robust system that is expected to overcome the tech- nical limitations of EINSTEIN 1.0. EINSTEIN 2.0 technology is com- prised of computers (“sensors”) configured with commercial “off-the- shelf ” intrusion-detection software as well as government-developed software. That technology will be located at certain Internet access points known as Trusted Internet Connections (“TICs”), which connect Federal Systems to the Internet. EINSTEIN 2.0 intrusion-detection sensors will observe in near-real time the packet header and packet content of all incoming and outgoing Internet traffic of Federal Systems (“Federal Systems Internet Traffic”) for the “signatures” of malicious computer code used to gain access to or to exploit Federal Systems. 3 See generally NIST Special Publication No.

3 By the term “malicious computer code,” we mean not only “malware,” such as virus- es, spyware, and Trojan horses, but also malicious network intrusion and exploitation activities, such as identifying network backdoors and network scanning activities, and so- called “social engineering” activities, such as “phishing” exploits that seek usernames, passwords, social security numbers, or other personal information.

66 Use of the EINSTEIN 2.0 Intrusion-Detection System

800-94 (2007) (discussing signature-based detection techniques). Because Internet traffic is IP address-based, we understand that only Federal Systems Internet Traffic destined to or sent from an IP address associated with an executive department or agency participating in EINSTEIN 2.0 (“EINSTEIN 2.0 Participant”) would be scanned by EINSTEIN 2.0 tech- nology. Thus, EINSTEIN 2.0 technology will scan only the Federal Sys- tems Internet Traffic for EINSTEIN 2.0 Participants that connect to the Internet at TICs. DHS has the responsibility for determining which signatures to pro- gram into the EINSTEIN 2.0 sensors, pursuant to procedures developed by DHS. Signatures may be derived from several sources, including commercial computer security services, publicly available computer security information, privately reported incidents to US-CERT, in-depth analysis by US-CERT analysts, and other federal partners involved in computer defense. We understand that from information obtained through these sources, DHS will create signatures based upon known malicious computer code to guide the operations of EINSTEIN 2.0 sensors. EINSTEIN 2.0 sensors will not scan actual Federal Systems Internet Traffic for malicious computer code as that traffic is in transmission, but instead will scan a temporary copy of that traffic created solely for the purpose of scanning by the sensors. The “original” Federal Systems Internet Traffic will continue to its destination without being scanned by EINSTEIN 2.0 sensors; thus, EINSTEIN 2.0 operations will not disrupt the normal operations of Federal Systems. But EINSTEIN 2.0 technology will create a temporary mirror image of all Federal Systems Internet Traffic of EINSTEIN 2.0 Participants for parallel scanning by the sensors. The temporary copy of Federal Systems Internet Traffic is created only for identifying known signatures. When EINSTEIN 2.0 sensors identify Federal Systems Internet Traffic containing packets with malicious com- puter code matching a signature, EINSTEIN 2.0 technology is designed to generate—in near-real time—an automated alert about the detected signa- ture. The alert generally will not contain the content of the packet, but will include header information, such as the source or remote IP address associated with the traffic that generated the alert, metadata regarding the type of signature that was detected, and the date/time stamp. In addition to generating automated alerts, EINSTEIN 2.0 operations will both acquire and store data packets from the mirror copy of Federal

67 33 Op. O.L.C. 63 (2009)

Systems Internet Traffic that are associated with a detected signature. Those packets, which may include the full content of Internet communica- tions, such as e-mails, may be reviewed by analysts from US-CERT and other authorized persons involved in computer network defense. We understand that no packets other than those associated with a known signature will be acquired and stored. Accordingly, we understand that the vast majority of packets that are not associated with malicious computer code matching a signature will be deleted promptly. See DHS, Privacy Impact Assessment for EINSTEIN 2, at 12 (May 18, 2008) (stating that all “clean traffic” is promptly deleted). We have been informed that EINSTEIN 2.0 operations are expected to improve substantially the government’s ability to defend Federal Systems against intrusions and exploitations. EINSTEIN 2.0 operations will sup- plement—and not replace—the current individualized computer network security defenses of executive departments and agencies with a central- ized and coordinated network defense system operated by DHS. That centralization and coordination of information regarding all Federal Systems Internet Traffic is expected to facilitate real-time situational awareness regarding malicious network activity across all Federal Sys- tems. Improved situational awareness in turn will facilitate improved defensive measures, such as minimizing network vulnerabilities and alerting users of Federal Systems about particular malicious computer code detected against particular EINSTEIN 2.0 Participants. By sharing information throughout the Executive Branch regarding signatures detect- ed in Federal Systems Internet Traffic, EINSTEIN 2.0 operations should facilitate improved defenses against known malicious computer code. As part of enrolling in EINSTEIN 2.0 operations, each EINSTEIN 2.0 Participant is required to enter into a memorandum of agreement (“MOA”) with DHS. We understand that the MOA will require an EINSTEIN 2.0 Participant to certify that it has implemented procedures to provide appropriate notice to its employees that by using government- owned information systems, the employee acknowledges and consents to the monitoring, interception, and search of his communications transiting through or stored on those systems, and that the employee has no reason- able expectation of privacy in his use of those systems. 4 Those procedures

4 Throughout this memorandum we refer to “Executive Branch employees” and to the

“employees” of EINSTEIN 2.0 Participants. By using the word “employees,” we do not

68 Use of the EINSTEIN 2.0 Intrusion-Detection System

are to include computer-user agreements, log-on banners, and computer- training programs. We understand that DHS must receive that certification from each EINSTEIN 2.0 Participant before any of the Participant’s Federal Systems Internet Traffic can be scanned by EINSTEIN 2.0 tech- nology. EINSTEIN 2.0 Participants will not be required to use a specific banner or user agreement. We have been advised that given the diversity of missions and organizations among departments and agencies within the Executive Branch and the varying technical constraints faced by those entities, there simply is no one-size-fits-all solution for providing notice to and obtaining the consent of employees for EINSTEIN 2.0 operations. We have been informed, however, that the MOA will include model log- on banner and model computer-user agreement language for EINSTEIN 2.0 Participants to consider in crafting their own banners and user agree- ments. The model language, which was developed by lawyers from DOJ with the input and advice of lawyers from DHS and other interested departments and agencies, is as follows: • You are accessing a U.S. Government information system, which includes (1) this computer, (2) this computer network, (3) all computers connected to this network, and (4) all devices and stor- age media attached to this network or to a computer on this net- work. This information system is provided for U.S. Government- authorized use only. • Unauthorized or improper use of this system may result in disci- plinary action, as well as civil and criminal penalties. • By using this information system, you understand and consent to the following: ◦ You have no reasonable expectation of privacy regarding com- munications or data transiting or stored on this information sys- tem.

mean to limit the requirement to provide appropriate notice and consent to only those persons in a common law employment relationship with the federal government. Rather, the term “employees” in this memorandum should be understood to include “employees” as well as “officers,” “contractors,” and “agents” of EINSTEIN 2.0 Participants.

69 33 Op. O.L.C. 63 (2009)

◦ At any time, and for any lawful government purpose, the Gov- ernment may monitor, intercept, and search any communication or data transiting or stored on this information system. ◦ Any communications or data transiting or stored on this infor- mation system may be disclosed or used for any lawful gov- ernment purpose. [click button: I AGREE] The model computer-user agreement language contains the same substan- tive terms as the model log-on banner, except that it requires a computer user to sign a document indicating that the user “understand[s] and con- sent[s]” to the foregoing terms. Although we understand that EINSTEIN 2.0 Participants will not be required to use the exact model log-on banner and model computer-user agreement language, each EINSTEIN 2.0 Par- ticipant must certify that its log-on banners, computer-user agreements, and other computer policies contain language that demonstrates consent is “clearly given” and “clearly obtained” before EINSTEIN 2.0 becomes operational for the Participant’s Federal Systems Internet Traffic. 5 DOJ has advised that with the consistent adoption, implementation, and enforcement of appropriate consent and notification procedures, EINSTEIN 2.0 operations would comply with the Fourth Amendment to the Constitution of the United States, the Wiretap Act, FISA, the SCA,

5 For example, DOJ already has in place a log-on banner that we believe would satisfy

the MOA’s certification criteria. DOJ’s banner at present provides: • You are accessing a U.S. Government information system, which includes (1) this computer, (2) this computer network, (3) all computers connected to this network, and (4) all devices and storage media attached to this network or to a computer on this network. This information system is provided for U.S. Government-authorized use only. • Unauthorized or improper use of this system may result in disciplinary action, as well as civil and criminal penalties. • By using this information system, you understand and consent to the following: ◦ You have no reasonable expectation of privacy regarding any communications transmitted through or data stored on this information system. ◦ At any time, the Government may monitor, intercept, search and/or seize data transiting or stored on this information system. ◦ Any communications transmitted through or data stored on this information sys- tem may be disclosed or used for any U.S. Government-authorized purpose. [click button: I AGREE]

70 Use of the EINSTEIN 2.0 Intrusion-Detection System

and the Pen/Trap Act. The Department arrived at these conclusions after a lengthy review by the Office of the Deputy Attorney General, this Office, and, with respect to the statutes for which they have expertise, the Nation- al Security Division and the Computer Crimes and Intellectual Property Section of the Criminal Division. This memorandum explains the reason- ing for those conclusions.

II.

We first explain the reasoning behind DOJ’s conclusion that the de- ployment, testing, and use of EINSTEIN 2.0 technology complies with the Fourth Amendment where each EINSTEIN 2.0 Participant consistently adopts and implements the model log-on banner or model computer-user agreement—or a log-on banner or computer-user agreement containing substantially equivalent terms establishing that the consent of its employ- ees is “clearly given” and “clearly obtained.”

A.

The Fourth Amendment provides in relevant part: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause . . . .” U.S. Const. amend. IV. Gov- ernment activity implicates the protections of the Fourth Amendment where it constitutes a “search” or a “seizure” within the meaning of the Fourth Amendment. The Supreme Court has said that a “search” occurs where the government infringes upon a person’s legitimate expectation of privacy, consisting of both an actual, subjective expectation of privacy as well as an objectively reasonable expectation of privacy—“i.e., one that has a source outside the Fourth Amendment, either by reference to con- cepts of real or personal property law or to understandings that are recog- nized and permitted by society.” Minnesota v. Carter, 525 U.S. 83, 88 (1998) (internal quotation marks omitted). We think it plain that computer users exchanging Internet communica- tions through Federal Systems lack a legitimate expectation of privacy in certain specific categories of data that will be subject to scanning by EINSTEIN 2.0 technology. There is no objectively reasonable expectation of privacy in information regarding the to/from addresses for e-mails, the IP addresses of websites visited, the total traffic volume of the user, and 71 33 Op. O.L.C. 63 (2009)

other addressing and routing information conveyed for the purpose of transmitting Internet communications to or from a user. See Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892, 904–05 (9th Cir. 2008); United States v. Forrester, 512 F.3d 500, 510 (9th Cir. 2008); see also Smith v. Maryland, 442 U.S. 735, 743–44 (1979) (no legitimate expecta- tion of privacy in dialing, routing, addressing, and signaling information transmitted to telephone companies). E-mail addresses and IP addresses provide addressing and routing information to an Internet Service Provid- er (“ISP”) in the same manner as a telephone number provides switching information to a telephone company. Forrester, 512 F.3d at 510. Just as a telephone user has no objectively reasonable expectation of privacy in telephone numbers voluntarily turned over to the phone company to enable switching of a phone call, an Internet user has no such expectation of privacy in routing information submitted to an ISP in order to deliver an Internet communication. Id. That routing information also is akin to the addressing information written on the outside of a first-class letter, which also is not constitutionally protected. Id. at 511 (“E-mail, like physical mail, has an outside address ‘visible’ to the third-party carriers that trans- mit it to its intended location.”). With respect to information regarding the total volume of data received and transmitted by an Internet user, that information is no different from the information produced by a pen regis- ter regarding the number of incoming and outgoing calls at a particular phone number; and the Supreme Court has long held that an individual has no legitimate expectation of privacy in such information, which already has been exposed to a telecommunications carrier for the purpose of routing a communication. Id. Therefore, because there is no legitimate expectation of privacy with respect to the foregoing information transmit- ted for the purpose of routing Internet communications, the scanning of that information by EINSTEIN 2.0 technology does not constitute a “search” subject to the restrictions of the Fourth Amendment. With respect to a user’s expectation of privacy in the content of an In- ternet communication (such as an e-mail), we assume for the purposes of this memorandum that a computer user generally has a legitimate expecta- tion of privacy in that content while it is in transmission over the Internet. To date, the federal courts appear to agree that the sender of an e-mail, like the sender of a letter via first-class mail, has an objectively reasona- ble expectation of privacy in the content of a message while it is in trans- mission. See, e.g., United States v. Lifshitz, 369 F.3d 173, 190 (2d Cir.

