The privacy of parties to electronic communication sessions is protected by federal law, regulation and most state law. However, under the provisions of the Electronic Communication Privacy Act of 1986, electronic communications service providers are permitted to monitor the contents of data communication sessions to which they are a party in order to protect their property rights. According to these provisions, whenever communications from a specific telephone line are suspected of involving illegal and unauthorized activities commonly known as "hacking" which threaten the property of the service providers, the service providers are authorized to monitor the communications and collect evidence of the unauthorized activities. However, the collection of data under such circumstances that is intended to be used as evidence in subsequent criminal prosecutions must be based on court-established standards of reasonableness. Thus, the collection of data on threatening activities cannot be arbitrary and indiscriminate, and should only be based on the detection of telltale signs that the provider's host computer systems are being accessed without authorization and their property rights are indeed being violated.
Fraud on the property rights of the service providers is not new. A past example was the activity known as "blue box" toll fraud. In this type of activity a telephone subscriber intent on defrauding the telephone service providers would make a toll-free telephone call and then send a single 2600 Hz tone on the telephone line, causing the switching equipment to release the connection but allow the caller to originate another call for which no billing would be rendered. Because a 2600 Hz tone of the duration and signal strength needed to cause such a release would not normally occur on a subscriber's line, the presence of such a tone was construed as probable cause for further investigation and recording activity on the line. In order to combat such toll fraud, Dialed Number Recorders (DNRs) were developed to monitor for the presence of inband signaling indicative of this type of fraud. The DNR would record the new called address and record the progress of a call whenever a 2600 Hz tone of sufficient signal strength and duration was encountered. When monitoring is restricted in this fashion, the courts have held that the information collected does not violate an individual's privacy rights and is admissible as evidence in criminal proceedings.
The situation with regard to data communications fraud is more difficult. Although it is relatively easy to monitor modem-based data communications using commercially available equipment, it is not easy to see how such data can be selectively collected to meet the reasonableness and probable cause requirements for evidentiary purposes. The information collected using data monitors currently in the art could not be used without a court order because there has not been any way to restrict recording of communications activity to those sessions or calls that could be reasonably construed as threatening. Indeed, monitoring communications sessions without adhering to the reasonableness requirements indicated above can open a communications carrier to liability to its users. Compounding the problem, unlike the blue box fraud described above, the indication of a possible threatening or fraudulent communication is not always at the beginning of the communications session. Many times the determination that a threatening call is in progress cannot be made until later in the call, whereas the important evidence for property rights protection consists of the activities during the session prior to that determination. Therefore, there is a need to non-intrusively monitor a suspect telephone line, to record only those calls that are deemed threatening, and to capture and record the entire call even if the determination that the session is threatening is made later in the call.
In attempting to obtain evidence of possible improper communication from a suspected intruder, the security people involved are aware of the possible intruder's telephone line. What is also needed is awareness that the intruder, using a terminal or other equipment connected to that line, is attempting to gain access to equipment within the communications network for which the intruder does not have authorization. If one could determine from the access codes or dialed numbers emanating from the suspected intruder's terminal equipment that such access is being attempted, the problem would be quite simple to resolve. Unfortunately, the dialed numbers appearing on the potential intruder's line do not necessarily indicate the ultimate destination sought.
There may be a number of reasons why the dialed numbers will not identify a threatened destination point or system. One reason is that potential intruders do not usually address their destination directly but approach it indirectly, by proceeding through a number of intermediate systems or locations using a technique commonly known as weaving. Thus the dialed number appearing on the suspect's line may be that of a computer system which the suspect may properly have authority to access but which is not the ultimate system destination. Another reason is that in accessing packet networks, the access signals or dial signals first appearing on the intruder's line would be merely the identification of the packet network and not of the ultimate destination sought.
Therefore, it is the primary objective of the present invention to collect evidence of communication to a service provider's host computer that threatens to violate the service provider's property rights. It is an additional objective of the present invention to collect evidence of such activities that would be admissible in court. In order to achieve these objectives, it is a further objective of the present invention to identify only those communication sessions or calls which are deemed threatening. It is a further objective of the present invention to be able to develop a record of the entire communication session or call, even if the determination that the call is threatening, or that the communications provider is a party to the call, isn't made until late in the communications session, and to do so without ever recording the contents of the session in non-volatile media until such a determination is made.
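The last objective above can be sketched in code. This is an added example, not the invention's own implementation: a session is held only in memory, written to storage in full once a trigger fires, and discarded otherwise. The trigger used here (the provider's host banner followed by three failed logins), the names, and the sample sessions are assumptions made for illustration.

```python
from typing import List, Tuple

# Hypothetical telltale signs; the page does not name specific indicators.
PROVIDER_BANNER = b"PROVIDER-HOST"   # shows the provider's host is a party
FAILED_LOGIN = b"LOGIN INCORRECT"
FAILURE_THRESHOLD = 3


class SessionRecorder:
    def __init__(self, store: List[bytes]):
        self.store = store           # stand-in for non-volatile media
        self.pending = bytearray()   # volatile copy of the call so far
        self.partial = b""           # unterminated line carried across chunks
        self.provider_seen = False
        self.failures = 0
        self.flagged = False

    def feed(self, chunk: bytes) -> None:
        """Handle one chunk of data seen on the monitored line."""
        if self.flagged:
            self.store.append(chunk)  # call already deemed threatening
            return
        self.pending += chunk
        *lines, self.partial = (self.partial + chunk).split(b"\n")
        for line in lines:
            upper = line.upper()
            if PROVIDER_BANNER in upper:
                self.provider_seen = True
            # Failures on intermediate hosts reached by weaving do not count.
            if self.provider_seen and FAILED_LOGIN in upper:
                self.failures += 1
        if self.failures >= FAILURE_THRESHOLD:
            self.flagged = True
            self.store.append(bytes(self.pending))  # entire call up to now
            self.pending.clear()

    def end(self) -> bool:
        """Close the call; an unflagged call is dropped without being stored."""
        self.pending.clear()
        self.partial = b""
        return self.flagged


def replay(chunks: List[bytes]) -> Tuple[bool, bytes]:
    """Run one constructed session; return (flagged, bytes that reached storage)."""
    store: List[bytes] = []
    recorder = SessionRecorder(store)
    for chunk in chunks:
        recorder.feed(chunk)
    return recorder.end(), b"".join(store)
```

Matching is done on complete lines so that an indicator split across two chunks is still detected.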