I'm going to try to answer your questions. I'm not a lawyer, but I've spend a good deal of time reading up in this space. My answers probably aren't exactly right, but they are probably fairly close. Elonka wrote: ] This is a question that I've been following closely, ] especially as regards the war on terrorism. If an ISP or ] other online service provider were to discover that one of the ] names on the "FBI's Most Wanted Terrorists" list showed up in ] their user list, what are they legally allowed to do? You are always allowed to call the cops. If you see something that you think is suspicious you are allowed to inform the police about it. Sometimes, particularily with respect to intellectual property, you are legally compelled to remove offending content, etc if you happen upon it... ] How much information can the ISP legally volunteer to law ] enforcement (name/address/credit card/surfing habits/etc), and ] at what point should the line be drawn about requiring ] oversight of which information is released? Its fuzzy. It depends on the situation. You can't provide the police with any information that you shouldn't have. If you're an ISP you shouldn't be logging the contents of the emails of your users without informing them clearly that you do this. For the most part, if you hook up something that collects emails from someone because you decided that they are suspicious, and then you turn that information over to the police, the data may not be admissible, because the person has a reasonable expectation of privacy and you violated that. This is why your privacy policy is important. If you tell your customers that you are going to defend their privacy, then you are contractually obligated to actually do it. For the most part, the rules have more to do with what you are compelled to provide rather then what you are required to keep secret. It is assumed that the market will sort out the rest, as customers tend to prefer that their privacy be protected, and choose companies that agree to do so. ] Also, which law enforcement agencies should be entitled to ] which? If an ISP volunteers the full set of info to the FBI, ] can or should they also volunteer that information to their ] local police? You can call any police agency that you want, and offer what you want to them (notwithstanding the above issue). Whether they actually act on it is a matter of jurisdiction, and severity. ] Or what if a police department from another ] state contacts the ISP and asks for the info? Or a lawyer ] from another state? You are not COMPELLED to respond to either request without court authorization, except in the case of a DMCA notice (intellectual property.) You can respond to them if you want, presuming you are not violating your privacy policy in doing so. ] How much burden should the ISP assume in ] order to confirm that they're getting a bonafide request from ] a legitimate law enforcement agency? This is a good reason to require a subpoena. The fact that the law enforcement agency is legitimate doesn't mean that the request is. Allow the court system to make these decisions for you. Thats what they are there for. In the case of DMCA notices, this is extremely messy. You can decide that the request isn't bonafide, but a court could later determine that you should have known that it was bonafide, and fine you. I think this occured with Netcom re: the scientologists under an earlier law which simply said that content had to be taken down based on a request. ] I hear that some ISPs ] require a subpoena for *any* info request. They are within their rights to do so. You aren't compelled to provide information without a subpoena, except in the case of a DMCA notice. If your privacy policy says that you aren't going to provide your customer's personal information to third parties, then you are contractually obligated to protect it unless their is a legitimate request (backed by a court). ] Another ISP that I've heard about won't release any info ] unless an agent *personally visits their offices*, which ] obviously places a huge, expensive (and in my opinion ] unreasonable) burden on agents attempting to investigate a ] cyberspace crime which may span across multiple states. Any multistate agency is going to have agents in your town unless you live in the sticks. Furthermore, if you get a subpoena the agents will probably show up at your location anyway. Multistate agencies only investigate serious crimes for which the resouces required to pursue the investigation are reasonable. (I think that the internet creates an evironment where you need multistate agencies who investigate petty crimes, but this hasn't occured yet.) A good place to dig around for information about this (which you may be aware of already) is www.epic.org... EPIC has done a lot of work on trying to educate ISPs about what they are compelled to provide, and furthermore, has encouraged ISPs to protect information that they are not compelled to provide. Basically, the 4th amendment is only useful to the extent that we uphold it. RE: LawMeme: eBay's Policies on Cooperation with Law Enforcement |