72 Use of the EINSTEIN 2.0 Intrusion-Detection System

2004) (analogizing expectation of e-mail user in privacy of e-mail to expectation of individuals communicating by regular mail); United States v. Maxwell, 45 M.J. 406, 418 (C.A.A.F. 1996) (sender of an e-mail gener- ally “enjoys a reasonable expectation that police officials will not inter- cept the transmission without probable cause and a search warrant”); see also Quon, 529 F.3d at 905 (“[U]sers do have a reasonable expectation of privacy in the content of their text messages vis-à-vis the service provid- er.”). 6 Here, EINSTEIN 2.0 technology will scan a mirror copy of the packet content of Federal Systems Internet Traffic—including packets that are part of e-mails—for malicious computer code associated with a signature while the e-mail is in transmission, and, thus, while a sender of the e-mail, we assume, generally retains an expectation of privacy in the content of that communication. Hence, the precise question for us is whether the Executive Branch’s automatic scanning of Federal Systems Internet Traffic for malicious computer code would implicate a computer user’s legitimate expectation of privacy in the content of his Internet communi- cations. We consider the privacy expectations of two groups of computer users: (1) Executive Branch employees and (2) private individuals com- municating with specific Executive Branch employees or with Executive Branch departments or agencies more generally.

6 It also appears that the federal courts agree that, again like the sender of a first-class

letter, an individual has a “diminished” expectation of privacy in the content of an e-mail that “ha[s] already arrived at the recipient.” Lifshitz, 369 F.3d at 190 (internal citations omitted); see Guest v. Leis, 225 F.3d 325, 333 (6th Cir. 2001) (individual does not have a reasonable expectation of privacy “in an e-mail that had already reached its recipient; at this moment, the e-mailer would be analogous to a letter-writer, whose expectation of privacy ordinarily terminates upon delivery of the letter”); Maxwell, 45 M.J. at 417 (once an e-mail, like a letter, “is received and opened, the destiny of the [e-mail] then lies in the control of the recipient . . . , not the sender”); United States v. Jones, No. 03-15131, 149 F. Appx. 954, 959 (11th Cir. Sept. 20, 2005) (unpublished) (“We have not addressed previously the existence of a legitimate expectation of privacy in text messages or e-mails. Those circuits that have addressed the question have compared e-mails with letters sent by postal mail. Although letters are protected by the Fourth Amendment, ‘if a letter is sent to another, the sender’s expectation of privacy ordinarily terminates upon delivery.’” (quoting United States v. King, 55 F.3d 1193, 1195–96 (6th Cir. 1995)).

73 33 Op. O.L.C. 63 (2009)

1.

We first address the expectations of Executive Branch employees. The Supreme Court has rejected the contention that public employees “can never have a reasonable expectation of privacy in their place of work.” O’Connor v. Ortega, 480 U.S. 709, 717 (1987) (plurality); id. at 729–31 (Scalia, J., concurring). “Individuals do not lose Fourth Amendment rights merely because they work for the government instead of a private em- ployer.” Id. at 717 (plurality). Nevertheless, there are reasons to doubt that an Executive Branch employee has a legitimate expectation of priva- cy in the content of his Internet communications made using government- owned information systems. The text of the Fourth Amendment protects the right of the people to be secure only in “their persons, houses, papers, and effects.” U.S. Const. amend. IV (emphasis added). Although an individual generally possesses a legitimate expectation of privacy in his own personal computer, e.g., United States v. Heckenkamp, 482 F.3d 1142, 1146 (9th Cir. 2007); Lifshitz, 369 F.3d at 190, it is less clear that an Executive Branch employee has a legitimate expectation of privacy in Internet communications he makes using a computer that is the property of the United States government, provided by the taxpayers for his use at work. Cf. Muick v. Glenayre Elecs., 280 F.3d 741, 743 (7th Cir. 2002) (Posner, J.) (employee “had no right of privacy in the computer that [his private employer] had lent him for use in the workplace”); but cf. United States v. Slanina, 283 F.3d 670, 677 (5th Cir. 2002) (employee had rea- sonable expectation of privacy in use of city-owned computer where there was no “city policy placing Slanina on notice that his computer usage would be monitored” and there was no “indication that other employees had routine access to his computer”), vacated on other grounds, 537 U.S. 802 (2002). A government employee lacks an ownership or other property interest in the computer he uses at work; and he especially lacks any such interests in the Federal Systems—the network infrastructure that the government provides to enable its employees to access the Internet—that, unlike his personal computer, ordinarily is not within his day to day control. As a general matter, however, the Supreme Court has held that there may be circumstances in which a government employee has a legitimate expectation of privacy in the contents of governmental property that the employee uses or controls at work, such as an office or a locked desk

74 Use of the EINSTEIN 2.0 Intrusion-Detection System

drawer. See O’Connor, 480 U.S. at 716–19 (1987) (plurality opinion) (public employee has a reasonable expectation of privacy in personal items, papers, and effects in office, desk, and file cabinets provided by public employer); id. at 730–31 (Scalia, J., concurring) (government employee has a legitimate expectation of privacy in the contents of his office). And the Court also has made it clear that property interests are not conclusive regarding the legitimacy of an individual’s expectation of privacy. See Oliver v. United States, 466 U.S. 170, 183 (1984) (“The existence of a property right is but one element in determining whether expectations of privacy are legitimate.”); Warden v. Hayden, 387 U.S. 294, 304 (1967) (“The premise that property interests control the right of the Government to search and seize has been discredited.”); see also Legality of Television Surveillance in Government Offices, 3 Op. O.L.C. 64, 66–67 (1979) (government ownership of office insufficient to estab- lish employee’s lack of expectation of privacy where “in a practical sense” the employee exercises exclusive use of the office) (“Television Surveillance”); but cf. United States v. Ziegler, 474 F.3d 1184, 1191 (9th Cir. 2007) (private employee’s “workplace computer . . . is quite different from the” property described in O’Connor, because the computer was owned by the company, was controlled jointly by the company and the employee, and was monitored to ensure that employees did not visit pornographic or other inappropriate websites). Instead, whether, in a particular circumstance, a government employee has a legitimate expectation of privacy in his use of governmental proper- ty at work is determined by “[t]he operational realities of the workplace” and “by virtue of actual office practices and procedures, or by legitimate regulation.” O’Connor, 480 U.S. at 717 (plurality); see United States v. Simons, 206 F.3d 392, 398 (4th Cir. 2000) (“[O]ffice practices, proce- dures, or regulations may reduce legitimate privacy expectations.”). Here, we believe that an Executive Branch employee will not have a legitimate expectation of privacy in the content of his Internet communications transmitted over government-owned information systems, provided that EINSTEIN 2.0 Participants consistently adopt, implement, and enforce appropriate consent and notification procedures, such as the model log-on banner or model computer-user agreement. Although the Supreme Court has not addressed the issue, the federal courts of appeals have held that the use of log-on banners or computer- user agreements, such as the models provided by DHS to EINSTEIN 2.0

75 33 Op. O.L.C. 63 (2009)

Participants, can eliminate any legitimate expectation of privacy in the content of Internet communications made at work using government- owned information systems. For example, in Simons, the computer-use policy at the Foreign Bureau of Information Services (“FBIS”), a division of the Central Intelligence Agency, expressly noted that FBIS would “‘audit, inspect, and/or monitor’” employees’ use of the Internet, “includ- ing all file transfers, all websites visited, and all e-mail messages, ‘as deemed appropriate.’” 206 F.3d at 398 (quoting policy). The Fourth Circuit held that this policy “placed employees on notice that they could not reasonably expect that their Internet activity would be private” and that, “in light of the Internet policy, Simons lacked a legitimate expecta- tion of privacy” in his use of the Internet at work. Id. Likewise, in United States v. Angevine, 281 F.3d 1130 (10th Cir. 2002), the Tenth Circuit held that a professor at a state university had no reason- able expectation of privacy in his Internet use in light of a broadly worded computer-use policy and log-on banner. The computer-use policy stated that the university “‘reserves the right to view or scan any file or software stored on the computer or passing through the network, and will do so periodically’” and has “‘a right of access to the contents of stored compu- ting information at any time for any purpose which it has a legitimate need to know.’” Id. at 1133 (quoting policy). The log-on banner provided that “‘all electronic mail messages . . . contain no right of privacy or confidentiality except where Oklahoma or Federal statutes expressly provide for such status,’” and that the university may “‘inspect electronic mail usage by any person at any time without prior notice as deemed necessary to protect business-related concerns . . . to the full extent not expressly prohibited by applicable statutes.’” Id. (quoting banner). The court held that these notices prevent university employees “from reasona- bly expecting privacy in data downloaded from the Internet onto [u]niversity computers,” because users are warned that data “is not confi- dential either in transit or in storage” and that “network administrators and others were free to view data downloaded from the Internet.” Id. at 1134. The Eighth Circuit came to the same conclusion in United States v. Thorn, 375 F.3d 679 (8th Cir. 2004), vacated on other grounds, 543 U.S. 1112 (2005). In Thorn, a state employee had acknowledged in writing a computer-use policy, which warned that employees “‘do not have any personal privacy rights regarding their use of [the agency’s] information

76 Use of the EINSTEIN 2.0 Intrusion-Detection System

systems and technology. An employee’s use of [the agency’s] information systems and technology indicates that the employee understands and consents to [the agency’s] right to inspect and audit all such use as de- scribed in this policy.’” Id. at 682 (quoting policy). As a result of this policy, the court held that the state employee “did not have any legitimate expectation of privacy with respect to the use and contents of his [work] computer,” because under the agency’s policy, employees have “no per- sonal right of privacy with respect to their use of the agency’s computers” and provides the state with a “right to access all of the agency’s comput- ers.” Id. at 683. The decisions of other federal courts that have addressed the issue sup- port the proposition that actual and consistent use of log-on banners or computer-user agreements can eliminate any legitimate expectation of an employee in the privacy with respect to his Internet communications using government-owned information systems. See Biby v. Bd. of Regents, 419 F.3d 845, 850–51 (8th Cir. 2005) (university computer policy warning user “not to expect privacy if the university has a legitimate reason to conduct a search” and that “computer files, including e-mail, can be searched” under certain conditions eliminates any reasonable expectation of privacy the use of the computer network); Muick, 280 F.3d at 743 (employer’s announced policy of inspecting work computers “destroyed any reasonable expectation of privacy”); United States v. Monroe, 52 M.J. 326, 330 (C.A.A.F. 1999) (no reasonable expectation of privacy that network administrators would not review e-mail where banner stated that “users logging on to this system consent to monitoring”); see also Heckenkamp, 482 F.3d at 1147 (“[P]rivacy expectations may be reduced if the user is advised that information transmitted through the network is not confidential and that the systems administrators may monitor commu- nications transmitted by the user.”) (citing Angevine, 281 F.3d at 1134, and Simons, 206 F.3d at 398); cf. Slanina, 283 F.3d at 677 (“[G]iven the absence of a city policy placing Slanina on notice that his computer usage would be monitored and the lack of any indication that other employees had routine access to his computer, we hold that Slanina’s expectation of privacy was reasonable.”); Leventhal v. Knapek, 266 F.3d 64, 73–74 (2d Cir. 2001) (public employee had reasonable expectation of privacy in the contents of his office computer because his employer neither “had a general practice of routinely conducting searches of office computers” nor

77 33 Op. O.L.C. 63 (2009)

“had placed [him] on notice that he should have no expectation of privacy in the contents of his office computer”). In light of these decisions, we believe that an Executive Branch em- ployee who has clicked through the model log-on banner or signed the model computer-user agreement—or a log-on banner or computer-user agreement containing substantially equivalent terms—would not have a legitimate expectation of privacy in the contents of Internet communica- tions made using government-owned information systems and transmitted over Federal Systems. The model log-on banner is explicit and compre- hensive regarding an employee’s lack of a legitimate expectation of privacy in his use of government-owned information systems. That banner states that the information system the employee uses is the property of the government and “is provided for U.S. Government-authorized use only.” The user “understand[s] and consent[s]” that: he has “no reason- able expectation of privacy regarding communications or data transiting or stored” on that information system; “[a]t any time, and for any lawful government purpose, the Government may monitor, intercept, and search any communication or data transiting or stored” on the information sys- tem; and any communications transmitted through or data stored on the information system “may be disclosed or used for any lawful government purpose.” See supra pp. 69–70. We believe that the current DOJ banner, which deviates from the model log-on banner and the model computer- user agreement language in some respects, is to the same effect. See supra note 5. Both the model log-on banner and computer-user agree- ment and the current DOJ log-on banner are at least as robust as—and we think they are even stronger than—the materials that eliminated an em- ployee’s legitimate expectation of privacy in the content of Internet com- munications in Simons, Angevine, Thorn, Biby, and Monroe. Therefore, we believe that adoption of the language in those model materials by EINSTEIN 2.0 Participants would eliminate their employees’ legitimate expectations of privacy in their uses of government-owned information systems with respect to the lawful government purpose of protecting Federal Systems against network intrusions and exploitations. It is important to note, however, that the use of log-on banners or com- puter-user agreements may not be sufficient to eliminate an employee’s legitimate expectation of privacy if the statements and actions of Execu- tive Branch officials contradict these materials. Recently, in Quon v. Arch Wireless Operating Company, the Ninth Circuit held that a police officer

78 Use of the EINSTEIN 2.0 Intrusion-Detection System

had a legitimate expectation of privacy in the contents of text messages sent and received on his department-provided pager notwithstanding departmental policies, because informal guidance from the officer’s superiors had established, in practice, that the department would not monitor the content of his text messages. 529 F.3d at 906–07. Thus, the “operational reality” at the department established a reasonable expecta- tion of privacy in the text messages sent through a department-provided pager. Id. at 907 (quoting O’Connor, 480 U.S. at 717). In light of Quon, management officials at EINSTEIN 2.0 Participants should be careful not to make statements—either formal or informal—or to adopt practices that contradict the clear position in a log-on banner or a computer-user agree- ment that an employee has no legitimate expectation of privacy in his use of government-owned information systems.

2.

We next consider whether an individual in the private sector communi- cating with an Executive Branch employee (such as where an individual sends an e-mail to either the employee’s governmental—i.e., work—or personal e-mail account) or with an EINSTEIN 2.0 Participant directly (such as where an individual browses the website of the participating department or agency) has a legitimate expectation of privacy in the content of those communications. We conclude that he does not, provided that EINSTEIN 2.0 Participants consistently adopt, implement, and en- force notice and consent procedures for Executive Branch employees, such as the model log-on banner or model computer-user agreement, or banners or user agreements with terms that are substantially equivalent to those models. The Supreme Court has held repeatedly that “[t]he Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited pur- pose and the confidence placed in the third party will not be betrayed.” United States v. Miller, 425 U.S. 435, 443 (1976); see SEC v. Jerry T. O’Brien, Inc., 467 U.S. 735, 743 (1984) (“[W]hen a person communicates to a third party even on the understanding that the communication is confidential, he cannot object if the third party conveys that information or records thereof to law enforcement authorities.”); Smith, 442 U.S. at

79 33 Op. O.L.C. 63 (2009)

743–44 (“[A] person has no legitimate expectation of privacy in infor- mation he voluntarily turns over to third parties.”). Accordingly, “[i]t is well[ ]settled” that where a person “reveals private information to another, he assumes the risk that his confidant will reveal that information to the authorities, and if that occurs the Fourth Amendment does not prohibit governmental use of that information.” United States v. Jacobsen, 466 U.S. 109, 117 (1984). We believe this principle applies to a person e-mailing an Executive Branch employee at the employee’s personal e-mail account, where the employee has agreed to permit the government to monitor, intercept, and search all of his Internet communications and data transiting government- owned information systems. By clicking through the model log-on banner or agreeing to the terms of the model computer-user agreement, an Execu- tive Branch employee gives ex ante permission to the government to intercept, monitor, and search “any communications” and “any data” transiting or stored on a government-owned information system for any “lawful purpose.” That permission necessarily includes the interception, monitoring, and searching of all personal communications and data sent or received by an employee using that system for the purpose of protect- ing Federal Systems against malicious network activity. 7 Therefore, an individual who communicates with an employee who has agreed to permit the government to intercept, monitor, and search any personal use of the employee’s government-owned information systems has no Fourth

7 The language of the model log-on banner and model computer-user agreement unam- biguously applies to “any” communications and “any” data transiting through or stored on a government-owned information system and clearly eliminates any reasonable expecta- tion of privacy that a user could have with respect to such communications and data. Nevertheless, if a participating department or agency wished to add even more express notice that those terms apply to personal communications and personal data that an employee sends, receives, or stores using a government-owned information system, such as the use of personal web-based e-mail accounts at work, the department or agency could do so in several ways. To be clear, we do not believe that any such efforts are legally required. But should a participating department or agency decide to go even further than the robust protection afforded by the model language, it would have several options at its disposal. For example, the department or agency could include in its log-on banner or computer-user agreement express language regarding personal communications or data. Or it could notify employees through computer training and certification programs that any personal use of government-owned information systems by an employee is subject to interception, monitoring, and searching.

80 Use of the EINSTEIN 2.0 Intrusion-Detection System

Amendment right to prohibit the government from doing what the em- ployee has authorized. See Jerry T. O’Brien, Inc., 467 U.S. at 743; Jacob- sen, 466 U.S. at 117; Miller, 425 U.S. at 443. This well-settled Fourth Amendment principle applies even where, for example, the sender of an e-mail to an employee’s personal, web-based e-mail account (such as G-mail or Hotmail) does not know of the recipi- ent’s status as a federal employee or does not anticipate that the employee might read an e-mail sent to a personal e-mail account at work. Indeed, it is well established that a person communicating with another (who turns out to be an agent for the government) assumes the risk that the person has agreed to permit the government to monitor the contents of that com- munication. See, e.g., United States v. White, 401 U.S. 745, 749–51 (1971) (plurality opinion) (no Fourth Amendment protection against government monitoring of communications through transmitter worn by undercover operative); Hoffa v. United States, 385 U.S. 293, 300–03 (1966) (information disclosed to individual who turns out to be a govern- ment informant is not protected by the Fourth Amendment); Lopez v. United States, 373 U.S. 427, 439 (1963) (same); Rathbun v. United States, 355 U.S. 107, 111 (1957) (“Each party to a telephone conversation takes the risk that the other party may have an extension telephone and may allow another to overhear the conversation. When such takes place there has been no violation of any privacy of which the parties may com- plain.”); United States v. Coven, 662 F.2d 162, 173–74 (2d Cir. 1981) (individual has no expectation of privacy in documents given to or acces- sible by undercover informant). Therefore, where an employee agrees to let the government intercept, monitor, and search any communication or data sent, received, or stored by a government-owned information system, the government’s interception of the employee’s Internet communications with individuals outside the Executive Branch does not infringe upon those individuals’ legitimate expectations of privacy. See also infra pp. 83–89 (consent of employee). We also think it clear that an individual submitting information directly to an EINSTEIN 2.0 Participant through the Internet—such as where an individual submits an application online or browses the public website of the Participant—has no legitimate expectation of privacy in the contents of any information that he transmits to the department or agency. An individual has no expectation of privacy in communications he makes to a known representative of the government. See United States v. Caceres,

81 33 Op. O.L.C. 63 (2009)

440 U.S. 741, 750–51 (1979) (individual has no reasonable expectation of privacy in communications with IRS agent made in the course of an audit); cf. Transmission by a Wireless Carrier of Information Regarding a Cellular Phone User’s Physical Location to Public Safety Organizations, 20 Op. O.L.C. 315, 321 (1996) (individual calling 911 lacks a reasonable expectation that information regarding his location will not be transmitted to public safety organizations) (“Caller ID”). Furthermore, an individual who communicates information to another individual who turns out to be an undercover agent of the government has no legitimate expectation of privacy in the content of that information. See supra p. 81. A fortiori, where an individual is communicating with a declared agent of the gov- ernment—here, an executive department or agency—the individual does not have a legitimate expectation that his communication would not be monitored or acquired by the government. It also is well established that an individual does not have any legitimate expectation of privacy in information that he reveals to a third party. See supra p. 79; see also United States v. Ganoe, 538 F.3d 1117, 1127 (9th Cir. 2008) (individual has no legitimate expectation of privacy in computer files he made acces- sible to others); United States v. King, 509 F.3d 1338, 1342 (11th Cir. 2007) (individual has no legitimate expectation of privacy in computer files shared with others over network on military base). Hence, an indi- vidual could not possibly have a legitimate expectation of privacy in communications he shares directly with a department or agency of the government. Indeed, the entire purpose of his online communication is for the government to receive the content of his message. Cf. Caller ID, 20 Op. O.L.C. at 321 (purpose of calling 911 is to request governmental aid in an emergency). Therefore, we also do not believe that EINSTEIN 2.0 operations implicate a legitimate expectation of privacy in the content of Internet communications made between private individuals and an EINSTEIN 2.0 Participant.

B.

Even if EINSTEIN 2.0 operations were to constitute a “search” under the Fourth Amendment, we believe that those operations nonetheless would be consistent with that Amendment’s “central requirement” that all searches be reasonable. Illinois v. McArthur, 531 U.S. 326, 330 (2001) (internal quotation marks omitted). Where, as here, the statutes and com-

82 Use of the EINSTEIN 2.0 Intrusion-Detection System

mon law of the founding era do not provide a specific analogue, we ana- lyze the reasonableness of a search in light of traditional judicial stand- ards, balancing the degree of intrusion upon an individual’s privacy in light of the search’s promotion of legitimate governmental interests. Virginia v. Moore, 553 U.S. 164, 168–71 (2008). In many circumstances, a search is unreasonable unless law enforcement officials first obtain a warrant “issued by a neutral magistrate after finding probable cause.” McArthur, 531 U.S. at 330. Yet the Supreme Court also has “made it clear that there are exceptions to the warrant requirement,” id., and that “neither a warrant nor probable cause, nor, indeed, any measure of individualized suspicion, is an indispensable component of reasonableness in every circumstance,” Nat’l Treasury Emps. Union v. Von Raab, 489 U.S. 656, 665 (1989). One well-known exception to the need to obtain a warrant based upon probable cause is where a person consents to the search. See Schneckloth v. Bustamonte, 412 U.S. 218, 219 (1973) (consent is “one of the specifi- cally established exceptions to the requirements of both a warrant and probable cause”). An Executive Branch employee who clicks “I agree” in response to the model log-on banner, enabling him to use government- owned information systems to access the Internet, or an employee who signs the model computer-user agreement, thereby acknowledging his “consent[]” to monitoring of his use of those systems, certainly appears to have consented expressly to the scanning of his incoming and outgoing Internet communications. In the context of public employment, however, merely obtaining the consent of an employee to search is not necessarily coextensive with the requirements of the Fourth Amendment. Such consent must be voluntary and cannot be obtained through duress or coercion. See generally Schneckloth, 412 U.S. at 223–35. Where an employee is confronted with the choice of either consenting to a search or facing adverse employment consequences, it is debatable whether consent is in fact voluntary. An Executive Branch employee who refuses to accept a log-on banner or to sign a computer-user agreement likely will not be able to access his com- puter and, hence, may be unable to perform his duties. See, e.g., Anobile v. Pelligrino, 303 F.3d 107, 124 (2d Cir. 2002) (“[C]oercion may be found where one is given a choice between one’s employment and one’s constitutional rights.”).

83 33 Op. O.L.C. 63 (2009)

Indeed, putting a public employee to the choice of either consenting to an unreasonable search or facing potential adverse employment conse- quences may impose an invalid condition on public employment. Into the first part of the 20th Century, the government “enjoyed plenary authority to condition public employment on the employee’s acceptance of almost any term of employment including terms that restricted constitutional rights.” Memorandum for the Attorney General, from Charles J. Cooper, Assistant Attorney General, Office of Legal Counsel, Re: The Legality of Drug Testing Programs for Federal Employees at 4 (Aug. 25, 1986) (“Drug Testing”). That view has since given way to the doctrine of un- constitutional conditions, which, as applied to public employment, prohib- its the government from conditioning employment on the relinquishment of a constitutional right, such as the First Amendment right to freedom of speech. See, e.g., Pickering v. Bd. of Educ., 391 U.S. 563, 568 (1968) (“‘The theory that public employment, which may be denied altogether may be subjected to any conditions, regardless of how unreasonable, has been uniformly rejected.’”) (quoting Keyishian v. Bd. of Regents, 385 U.S. 589, 605–06 (1967)). More than 20 years ago, we noted that the federal courts of appeals “have generally applied the doctrine of unconstitutional conditions” to conditions of employment that would require government employees to forgo their Fourth Amendment rights against unreasonable searches. Drug Testing at 7 (“[T]here appears to be a consensus that the doctrine of unconstitutional conditions applies in the Fourth Amendment context.”). That statement is just as true today. See, e.g., Anobile, 303 F.3d at 123–25 (search of dormitories of horse-racing industry employees’ pursuant to their written consent unreasonable under the Fourth Amend- ment); McGann v. Ne. Ill. Reg’l Commuter R.R. Corp., 8 F.3d 1174, 1180 (7th Cir. 1993) (“[T]he conditioning of access on the surrender of one’s Fourth Amendment rights raises the specter of an unconstitutional condi- tion.”); McDonell v. Hunter, 807 F.2d 1302, 1310 (8th Cir. 1987) (“If a search is unreasonable, a government employer cannot require that its employees consent to that search as a condition of employment.”); Doyon v. Home Depot U.S.A., Inc., 850 F. Supp. 125, 129 (D. Conn. 1994) (Cabranes, J.) (“[C]onsent to an unreasonable search is not voluntary when required as a condition of employment.”). We do not believe, however, that the unconstitutional conditions doc- trine applies here, because obtaining the consent of employees for EINSTEIN 2.0 operations does not require Executive Branch employees

84 Use of the EINSTEIN 2.0 Intrusion-Detection System

to consent to an unreasonable search. Notwithstanding that the terms of both the model log-on banner and the model computer-user agreement would permit monitoring of an employee’s computer use for purposes other than network defense, we believe that the specific EINSTEIN 2.0 operations to which Executive Branch employees would be asked to consent would be reasonable. 8 Where, as here, an Executive Branch employee is being asked to consent only to a reasonable search, there is no invalid conditioning of public employment on the employee’s relin- quishment of his Fourth Amendment rights against unreasonable searches and no coercion that renders a search involuntary. See, e.g., United States v. Sihler, 562 F.2d 349 (5th Cir. 1977) (prison employee’s consent to routine search of his lunch bag valid); cf. Drug Testing at 7 (“[C]onsent to an unreasonable search is invalid.”) (emphasis added); Anobile, 303 F.3d at 124 (similar); McDonnell, 807 F.2d at 1310 (similar). Thus, the inquiry regarding the voluntariness of an Executive Branch employee’s consent merges with the underlying inquiry regarding the overall reasonableness of EINSTEIN 2.0 operations. 9 See Drug Testing at 7 (“[I]t appears that the government could not insist upon a complete waiver of Fourth Amendment rights as a condition of public employment and that the courts will scrutinize the search under the Fourth Amendment to deter- mine whether it is reasonable.”). Therefore, we turn to the reasonableness of EINSTEIN 2.0 operations. A work-related administrative search by a public employer conducted for a non-law enforcement purpose is not per se unreasonable under the

8 Because the question presented to us is whether an employee’s consent to conduct the particular scanning activities performed by EINSTEIN 2.0 technology would be valid under the Fourth Amendment, we do not address whether there would be valid consent to conduct any other search that could be conducted pursuant to the terms of the model log- on banner or the model computer-user agreement. See Warshak v. United States, 532 F.3d 521, 529–31 (6th Cir. 2008) (en banc) (rejecting premature Fourth Amendment challenge to facial constitutionality of provisions of the Stored Communications Act). 9 Indeed, the consent of an employee is one factor the courts consider in determining

whether a search by a public employer is reasonable. See, e.g., Nat’l Treasury Emps. Union, 489 U.S. at 672 & n.2 (considering consent to drug testing by customs officers as one factor in concluding that such testing was reasonable); United States v. Scott, 450 F.3d 863, 868 (9th Cir. 2006) (“[S]earches of government employees still must be reason- able. . . . The employee’s assent is merely a relevant factor in determining how strong his expectation of privacy is, and thus may contribute to a finding of reasonableness.”) (internal citations omitted).

85 33 Op. O.L.C. 63 (2009)

Fourth Amendment simply because the government has not obtained a warrant based upon probable cause. The Supreme Court has said that “special needs, beyond the normal need for law enforcement,” may render the warrant and probable cause provisions of the Fourth Amendment “impracticable for legitimate work-related, non-investigatory intrusions as well as investigations of work-related misconduct.” O’Connor, 480 U.S. at 725 (plurality opinion) (internal quotation marks and citations omitted); id. at 732 (Scalia, J., concurring) (searches in the government- employment context present “special needs”); see also Nat’l Treasury Emps. Union, 489 U.S. at 665–66 (warrant and probable cause provisions of the Fourth Amendment are inapplicable to a search that “serves special governmental needs, beyond the normal need for law enforcement”); Griffin v. Wisconsin, 483 U.S. 868, 872 (1987) (special needs doctrine applies in circumstances that make the “warrant and probable cause requirement impracticable”). Rather, “public employer intrusions on the constitutionally protected privacy interests of government employees for noninvestigatory, work-related purposes . . . should be judged by the standard of reasonableness under all the circumstances.” O’Connor, 480 U.S. at 726 (plurality); see id. at 732 (Scalia, J., concurring). Here, the government plainly has a lawful, work-related, noninvestiga- tory purpose for the use of EINSTEIN 2.0’s intrusion-detection system, namely the protection of Federal Systems against unauthorized network intrusions and exploitations. See Heckenkamp, 482 F.3d at 1148 (prevent- ing misuse of and damage to university computer network is a lawful purpose); see also Nat’l Treasury Emps. Union, 489 U.S. at 668 (special needs include government’s need to “discover . . . latent or hidden” haz- ards); Federal Information Security Management Act of 2002, Pub. L. No. 107-347, tit. III, 116 Stat. 2899, 2946 (2006) (codifying 44 U.S.C. §§ 3541–3549) (“FISMA”) (establishing purposes and authorities for the protection of federal information systems). As we have already noted, see supra p. 64, there is a substantial history of intrusions and exploitations against Federal Systems. The deployment of EINSTEIN 2.0 technology is designed to provide greater awareness regarding intrusions and exploi- tations against those Systems in order to facilitate improved network defenses against malicious network activity. Those goals are unrelated to the needs of ordinary criminal law enforcement. See Heckenkamp, 482 F.3d at 1147–48 (state university has “separate security interests” in maintaining integrity and security of its network that are unrelated to

86 Use of the EINSTEIN 2.0 Intrusion-Detection System

interest in law enforcement); see also Illinois v. Lidster, 540 U.S. 419, 424 (2004) (although ordinary law enforcement objectives do not qualify as “special needs,” certain distinct “special law enforcement concerns” do); Mich. Dep’t of State Police v. Sitz, 496 U.S. 444 (1990) (upholding highway checkpoint stops designed to detect and prevent drunk driving). It is true that DHS may share alerts of detected signatures associated with malicious computer code with other executive departments and agencies, including law enforcement agencies, as permitted by applicable law and DHS procedures. The disclosure of alert information to law enforcement agencies, however, is at most an ancillary, rather than a central, feature of EINSTEIN 2.0 operations. Cf. Ferguson v. City of Charleston, 532 U.S. 67, 79–80 (2001) (“central and indispensable feature” of hospital policy to screen obstetrics patients for cocaine was to facilitate “the use of law enforcement” tools—arrest and prosecution —“to coerce the pa- tients into substance abuse treatment”); City of Indianapolis v. Edmond, 531 U.S. 32, 44 (2001) (“primary purpose” of narcotics checkpoints is to advance the “general interest” in “ordinary crime control”). We under- stand that EINSTEIN 2.0 operations are for the purpose of protecting Federal Systems, see supra p. 66, and are not conducted in order to ad- vance ordinary law enforcement goals. Therefore, we conclude that EINSTEIN 2.0 operations would advance special governmental needs distinct from the ordinary interest in criminal law enforcement. Furthermore, it would be impracticable to require the government to obtain a warrant based upon probable cause before deploying EINSTEIN 2.0 technology to detect malicious cyber activity against Federal Systems. The need for coordinated situational awareness regarding all intrusions and exploitations against Federal Systems is inconsistent with the re- quirement to obtain a warrant based upon probable cause. See Bd. of Educ. v. Earls, 536 U.S. 822, 828 (2002) (warrant and probable cause requirements are “peculiarly related to criminal investigations and may be unsuited to determining the reasonableness of administrative searches where the government seeks to prevent the development of hazardous conditions”). Indeed, the goal of near-real-time awareness of malicious network activity is incompatible with a requirement to obtain a warrant. Given the constant stream of intrusions and exploitations against Federal Systems and the time it would take to seek and obtain a warrant, it would be entirely impracticable—if not impossible—to identify data packets containing malicious code in near real-time if the government was re-

87 33 Op. O.L.C. 63 (2009)

quired first to obtain a warrant before each such action. See Skinner, 489 U.S. at 623 (interest in dispensing with warrant requirement is at its strongest where “the burden of obtaining a warrant is likely to frustrate the governmental purpose behind the search”) (internal quotation marks omitted). Requiring a particularized warrant based upon probable cause before a scan for each signature would introduce an element of delay, thus frustrating the government’s ability to collect information regarding intrusions and exploitations in a timely manner. See Vernonia Sch. Dist. 47J v. Acton, 515 U.S. 646, 653 (1995) (obtaining a warrant based upon probable cause is not a necessary element of reasonableness where such a requirement “would unduly interfere with the swift and informal” proce- dures needed to facilitate the government’s special needs) (internal quota- tion marks omitted). Moreover, in light of the speed and frequency with which intrusion and exploitation techniques change, requiring the gov- ernment to obtain a warrant to use EINSTEIN 2.0 sensors to protect Federal Systems would require nearly continuous, ongoing, daily supervi- sion by the courts of the details of the government’s network-defense activities. Such supervision would frustrate efforts to protect Federal Systems and to obtain new information regarding advanced intrusion and exploitation techniques. See Heckenkamp, 482 F.3d at 1148 (“[R]equiring a warrant to investigate potential misuse of the university’s computer network would disrupt the operation of the university and the network that it relies upon in order to function.”). For these reasons, we do not believe that EINSTEIN 2.0 operations would be presumptively unreasonable absent a warrant justified by probable cause. Therefore, the reasonableness of EINSTEIN 2.0 operations is measured in light of the “totality of the circumstances,” United States v. Knights, 534 U.S. 112, 118 (2001), in “the context within which a search takes place,” New Jersey v. T.L.O., 469 U.S. 325, 337 (1985). In the context of a workplace search by a public employer, the reasonableness analysis requires balancing the “invasion of the employees’ legitimate expectation of privacy against the government’s need for supervision, control, and the efficient operation of the workplace.” O’Connor, 480 U.S. at 719–20 (plurality); see Knights, 534 U.S. at 118–19 (reasonableness inquiry balances, “on the one hand, the degree to which it intrudes upon an indi- vidual’s privacy and, on the other, the degree to which a search is needed for the promotion of legitimate governmental interests”) (internal quota- tion marks omitted). A reasonable workplace search must be “justified at

88 Use of the EINSTEIN 2.0 Intrusion-Detection System

its inception” and “reasonably related in scope to the circumstances which justified the interference in the first place.” O’Connor, 480 U.S. at 726 (plurality) (internal quotation marks omitted). Based upon the information available to us, we believe that EINSTEIN 2.0 operations are reasonable under the totality of the circumstances. In light of the substantial history of intrusions and exploitations against Federal Systems, see supra p. 64, the deployment and use of EINSTEIN 2.0 technology to scan Federal Systems Internet Traffic of EINSTEIN 2.0 Participants for malicious computer code certainly is “justified at its inception.” O’Connor, 480 U.S. at 726 (plurality) (internal quotation marks omitted). We also conclude that any search conducted under EINSTEIN 2.0 op- erations would have a minimal impact upon the legitimate privacy expec- tations of computer users. The Supreme Court has said that “[w]hen faced with . . . diminished expectations of privacy, minimal intrusions, or the like, certain general, or individual, circumstances may render a warrant- less search or seizure reasonable.” McArthur, 531 U.S. at 330. We already have noted that individuals have no legitimate expectation of privacy whatsoever in certain categories of information collected by EINSTEIN 2.0—e.g., to/from addresses for e-mails, the IP addresses of websites visited, and the total traffic volume of a user—generated in connection with the routing of Internet communications. See supra pp. 71–72. And in light of the notice and consent procedures that EINSTEIN 2.0 Participants must adopt under the MOA, we believe that an individual’s expectation of privacy in the content of Internet communications transiting Federal Systems would, at a minimum, be significantly diminished. See supra pp. 75–78. Furthermore, we think it is reasonably likely that most Executive Branch employees and United States persons interacting with EINSTEIN 2.0 Participants and their employees neither intend to include nor want to receive malicious computer code in their e-mails and other Internet com- munications. And those who do intentionally unleash malicious computer code upon the Internet in order to conduct an unauthorized exploitation against Federal Systems have “no reasonable expectation of privacy” in the contents of those unauthorized Internet communications. 18 U.S.C. § 2510(21)(A). We also conclude that the use of EINSTEIN 2.0 technology to detect malicious computer code in Federal Systems Internet Traffic imposes, at

89 33 Op. O.L.C. 63 (2009)

worst, a minimal burden upon legitimate privacy rights. Indeed, we un- derstand that the actual scope of content monitoring by EINSTEIN 2.0 technology will be quite narrow. EINSTEIN 2.0 technology scans a mir- ror copy of the Federal Systems Internet Traffic of EINSTEIN 2.0 Partici- pants. Of course, the EINSTEIN 2.0 technology will scan a copy of every single data packet of the Federal Systems Internet Traffic of those Partici- pants. But we understand that the technology will scan that traffic—and only that traffic—only for particular malicious computer code associated with specific signatures. There is no authorization to acquire the content of any communication unrelated to detecting malicious computer code present in the packet. Therefore, we believe the intrusion upon any expec- tation of privacy in the privacy of the content of Internet communications that computer users may have vis-à-vis EINSTEIN 2.0 operations would be minimal, encompassing only the intrusion of searching for specified malicious computer code. Our conclusion finds some support in the Supreme Court’s cases hold- ing that a search technique that reveals only unlawful activity is not subject to the Fourth Amendment at all. See Jacobsen, 466 U.S. at 123–24 (chemical field test that could disclose only whether white powder was cocaine does not infringe upon a legitimate expectation of privacy); see also United States v. Place, 462 U.S. 696, 706–07 (1983) (canine sniff by a well-trained narcotics detection dog that discloses only the presence or absence of narcotics is “sui generis” because it “is so limited both in the manner in which the information is obtained and in the content of the information revealed by the procedure” and, therefore, does not intrude upon a legitimate expectation of privacy). The inclusion of malicious computer code in an e-mail or other Internet-based communication may or may not be analogous to the possession of contraband, such as narcotics, at issue in Jacobsen and Place. But the use of malicious computer code to gain access to Federal Systems is a federal offense, see, e.g., 18 U.S.C. § 1030(a)(2)(B), (3), & (5)(A) (2006), and the inclusion of that code in, for example, an e-mail is far from “perfectly lawful activity,” Illinois v. Caballes, 543 U.S. 405, 409–10 (2005) (emphasizing that a canine sniff detects only unlawful activity and does not implicate legitimate privacy interests). We also find support in the decisions of federal appellate courts con- cluding that the use of a magnetometer (a metal detector) to scan for weapons at airports, courthouses, and other special locations is a reasona-

90 Use of the EINSTEIN 2.0 Intrusion-Detection System

ble search. See, e.g., United States v. Albardo, 495 F.2d 799, 803–06 (2d Cir. 1974) (airport); United States v. Epperson, 454 F.2d 769, 771–72 (4th Cir. 1972) (airport); Klarfield v. United States, 944 F.2d 583, 586 (9th Cir. 1991) (courthouse). In those contexts, the government’s interests are compelling, and the magnetometer’s ability to detect not only weap- ons, but also keys, belt buckles, jewelry, and other harmless items does not otherwise render its use an unreasonable search. See United States v. Bell, 464 F.2d 667, 675 (2d Cir. 1972) (Friendly, J.); Epperson, 454 F.2d at 771–72. Regardless whether the government’s interests here are on par with preventing hijacking or airport and courthouse violence, EINSTEIN 2.0 technology promotes the government’s network-defense interests through a more limited and precise intrusion. The information provided to us indicates that EINSTEIN 2.0 technology is more precisely calibrated than a magnetometer to detect the materials (here, malicious computer codes) that pose a threat. See supra pp. 66–68. Hence, we believe that, like the use of the magnetometer in certain contexts, the use of EINSTEIN 2.0 technology to detect malicious computer code in Federal Systems Internet Traffic is a reasonable activity. Furthermore, we understand that any information acquired or shared by DHS in the course of EINSTEIN 2.0 operations shall be subject to mini- mization procedures that are designed to minimize the acquisition, reten- tion, and dissemination of non-publicly available information concerning United States persons. So, for example, even to the extent EINSTEIN 2.0 operations would acquire the content of malicious computer code that overlaps with human-readable text—e.g., the “I love you” virus from several years ago, or social engineering techniques that rely upon regular e-mail text to encourage the recipient to submit sensitive information, including personally identifiable information—we understand that these minimization procedures are intended to reduce further the impact of EINSTEIN 2.0 operations upon the privacy interests of United States persons in the content of their Internet communications. Cf. In re Sealed Case, 310 F.3d 717, 740 (FISA Ct. Rev. 2002) (noting importance of minimization procedures in holding that electronic surveillance pursuant to FISA was reasonable under the Fourth Amendment). In addition, we understand that DHS is required to develop auditing, oversight, and train- ing procedures to ensure that its employees follow the procedures devel- oped with respect to minimizing and protecting United States person information. We further understand that DHS is required to develop

91 33 Op. O.L.C. 63 (2009)

procedures for the development of signatures to be programmed into the EINSTEIN 2.0 sensors, to ensure that the sensors are limited only to the detection of malicious computer code. In light of these safeguards, we believe that EINSTEIN 2.0 operations will have a minimal impact upon the legitimate privacy rights of computer users. We conclude that the important governmental interest in protecting Federal Systems from intrusion and exploitation at the hands of foreign intelligence services, transnational criminal enterprises, and rogue com- puter hackers, see supra p. 64, outweighs the limited impact on the priva- cy rights, if any, of computer users communicating through Federal Sys- tems. See Heckenkamp, 482 F.3d at 1148 (there is a “compelling gov- ernment interest” in maintaining “the security of its network” and in de- termining the source of “unauthorized intrusion into sensitive files”); Vernonia Sch. Dist., 515 U.S. at 661 (government must identify “an inter- est that appears important enough to justify the particular search at hand”). Based upon the information provided to us, we believe that EINSTEIN 2.0 operations would constitute a “reasonably effective means” of promot- ing those interests. Earls, 536 U.S. at 837 (activity must be “a reasonably effective means of addressing” government’s interest); see Vernonia Sch. Dist., 515 U.S. at 663 (considering “the efficacy of [the] means for ad- dressing the problem”). As explained, see supra pp. 66–68, EINSTEIN 2.0 operations are expected to improve the government’s situational awareness regarding computer network intrusions and exploitations against Federal Systems and to strengthen the ability to defend Federal Systems across the entire Executive Branch. Because EINSTEIN 2.0 technology is designed to detect and to store only malicious computer code associated with previously signatures, they also “are reasonably related in scope” to the problem EINSTEIN 2.0 is intended to address— the use of known malicious computer code to conduct intrusions and exploitations against Federal Systems. O’Connor, 480 U.S. at 726 (plural- ity) (internal quotation marks omitted). Therefore, even if EINSTEIN 2.0 operations did involve a “search” within the meaning of the Fourth Amendment, we conclude that those operations nonetheless would satisfy the reasonableness requirement of the Fourth Amendment. For that same reason, we also conclude that an Executive Branch employee’s agreement to the terms of the model log-on banner or the model computer-user agreement, or those of a banner or user agreement that are substantially equivalent to those models, consti-

92 Use of the EINSTEIN 2.0 Intrusion-Detection System

tutes valid, voluntary consent to the reasonable scope of EINSTEIN 2.0 operations, and, thus, does not impose any coercive unconstitutional condition upon federal employment.

III.

We now turn to the statutory issues. DOJ has advised that the deploy- ment, testing, and use of EINSTEIN 2.0 technology would comply with the requirements of the Wiretap Act, FISA, the SCA, and the Pen/Trap Act where EINSTEIN 2.0 Participants obtain the consent of their employ- ees through appropriate log-on banners or computer-user agreements. As we concluded with respect to the Fourth Amendment, we also conclude that EINSTEIN 2.0 operations would be consistent with the requirements of these statutes, provided that each EINSTEIN 2.0 Participant consistent- ly adopts, implements, and enforces the model log-on banner or model computer-user agreement—or a log-on banner or computer-user agree- ment containing substantially equivalent terms establishing that the con- sent of its employees is “clearly given” and “clearly obtained.”

We begin with the Wiretap Act. The Wiretap Act, as amended by title I of the Electronic Communications Privacy Act of 1986, Pub. L. No. 99- 508, 100 Stat. 1848 (1986) (“ECPA”), and other subsequent statutes, prohibits the intentional “intercept[]” of any “electronic communication” unless authorized by law. 18 U.S.C. § 2511(1)(a) (2006); see also id. § 2511(1)(c) & (d) (prohibiting the intentional disclosure or use of the contents of electronic communications acquired in violation of section 2511(1)(a)). As relevant here, the Act defines “intercept” as the “acquisi- tion of the contents of any . . . electronic . . . communication through the use of any electronic, mechanical, or other device.” Id. § 2510(4). EINSTEIN 2.0 technology would constitute a covered “device.” See id. § 2510(5) (defining “electronic, mechanical, or other devices” as any device “which can be used to intercept a[n] . . . electronic communication other than” certain specified devices not applicable here). Because use of the EINSTEIN 2.0 sensors requires the creation of a full mirror copy of the Federal Systems Internet Traffic of EINSTEIN 2.0 Participants, we conclude that the operation of those sensors “acqui[res] the contents” of an electronic communication within the meaning of the 93 33 Op. O.L.C. 63 (2009)

Act. The Wiretap Act defines “contents” to mean “any information con- cerning the substance, purport, or meaning” of a communication. 18 U.S.C. § 2510(8). And “electronic communication” is defined to mean “any transfer of signs, signals, writing, images, sounds, data, or intelli- gence of any nature transmitted in whole or in part by a wire, . . . electro- magnetic, photoelectronic, or photooptical system that affects interstate or foreign commerce,” with certain exceptions not applicable here. Id. § 2510(12). The courts have held that communications that have not been recorded (to a medium such as a computer disk), viewed, or listened to have not been “acquired” within the meaning of the Wiretap Act. See, e.g., United States v. Lewis, 406 F.3d 11, 17–18 (1st Cir. 2004). Although the full mirror copy of Federal Systems Internet Traffic is only temporary, we believe the creation of the copy is sufficient to constitute an acquisi- tion of the contents of communication under the Wiretap Act. Further- more, even if creation of the temporary mirror copy were not sufficient to implicate the provisions of that Act, EINSTEIN 2.0 technology also acquires and stores, for later review by analysts, data packets from Fed- eral Systems Internet Traffic containing malicious computer code associ- ated with a signature. The acquisition and storage of these data packets, which are part of the “contents” of electronic communications, certainly constitutes an “intercept” within the meaning of the Wiretap Act. See 18 U.S.C. § 2510(4), (5), (8), & (12). Therefore, absent an exception, section 2511(1)(a) applies to at least some aspects of EINSTEIN 2.0 operations. The Wiretap Act also prohibits a person or entity providing “electronic communication service” to “the public” from intentionally “divulg[ing] the contents of any communication (other than one to such person or entity, or an agent thereof ) while in transmission on that service to any person or entity other than an addressee or intended recipient of such communication or an agent of such addressee or intended recipient.” 18 U.S.C. § 2511(3)(a). It is unclear whether the federal Government pro- vides “electronic communication service” to “the public.” It reasonably could be argued that an EINSTEIN 2.0 Participant does offer websites and other Internet-related services that enable the transmission of electronic communications to and from the public, qualifies as a provider of elec- tronic communication service to the public. See id. § 2510(15) (defining “electronic communication service” as “any service which provides to users thereof the ability to send or receive wire or electronic communica- tion service”); Black’s Law Dictionary 1227 (6th ed. 1990) (defining

94 Use of the EINSTEIN 2.0 Intrusion-Detection System

public as “aggregate of the citizens”; “everybody”; “the community at large”). We need not decide the issue today, for even if the government is a provider of electronic communication service to the public, we do not believe that EINSTEIN 2.0 operations run afoul of the prohibitions in the Wiretap Act on the divulging of the contents of wire and electronic com- munications. We conclude that EINSTEIN 2.0 operations do not constitute an un- lawful interception or divulging of the contents of Internet communica- tions under the Wiretap Act for two reasons. First, where EINSTEIN 2.0 Participants obtain the consent of their employees through appropriate log-on banners or computer-user agreements, there would be no violation of the Wiretap Act. Second, there is a strong argument that the govern- ment’s EINSTEIN 2.0 operations are subject to the “rights or property” exception to the Wiretap Act. We also discuss, but do not decide, whether EINSTEIN 2.0 operations fall within the new “computer trespasser” exception to the prohibitions of the Wiretap Act.

Under the Act, “[i]t shall not be unlawful . . . for a person acting under color of law to intercept a[n] . . . electronic communication, where such person is a party to the communication or one of the parties to the com- munication has given prior consent to such interception.” 18 U.S.C. § 2511(2)(c). Likewise, a person providing electronic communication service to the public “may divulge the contents of any such communica- tion” either “to a person . . . authorized, or whose facilities are used, to forward such communications to its destination,” id. § 2511(3)(b)(iii), or “with the lawful consent of the originator or any addressee or intended recipient of such communication,” id. § 2511(3)(b)(ii). These exceptions take EINSTEIN 2.0 operations, if conducted consistent with the terms of the EINSTEIN 2.0 MOA, outside the scope of the prohibitions in the Wiretap Act. The exception in section 2511(2)(c) applies to the interception of the contents of an Internet communication where an executive department or agency is a direct party to the communication, such as where an individu- al files a form with an agency through a website or responds online to a government survey. There is no violation of the Wiretap Act where “a person acting under color of law” intercepts an electronic communication

95 33 Op. O.L.C. 63 (2009)

provided that “one of the parties to the communication has given prior consent to such interception.” 18 U.S.C. § 2511(2)(c). For purposes of section 2511(2)(c), DHS is “a person acting under color of law” in the course of conducting EINSTEIN 2.0 operations. Id. § 2510(6) (defining person to include any “agent” of the United States Government). See Nardone v. United States, 302 U.S. 379, 384 (1937) (government bound by wiretap laws because “the sovereign is embraced by general words of a statute intended to prevent injury”); cf. 18 U.S.C. § 2520(a) (2006) (plaintiff may recover civil damages from “a person or entity, other than the United States,” which engaged in that violation). By entering into an MOA with DHS, an EINSTEIN 2.0 Participant has signaled its consent to the interception by EINSTEIN 2.0 sensors and DHS of the content of Internet communications to which it is a party. Therefore, DHS lawfully may intercept the contents of an EINSTEIN 2.0 Participant’s Internet communications with individuals under the Wiretap Act. Id. § 2511(2)(c). For the same reason, it also is lawful for an EINSTEIN 2.0 Participant to divulge the contents of an Internet communication to DHS for the purposes of EINSTEIN 2.0 operations where an EINSTEIN 2.0 Partici- pant is one of the addressees or recipients of the communication. Id. § 2511(3)(b)(ii) (person may divulge contents of communication “with the lawful consent of the originator or any addressee or intended recipient of such communication”). With respect to intercepting and divulging the contents of Internet communications involving Executive Branch employees and individuals outside the Executive Branch, we do not believe that such actions would violate the prohibitions in the Wiretap Act. To begin with, EINSTEIN 2.0 operations do not unlawfully “divulge” the contents of Internet communi- cations with Executive Branch employees, because the federal govern- ment is “authorized,” and its “facilities are used, to forward such commu- nications to [their] destination.” 18 U.S.C. § 2511(3)(b)(iii). Internet communications cannot get to or from Executive Branch employees at work without routing through the facilities of Federal Systems. There also is no violation of either the interception or the divulging prohibitions of the Wiretap Act where one of the parties to a communica- tion has given consent. See 18 U.S.C. § 2511(2)(c) (“prior consent” re- quired for intercept); id. § 2511(3)(b)(ii) (“lawful consent” required for divulging). An EINSTEIN 2.0 Participant cannot consent to the intercep- tion of the contents of the communications of its employees on their

96 Use of the EINSTEIN 2.0 Intrusion-Detection System

behalf; rather, the consent of the employee who is the sender or the recip- ient of the communication is required. See Television Surveillance, 3 Op. O.L.C. at 67 (consent to surveillance is “not predicated on the consent of the owner of the pertinent property, but rather on the consent of the per- son to whom the targeted individual reveals his communications or activi- ties”); see also Caceres, 440 U.S. at 750 (“[F]ederal statutes impose no restrictions on recording a conversation with the consent of one of the conversants.”); United States v. Barone, 913 F.2d 46, 49 (2d Cir. 1990) (one-party consent obviates the need to obtain a court order under the Wiretap Act). As with any other person, an employee’s consent under the Wiretap Act also must be provided voluntarily. See United States v. Hernandez, 93 F.3d 1493, 1500 (10th Cir. 1996). Here, an employee’s valid, voluntary consent is expressly apparent from his clicking through the log-on banner or signing the computer-user agreement in order to access a government-owned information system. See supra pp. 83–89; Memorandum for Ronald D. Lee, Associate Deputy Attorney General, from William Treanor, Deputy Assistant Attorney General, Office of Legal Counsel, Re: Report of the Working Group on Access to Govern- ment Property (Second Draft) at 5 (June 1, 2000) (consent exception in Wiretap Act satisfied where employee clicks through log-on banner acknowledging monitoring of electronic communications in order to access DOJ’s computer network). An Executive Branch employee’s consent to interception or divulging of the contents of his Internet communications also may be implied where the “‘circumstances indicat[e] that the [individual] knowingly agreed to the surveillance.’” United States v. Van Poyck, 77 F.3d 285, 292 (9th Cir. 1996) (quoting United States v. Amen, 831 F.2d 373, 378 (2d Cir. 1987) (federal inmate consented to interception of phone calls where notice that inmate calls were monitored was ubiquitous)). Under the Wiretap Act, “as in other settings, consent inheres where a person’s behavior manifests acquiescence or a comparable voluntary diminution of his or her other- wise protected rights.” Griggs-Ryan v. Smith, 904 F.2d 112, 116 (1st Cir. 1990) (tenant consented to landlord’s recording of phone calls where tenant knew that all calls were being recorded); accord United States v. Staves, 383 F.3d 977, 981 (9th Cir. 2004) (party to communication im- pliedly consents to monitoring where circumstances “indicate that [he] knew that interception was likely and agreed to the monitoring”). Where “language or acts . . . tend to prove (or disprove) that a party knows of, or

97 33 Op. O.L.C. 63 (2009)

assents to, encroachments” on a routine expectation of privacy, that party has manifested his consent for purposes of the Wiretap Act. Griggs-Ryan, 904 F.2d at 117; see Van Poyck, 77 F.3d at 292 (similar). Here, no Executive Branch employee who has read the model log-on banner or computer-user agreement (or a log-on banner or computer-user agreement with substantially equivalent terms) and who nonetheless has logged on to a government-owned information system could reasonably claim not to have knowledge that monitoring, interception, and searches of his Internet communications would occur. The employee’s use of government-owned information systems despite that knowledge would establish voluntary consent to any such monitoring, interception, or search. See supra pp. 81, 84–93. 10 Therefore, we believe that EINSTEIN 2.0 operations would comply with the Wiretap Act as long as EINSTEIN 2.0 Participants consistently adopt, implement, and enforce the terms of appropriate log-on banners or computer-user agreements, as discussed in this memorandum.

Even absent the consent of Executive Branch employees, there is a rea- sonable basis to conclude that the use of EINSTEIN 2.0 technology to protect Federal Systems comes within the express terms of the “rights or property” exception to the prohibitions in the Wiretap Act, 18 U.S.C. § 2511(2)(a)(i). The “rights or property” exception provides in relevant part that the prohibitions in the Act shall not apply to the “intercept, disclosure, or use” of an “electronic communication” by a “provider of a wire or electronic communication service . . . engaged in any activity which is a necessary incident to . . . the protection of the rights or proper- ty of the provider of that service.” Id. We believe that this provision may be applied to the government here as a “provider” of “electronic communication service[s]” for its employ-

10 Similarly, no reasonable person communicating directly with an agency of the feder-

al government through the Internet, such as by filing a form on an agency website, could claim not to know that his communication would be acquired by the government. Indeed, that is the entire purpose of communicating with the government. See supra pp. 81–82. Hence, the individual impliedly would consent to the government’s interception of the contents of his communication. See Caller ID, 20 Op. O.L.C. at 320 & n.13 (dialing 911 constitutes implicit consent to government’s direct monitoring of an emergency call).

98 Use of the EINSTEIN 2.0 Intrusion-Detection System

ees. Executive Branch departments and agencies provide the necessary computers, network infrastructure, facilities, and connectivity to the Internet that enable Executive Branch employees “to send or receive” electronic communications. 18 U.S.C. § 2510(15) (defining “electronic communication service”). The courts have held that to benefit from the rights or property exception, the electronic communication service pro- vider’s activities must protect the provider’s own rights or property, and not those of any third party, such as a customer. See, e.g., Campiti v. Walonis, 611 F.2d 387, 393 (1st Cir. 1979) (rights or property exception does not apply to a person who is not an agent of the telephone company for monitoring that “had nothing to do with telephone company equip- ment or rights”); United States v. Auler, 539 F.2d 642, 645–46 (7th Cir. 1976) (telephone companies intercepting communications under section 2511(2)(a)(i) may share those communications with the government only to the extent necessary to protect telephone company’s rights or property). EINSTEIN 2.0 technology is owned, operated, and controlled by DHS, and we understand that it is to be used solely for the protection of the government’s rights and property in Federal Systems. See supra p. 66. The legislative history of the rights or property exception in the Wire- tap Act arguably speaks only to the efforts of telephone companies to monitor calls in order to prevent callers from using “blue boxes” to avoid paying for long-distance telephone calls. See S. Rep. No. 90-1097, at 67 (1967), reprinted in 1968 U.S.C.C.A.N. 2112, 2182. Nevertheless, we believe that “the plain meaning of Congress’[s] language” in the “rights or property” exception includes EINSTEIN 2.0 operations “within its am- bit.” United States v. Savage, 564 F.2d 728, 731 (5th Cir. 1977). The courts have construed the “necessary” language in the Wiretap Act provi- sion “to impose a standard of reasonableness upon” the provider’s activi- ties to protect his rights or property. United States v. Harvey, 540 F.2d 1345, 1351 (8th Cir. 1976); see, e.g., United States v. McLaren, 957 F. Supp. 215, 220 (M.D. Fla. 1997) (similar). As in the Fourth Amend- ment context, reasonableness is “assessed under the facts of each case.” Harvey, 540 F.2d at 1352 n.9. The “rights or property” exception does not strictly require “minimization” of the acquisition of communication contents by a provider, McLaren, 957 F. Supp. at 220, but a provider’s activities are reasonable under the exception where they involve only “minimal interception” of communications. Harvey, 540 F.2d at 1351.

99 33 Op. O.L.C. 63 (2009)

We believe that the government’s use of EINSTEIN 2.0 technology to detect intrusions and exploitations against Federal Systems is reasonably necessary to protect the federal government’s rights with respect to its exclusive use of Federal Systems and its property interests in the integrity and security of its networks and data. For the reasons we have noted already, see supra pp. 89–92, we believe that EINSTEIN 2.0 operations would involve the minimal acquisition and storage of communications necessary to detect malicious network activity directed against Federal Systems. EINSTEIN 2.0 operations are limited to the detection and stor- ing of data packets containing only malicious computer code associated with computer intrusions and exploitations, and are reasonably designed to protect Federal Systems without acquiring any additional content of Internet communications that is unrelated to that goal. Thus, EINSTEIN 2.0 operations are appropriately limited in scope to what is reasonably necessary to protect governmental rights and property against computer intrusions and exploitations. See Harvey, 540 F.2d at 1351 (recording of limited portion of phone calls to identify use of technology to evade paying for long-distance calls is “reasonable”); United States v. Freemen, 524 F.2d 337, 341 (7th Cir. 1975) (taping of conversations for no more than two minutes and only when blue box was in use was “necessary and in line with the minimal invasion of privacy contemplated by the stat- ute”); cf. Auler, 539 F.2d at 646 (monitoring and recording of all calls, regardless whether made using a blue box, acquired “far more infor- mation” than the telephone company “needed to protect its interests”); McLaren, 957 F. Supp. at 220 (interception, recording, and disclosure of complete phone calls “having nothing whatever to do” with abuse of telephone company’s service is unreasonable because those actions “could not possibly be ‘necessary’” to protecting the company’s rights). Therefore, even absent employee consent, there is a strong basis in the text of the “rights or property” exception to the Wiretap Act to believe that the government’s activities under EINSTEIN 2.0 would not violate the prohibitions in the Wiretap Act. That being said, however, there are very few cases applying the rights or property exception since the mid- 1970s, and almost none involving computer networks, the Internet, or defenses against cyber intrusions and exploitations, and none involving the government in protecting its own rights or property, as opposed to a private communications provider protecting its private property. Accord- ingly, we believe there is some uncertainty regarding how the courts

100 Use of the EINSTEIN 2.0 Intrusion-Detection System

would view a defense of EINSTEIN 2.0 operations based upon the “rights or property” exception to the Wiretap Act.

3.

Finally, we discuss briefly the “computer trespasser” exception in the Wiretap Act, 18 U.S.C. § 2511(2)(i), which was added to the Wiretap Act by section 217 of the USA PATRIOT Act, Pub. L. No. 107-56, 115 Stat. 272, 291 (2001). Section 2511(2)(i) permits “a person acting under color of law” to “intercept” the contents of “wire or electronic communi- cations of a computer trespasser transmitted to, through, or from [a] protected computer” on four conditions: First, “the owner or operator of the protected computer authorizes the interception of the computer tres- passer’s communications on the protected computer.” Second, “the person acting under color of law is lawfully engaged in an investigation.” Third, “the person acting under color of law has reasonable grounds to believe that the contents of the computer trespasser’s communications will be relevant to the investigation.” And fourth, “such interception does not acquire communications other than those transmitted to or from the com- puter trespasser.” 18 U.S.C. § 2511(2)(i)(I)–(IV). The phrase “protected computer” has the same definition as in 18 U.S.C. § 1030(e)(2), see id. § 2510(20) (defining “protected computer”), which includes the govern- ment-issued computers of EINSTEIN 2.0 Participants at issue here. “Computer trespasser” is defined to mean “a person who accesses a pro- tected computer without authorization” and “does not include a person known by the owner or operator of the protected computer to have an existing contractual relationship with the owner or operator of the protect- ed computer for access to all or part of the protected computer.” Id. § 2510(21)(A) & (B). We need not discuss the first three requirements of the computer tres- passer exception. Even assuming that EINSTEIN 2.0 operations satisfy these requirements, it is questionable that EINSTEIN 2.0 operations satisfy the final requirement. The computer trespasser exception is ap- plicable only if interception of the contents of communications “does not acquire communications other than those transmitted to or from the computer trespasser.” 18 U.S.C. § 2511(2)(i)(IV). We understand that EINSTEIN 2.0 technology is designed to detect and to store only packets containing malicious computer code associated with a signature. Accord-

101 33 Op. O.L.C. 63 (2009)

ingly, it could be argued that it would not acquire communications other than the malicious code sent over the Internet by computer trespassers, as defined in section 2510(21). However, EINSTEIN 2.0 technology also can acquire the contents of communications to or from persons who do not satisfy the definition of “computer trespasser.” To take just one example, an Executive Branch employee—even one who intentionally includes malicious computer code in his Internet communications at work—does not appear to be a “computer trespasser” within the scope of the defini- tion. See id. § 2510(21)(B) (defining “computer trespasser” to exclude a “person known by the owner or operator of the protected computer to have an existing contractual relationship . . . for access to all or part of the protected computer”). 11 EINSTEIN 2.0 operations, however, nonetheless would acquire the contents of their communications. We do not decide, however, whether the computer trespasser exception would or would not apply to EINSTEIN 2.0 operations. In light of the other legal justifications for EINSTEIN 2.0 operations under the Wiretap Act, we need not rely upon this provision.

We next consider whether the provisions in title I of FISA, which gov- ern the conduct of “electronic surveillance” within the United States, and in revised title VII of FISA, which govern, among other things, the acqui- sition of foreign intelligence information from United States persons outside the United States, apply to the deployment, testing, and use of EINSTEIN 2.0 technology. We conclude that they do not, provided that EINSTEIN 2.0 Participants obtain the consent of their employees through the terms of log-on banners or computer-user agreements, as discussed throughout this memorandum.

Under 50 U.S.C. § 1809(a)(1) (Supp. II 2008), it is a felony for a per- son acting “under color of law” to engage intentionally in “electronic

11 That does not mean that the government would be prohibited from acquiring the communications of an employee or contractor who intentionally incorporates malicious code in their Internet communications. Rather, some other statutory exception—such as consent or the rights or property exception—may authorize that result.

102 Use of the EINSTEIN 2.0 Intrusion-Detection System

surveillance” as defined in title I of FISA, see 50 U.S.C. § 1801(f ) (2006), “except as authorized” by FISA, the Wiretap Act, the SCA, the Pen/Trap Act, or any other “express statutory authorization that is an additional exclusive means for conducting electronic surveillance” under 50 U.S.C. § 1812(b) (Supp. II 2008). See also id. § 1810 (2006) (establishing civil penalties for violations of section 1809(a)(1)). As we have established in Part III.A, EINSTEIN 2.0 operations would not be prohibited by the Wiretap Act. Thus, it could be argued that they are “authorized” under the Wiretap Act. On this view, FISA does not govern activity that is expressly permitted under provisions in the Wiretap Act, such as activity falling within the terms of the consent or the rights or property exception. Cf. Freemen, 524 F.2d at 340 & n.5 (phrase “[e]xcept as authorized by [the Wiretap Act]” in 47 U.S.C. § 605(a) (1970) “permits” telephone compa- nies to protect their rights or property under section 2511(2)(a)(i) notwith- standing any otherwise applicable terms of section 605(a)). Accordingly, EINSTEIN 2.0 operations permitted under the rights or property excep- tion of the Wiretap Act would be authorized notwithstanding the electron- ic surveillance provisions of FISA (and notwithstanding the absence of a rights or property exception in FISA). There is much to recommend that view, although the better reading of “authorized” may be that the term refers to orders obtained under the procedures of the Wiretap Act, the SCA, the Pen/Trap Act, or another covered statute, rather than to activities that merely are not prohibited by those statutes. Cf. United States v. Keen, 508 F.2d 986, 988 (9th Cir. 1974) (“Section 2511(2)(c) is worded as an exception to [the] general prohibition of judicially non-authorized wire taps, not as a positive au- thorization of such taps.”). We need not and do not resolve this issue today. Rather, we assume for the purposes of this memorandum that title I of FISA applies to the deployment, testing, and use of EINSTEIN 2.0 technology if those actions constitute “electronic surveillance” within the meaning of 50 U.S.C. § 1801(f ). Section 1801(f ) sets forth four separate definitions of “electronic sur- veillance.” They are as follows: (1) the acquisition by an electronic, mechanical, or other surveil- lance device of the contents of any wire or radio communications sent by or intended to be received by a particular, known United States person who is in the United States, if the contents are acquired

103 33 Op. O.L.C. 63 (2009)

by intentionally targeting that United States person, under circum- stances in which a person has a reasonable expectation of privacy and a warrant would be required for law enforcement purposes; (2) the acquisition by an electronic, mechanical, or other surveil- lance device of the contents of any wire communication to or from a person in the United States, without the consent of any party thereto, if such acquisition occurs in the United States, but does not include the acquisition of those communications of computer trespassers that would be permissible under section 2511(2)(i) of Title 18; (3) the intentional acquisition by an electronic, mechanical, or other surveillance device of the contents of any radio communica- tion, under circumstances in which a person has a reasonable expec- tation of privacy and a warrant would be required for law enforce- ment purposes, and if both the sender and all intended recipients are located within the United States; or (4) the installation or use of an electronic, mechanical, or other surveillance device in the United States for monitoring to acquire in- formation, other than from a wire or radio communication, under circumstances in which a person has a reasonable expectation of pri- vacy and a warrant would be required for law enforcement purposes. 50 U.S.C. § 1801(f )(1)–(4). EINSTEIN 2.0 operations that scan, acquire, and store copies of data packets containing malicious computer code from Federal Systems Internet Traffic constitute an “acquisition” of the “con- tents” of a communication. Id. § 1801(n) (defining “contents” to include “any information concerning the identity of the parties to . . . communica- tions or the existence, substance, purport, or meaning of that communica- tion”). Nevertheless, paragraphs (1) and (3) of section 1801(f ) do not apply to EINSTEIN 2.0 operations. Those operations do not constitute electronic surveillance under section 1801(f )(1), because EINSTEIN 2.0 sensors generally would not target any “particular, known United States person” in the United States. Nor do EINSTEIN 2.0 operations constitute electron- ic surveillance within the meaning of section 1801(f )(3), because the EINSTEIN 2.0 sensors do not acquire the contents of any “radio commu- nication.” As explained in Part I, EINSTEIN 2.0 sensors are to scan only a mirror copy of Federal Systems Internet Traffic created as that traffic passes through the facilities located at the government’s TICs. Further-

104 Use of the EINSTEIN 2.0 Intrusion-Detection System

more, even if section 1801(f )(1) and section 1801(f )(3) did apply to EINSTEIN 2.0 operations, the use of EINSTEIN 2.0 technology still does not constitute “electronic surveillance” under those definitions, because the use of those sensors does not implicate “a person’s reasonable expec- tation of privacy.” See supra pp. 71–82 and infra p. 106. That leaves section 1801(f )(2) and (4). Section 1801(f )(2) applies to EINSTEIN 2.0 operations only if EINSTEIN 2.0 technology acquires the contents of “wire communication[s],” which FISA defines as “any communication while it is being carried by a wire, cable, or other like connection furnished or operated by . . . a common carrier . . . providing or operating such facilities for the transmission of interstate or foreign communications.” 50 U.S.C. § 1801(l ); see H.R. Rep. No. 95-1283, at 66–67 (1978) (communications are wire communications “only when they are carried by a wire furnished or operated by a common carrier”). FISA does not define the term “common carrier.” We need not decide whether EINSTEIN 2.0 operations acquire the contents of communications while being carried by the wire facilities of a common carrier. Even if they do, the use of EINSTEIN 2.0 technology does constitute electronic surveil- lance under section 1801(f )(2) as long as the government obtains “the consent of any party” to a communication to acquire the contents of that communication. 50 U.S.C. § 1801(f )(2). Because the consent exception in section 1801(f )(2) concerns the same subject matter—consent of a party to a communication—as section 2511(2)(c), we construe the two provisions in pari materia. See Wachovia Bank, N.A. v. Schmidt, 546 U.S. 303, 316 (2006) (statutes addressing a similar subject matter should be read “as if they were one law”) (internal quotation marks omitted); Authority of USDA to Award Monetary Relief for Discrimination, 18 Op. O.L.C. 52, 69 (1994) (“Statutes addressing the same subject matter—that is, statutes ‘in pari materia’—should be con- strued together.”). That construction is consistent with the stated views of the Senate Select Committee on Intelligence and the Senate Committee on the Judiciary in their respective committee reports on the legislation that ultimately would become FISA. See S. Rep. No. 95-604, pt. I , at 35 (1978) (definition of electronic surveillance “has an explicit exception where any party has consented to the interception. This is intended to perpetuate the existing law regarding consensual interceptions found in 18 U.S.C. § 2511(2)(c).”), reprinted in 1978 U.S.C.C.A.N. 3904, 3936–37; S. Rep. No. 95-701, at 37 (1978) (same), reprinted in 1978 U.S.C.C.A.N.

105 33 Op. O.L.C. 63 (2009)

3973, 4006. Accordingly, for the same reasons already noted above with respect to the Wiretap Act, we believe that the government could obtain valid consent under section 1801(f )(2) through consistent and actual use of log-on banners or computer-user agreements. See United States v. Missick, 875 F.2d 1294, 1299 (7th Cir. 1989) (section 1801(f )(2) does not apply to acquisition of content of telephone calls where one of the parties consented). For that same reason, we do not believe that EINSTEIN 2.0 operations constitute “electronic surveillance” under section 1801(f )(4). It is plain that the use of EINSTEIN 2.0 technology constitutes “the installation or use of an electronic, mechanical, or other surveillance device in the Unit- ed States for monitoring to acquire information.” 50 U.S.C. § 1801(f )(4). But regardless whether that technology would acquire the contents of communications “other than from” the wire facilities of a common carrier, EINSTEIN 2.0 operations would not fall within the scope of section 1801(f )(4). As long as EINSTEIN 2.0 Participants consistently adopt, implement, and enforce the use of appropriate log-on banners or comput- er-user agreements as discussed in this memorandum, EINSTEIN 2.0 technology would not acquire the contents of Internet communications under circumstances where there is a “reasonable expectation of privacy” and a warrant “would be required for law enforcement purposes.” See supra Parts II.A.2, III.A.1; see also Interception of Radio Communication, 3 Op. O.L.C. 240, 241 (1979) (phrase “reasonable expectation of privacy” in FISA incorporates “the standard of constitutionally protected privacy interests”); H.R. Rep. No. 95-1283, pt. 1, at 53 (1978) (under section 1801(f )(4) “the acquisition of information [must] be under circumstances in which a person has a constitutionally protected right of privacy. There may be no such right in those situations where the acquisition is consent- ed to by at least one party to the communication”); S. Rep. No. 95-701, at 37 (1978) (same). Therefore, EINSTEIN 2.0 operations would not constitute “electronic surveillance” under title I of FISA as long as EINSTEIN 2.0 Participants consistently adopt, implement, and enforce the terms of appropriate log- on banners or computer-user agreements, as discussed in this memoran- dum.

106 Use of the EINSTEIN 2.0 Intrusion-Detection System

For the same reasons, we do not believe that the use of EINSTEIN 2.0 technology with respect to the Federal Systems Internet Traffic of Execu- tive Branch employees outside the United States, such as (hypothetically) employees of the Department of State or the Central Intelligence Agency, implicates revised title VII of FISA. As applicable here, section 703(a)(1) of FISA provides that the Foreign Intelligence Surveillance Court (“FISC”) shall have jurisdiction over the “the targeting of a United States person reasonably believed to be located outside the United States to acquire foreign intelligence information, if the acquisition constitutes electronic surveillance” under FISA. 50 U.S.C. § 1881b(a)(1) (Supp. II 2008). And section 704(a)(2) of FISA generally prohibits elements of the Intelligence Community from “intentionally target[ing], for the purpose of acquiring foreign intelligence information, a United States person reason- ably believed to be located outside the United States under circumstances in which [the] person has a reasonable expectation of privacy and a war- rant would be required if the acquisition were conducted inside the United States for law enforcement purposes.” Id. § 1881c(a)(2) (Supp. II 2008). We have no reason to believe that EINSTEIN 2.0 operations generally would involve the intentional targeting of any United States person em- ployed by an EINSTEIN 2.0 Participant outside the United States in order to acquire “foreign intelligence information” as defined in 50 U.S.C. § 1801(e). Even assuming for the sake of argument that EINSTEIN 2.0 operations would satisfy those requirements, we do not believe those operations would satisfy the other jurisdictional requirements in sections 1881b(a)(1) or 1881c(a)(2), provided that EINSTEIN 2.0 Participants employing United States persons outside the United States consistently adopt, implement, and enforce appropriate notice and consent procedures, as discussed in this memorandum. In that circumstance, there would be no “electronic surveillance” as defined in section 1801(f )(1)–(4), and, thus, section 1881b(a)(1) would be inapplicable. See supra Part III.B.1. Likewise, there would be no reasonable expectation of privacy and a warrant would not be required for law enforcement purposes for either of two reasons: there would be no search under the Fourth Amendment, see supra Part II.A, or there would be proper consent, thus obviating the need for a warrant and probable cause, see supra pp. 81, 84–93. Under either rationale (or both), the prohibition in section 1881c(a)(2) would not apply.

107 33 Op. O.L.C. 63 (2009)

Therefore, we do not believe that EINSTEIN 2.0 operations would be subject to revised title VII of FISA.

C.

We also conclude that the relevant provisions of the Stored Communi- cations Act would not apply to EINSTEIN 2.0 operations, provided that EINSTEIN 2.0 Participants consistently adopt, implement, and enforce the terms of appropriate log-on banners or computer-user agreements, as discussed in this memorandum. As relevant here, the SCA prohibits a person or entity “providing an electronic communication service to the public” from knowingly “divulg[ing] to any person or entity the contents of a communication while in electronic storage by that service.” 18 U.S.C. § 2702(a)(1) (2006). As already noted with respect to the Wiretap Act, it is unclear that the federal government—which does offer websites and other Internet-related services that enable the transmission of electronic communications to and from the public—qualifies as a provider of elec- tronic communication service to the public under the SCA. See supra p. 94. The matter is far from settled. Compare Andersen Consulting LLP v. UOP, 991 F. Supp. 1041, 1042–43 (N.D. Ill. 1998) (computer system of partnership used to communicate with third parties does not provide electronic communication service to the public within the meaning of the SCA), with Bohach v. City of Reno, 932 F. Supp. 1232, 1236 (D. Nev. 1996) (City of Reno is an “electronic communication service provider” under the SCA because it provides the terminals, computers, pages, and software that enables its own personnel to send and to receive electronic communications). We need not decide the issue, for even if the govern- ment is a provider of electronic communication service to the public, we do not believe that EINSTEIN 2.0 operations would run afoul of the SCA. EINSTEIN 2.0 operations would implicate the prohibition in section 2702(a)(1) if the temporary mirroring of all Federal Systems Internet Traffic of EINSTEIN 2.0 Participants divulges the content of an electron- ic communication “while in electronic storage.” The SCA defines “elec- tronic storage” to mean: (A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and

108 Use of the EINSTEIN 2.0 Intrusion-Detection System

( B ) any storage of such communication by an electronic commu- nication service for purposes of backup protection of such communi- cation. Id. § 2510(17)(A) & (B). The courts have interpreted section 2510(17)(A) to apply only to an electronic communication stored temporarily on a provider’s server pending delivery of the communication to the recipient. See, e.g., In re DoubleClick, Inc. Privacy Litig., 154 F. Supp. 2d 497, 511–12 (S.D.N.Y. 2001). As noted in Part I, see supra p. 67, EINSTEIN 2.0 technology does not have any effect upon the transmission of wire or electronic communications to their intended recipients. Rather, EINSTEIN 2.0 operations will make a mirror copy of every packet in Federal Systems Internet Traffic and will scan that copy to detect known signatures. This copy is “temporary” storage of communications “inci- dental” to their transmission, in the sense that the storage is related to the transmission of those communications. But arguably it is not “intermedi- ate” in the process of that transmission, because the temporary copy is not created as part of a step in the chain of transmitting the communication to its intended recipient. Rather, the copy is made for the separate purpose of enabling EINSTEIN 2.0 sensors to detect malicious computer code em- bedded in Federal Systems Internet Traffic. Indeed, the EINSTEIN 2.0 scanning process occurs out-of-line from the transmission process, even if it is related to the in-line transmission of Federal Systems Internet Traffic. Nor do we understand that EINSTEIN 2.0 operations would divulge the content of any communication while in storage “for purposes of backup protection” within the meaning of section 2510(17)(B), even under a broader reading of “backup protection” than DOJ has embraced in litigat- ing the scope of that provision. See Theofel v. Farey Jones, 341 F.3d 978, 985 (9th Cir. 2003) (backup protection means “storing a message on a service provider’s server after delivery to provide a second copy of the message in the event that the user needs to download it again”). Because the EINSTEIN 2.0 sensors scan a mirror copy of Federal Systems Internet Traffic for the purpose of detecting malicious computer code, there is no routing of the contents of any communication stored by an ISP for purposes of backup protection. It is true that EINSTEIN 2.0 technology would store data packets containing malicious computer code for later review by DHS analysts. But the “purpose” of any storage and subse- quent review by analysts of blocked data packets would be to prevent

109 33 Op. O.L.C. 63 (2009)

intrusions and exploitations against Federal Systems, and not “to provide a second copy of the message in the event that the user needs to down- load it again.” Id. at 985. Therefore, we have no reason to believe that EINSTEIN 2.0 operations would divulge the contents of communications stored for backup protection. Even if section 2702(a)(1) would apply to EINSTEIN 2.0 operations, scanning Federal Systems Internet Traffic for malicious computer code would fall within the SCA’s consent exception in 18 U.S.C. § 2702(b)(3) as long as EINSTEIN 2.0 Participants consistently adopt, implement, and enforce the terms of appropriate log-on banners or computer-user agree- ments, as discussed in this memorandum. Section 2702(b)(3) states in relevant part that an electronic communication service provider “may divulge the contents of a communication . . . with the lawful consent of the originator or an addressee or intended recipient of such communica- tion.” Id.; see also id. § 2702(c)(2) (provider may divulge information pertaining to subscriber or customer of electronic communication service, but not the contents of that communication, “with the lawful consent of the customer or subscriber”). We have interpreted a similar consent ex- ception in 18 U.S.C. § 2703(c)(1)(B)(iii) (2006), which states that a provider shall divulge a record pertaining to the identity of a subscriber or customer—but not the contents of a communication—to a govern- mental entity that “has the consent” of the customer or subscriber, in pari materia with the consent exception in the Wiretap Act. See Caller ID, 20 Op. O.L.C. at 319 & n.12 (interpreting consent exception in section 2703(c)(1)(B)(iii) in accord with the consent exception in the Wiretap Act). We also construe the consent exception in section 2702(b)(3)— which is even more closely analogous to the consent exception in section 2511(2)(c) than is section 2703(c)(1)(B)(iii)—in pari materia with section 2511(2)(c). See supra p. 105. For the reasons already noted with respect to the consent exception in the Wiretap Act, see supra Part III.A.1, to the extent the SCA applies to EINSTEIN 2.0 operations, we believe that the government could obtain proper consent under section 2702(b)(3) and (c)(2) through the consistent and actual use of log-on banners or comput- er-user agreements. 12

12 EINSTEIN 2.0 operations also may fall within the “rights or property” exceptions

to the SCA, see 18 U.S.C. § 2702(b)(5), (c)(3). The SCA’s “rights or property” exceptions are substantively similar to the parallel exception in the Wiretap Act. The SCA’s first

110 Use of the EINSTEIN 2.0 Intrusion-Detection System

D.

Finally, we conclude that the Pen/Trap Act would not apply to EINSTEIN 2.0 operations where EINSTEIN 2.0 Participants consistent- ly adopt, implement, and enforce the terms of appropriate log-on banners or computer-user agreements, as discussed in this memorandum. Section 3121(a) of title 18, United States Code, provides that “[e]xcept as provid- ed in this section, no person may install or use a pen register or a trap- and-trace device without first obtaining a court order under section 3123 of this title or” FISA. 18 U.S.C. § 3121(a) (2006). As relevant here, the statute defines a “pen register” as a “device . . . which records or decodes . . . routing, addressing, or signaling information transmitted by an in- strument or facility from which a wire or electronic communication is transmitted, provided, however, that such information shall not include the contents of any communication.” Id. § 3127(3) (2006). And a “trap- and-trace device” means “a device . . . which captures the incoming electronic or other impulses which identify . . . routing, addressing, and signaling information reasonably likely to identify the source of a wire or

rights or property provision states that a provider of electronic communication service to the public may divulge the contents of a stored communication “as may be necessarily incident . . . to the protection of the rights or property of the provider of that service.” 18 U.S.C. § 2702(b)(5). Another provision in the SCA permits a provider of electronic communication service to the public to disclose non-content information regarding a subscriber or a customer “as may be necessarily incident to . . . the protection of the rights or property of the provider of that service.” Id. § 2702(c)(3). In light of the similarities in wording and subject matter between the SCA’s rights or property exceptions and the Wiretap Act’s parallel provision, we construe them in pari materia. See supra pp. 105, 110. A crucial difference, however, between the “rights or property” exceptions in the SCA and the one in the Wiretap Act is that the SCA provisions apply only to a provider of electronic communication service to the public, whereas the Wiretap Act provision applies to any provider of such service, whether to the public or otherwise. As we noted, it is debatable whether the government is a “provider” of electronic communication service to the public under the SCA. See supra pp. 94, 108. Assuming that the govern- ment is a public provider of electronic communication service, the SCA’s rights or property exceptions apply to any action under EINSTEIN 2.0 divulging the contents of stored electronic communications or non-content information concerning a subscriber or a customer that is reasonably necessary to protect Federal Systems. See supra Part III.A.2. Of course, if the government is not a public provider, then the provisions of the SCA do not apply to it in any event.

111 33 Op. O.L.C. 63 (2009)

electronic communication, provided, however, that such information shall not include the contents of any communication.” Id. § 3127(4). 13 We assume for the purposes of this memorandum that the use of EINSTEIN 2.0 technology would fall within the definitions of both a pen register and a trap-and-trace device, because they can both “record” and “capture,” 18 U.S.C. § 3127(3) & (4), information that identifies routing, addressing, and signaling information for data packets that are part of Federal Systems Internet Traffic. See supra pp. 66–68, 71. Hence, absent an exception, we assume that the government would be required to obtain a court order before the deployment, testing, and use of EINSTEIN 2.0 technology. See 18 U.S.C. § 3123 (2006). As with the Wiretap Act, FISA, and the SCA, obtaining the valid con- sent of Executive Branch employees also exempts EINSTEIN 2.0 opera- tions from any applicable requirement of the Pen/Trap Act. Section 3121(a) “does not apply with respect to the use of a pen register or a trap-and-trace device by a provider of electronic or wire communication service . . . where the consent of the user of that service has been ob- tained.” 18 U.S.C. § 3121(b)(3). 14 We believe that an EINSTEIN 2.0 Participant providing Internet service to its employees through govern- ment-owned information systems and its Federal Systems would qualify as a “provider of electronic . . . communication service” within the mean- ing of the Pen/Trap Act. See supra p. 98; 18 U.S.C. § 2510(15). Accord- ingly, the government would be exempt from the prohibitions of the Pen/Trap Act with respect to EINSTEIN 2.0 operations where the “con- sent” of the “user[s]” of their electronic communication service “has been obtained.” With respect to both entities, we believe that the “user” whose consent needs to be obtained is the Executive Branch employee using a government-owned computer at an IP address that is subject to EINSTEIN 2.0 operations. For the same reasons discussed above we believe that EINSTEIN 2.0 Participants could obtain proper consent from their em-

13 Title III of FISA also establishes a statutory basis for the government to obtain an

authorization from the FISC to install a pen register or a trap-and-trace device in order to acquire certain foreign intelligence information. See 50 U.S.C. §§ 1841–1846 (2006 & Supp. II 2008). Under FISA, the terms “pen register” and “trap and trace device” have the same meanings as used in 18 U.S.C. § 3127(3) and (4). See 50 U.S.C. § 1841(2). 14 The consent exception in section 3121(b)(3) also applies to the provisions in FISA

authorizing the installation or use of such devices to acquire foreign intelligence infor- mation.

112 Use of the EINSTEIN 2.0 Intrusion-Detection System

ployees under section 3121(b)(3) through the consistent adoption, imple- mentation, and enforcement of appropriate log-on banners or computer- user agreements, as discussed in this memorandum. Therefore, we con- clude that the deployment, testing, and use of EINSTEIN 2.0 technology would not constitute the unauthorized installation or use of a pen register or a trap-and-trace device under 18 U.S.C. § 3121(a). 15

STEVEN G. BRADBURY Principal Deputy Assistant Attorney General Office of Legal Counsel

15 EINSTEIN 2.0 operations also may fall within the “rights or property” exception to the Pen/Trap Act. Section 3121(b)(1) provides that the prohibitions of that Act do not apply with respect to the use of such technology “by a provider of electronic or wire communication service . . . relating to . . . the protection of the rights or property of such provider, or to the protection of users of that service from abuse of service or unlawful use of service.” 18 U.S.C. § 3121(b)(1). We believe there is a strong argument that EINSTEIN 2.0 operations are subject to this “rights or property” exception. The rights or property exception in the Pen/Trap Act is more expansive than the parallel provisions in the Wiretap Act and the SCA. There is no requirement under the Pen/Trap Act provision that the action of a provider be “necessary” to protecting its rights or property. Furthermore, the Pen/Trap Act provision also permits a provider to protect not only its own rights or property, but also its users against “abuse of service or unlawful use of service.” 18 U.S.C. § 3121(b)(1). Accordingly, under EINSTEIN 2.0 operations the government is protecting the Executive Branch “users” of the Internet service and the government’s own rights and property. For these reasons and the reasons noted with respect to the narrower exception in the Wiretap Act, see supra Part III.A.2, we believe the rights or property exception to the Pen/Trap Act provides an additional basis to believe that EINSTEIN 2.0 operations are consistent with the Pen/Trap Act.