Tracy Mitrano, Ph.D., J.D.
Director of Computer Policy and Law
The Patriot Act was passed six weeks after it was introduced, making it one of the most significant pieces of congressional legislation passed in such a short period of time. It stands within a body of governmental actions that can be grouped under the heading of "emergency measures." These are actions taken on the part of the federal government to address what are perceived to be extraordinary circumstances that threaten national security. Historians are likely to bundle the Patriot Act with other measures such as the Alien and Sedition Acts of the 1790’s, Abraham Lincoln’s suspension of habeas corpus during the Civil War, the Abrams decision suppressing free speech during the First World War and the Palmer raids immediately following it, and the First Hundred Days of New Deal legislation. The consequences of emergency measures were not always foreseen. When asked if he knew for sure whether his New Deal legislation would lift the American economy out of the depression, for example, Franklin Delano Roosevelt admitted that he did not. He quickly added, however, that he was committed to trying anything until he found something that worked! Political strategists behind the Patriot Act may not be as candid about their uncertainty as to results, but it is true that this emergency legislation, proposed by Congress and signed by President Bush, represents the country’s best legislative efforts to confront domestic terrorism.
Like Roosevelt’s New Deal legislation, the Patriot Act raises constitutional questions, and like some of the early New Deal Acts, the Patriot Act (or significant parts of it) may be found by the Supreme Court to be unconstitutional. Before the ink was dry on the Patriot Act, observers from both right and left ends of the political spectrum had First, Fourth, Fifth, Sixth, and Tenth Amendment objections to it. Ultimately, time and circumstances will reveal the efficacy and constitutionality of this Act. While the Supreme Court may eventually address some of possible issues, American institutions and citizens must respond to the law now. Given the vital role that higher education plays in American society, it’s no wonder that colleges and universities are urgently asking what the law newly requires of them.
The Patriot Act, whose formal name is the "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act," and whose stated purpose is "to deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigatory [sic] tools, and for other purposes," was signed into law on October 26, 2001. It is well over a hundred pages.
A brief look at some of the headings used in the law give an overview of its scope:
One of the most frequently asked questions about the Act is how does it define terrorism? In fact, it defines two types of terrorism, foreign and domestic. Of the two types, domestic terrorism is more relevant to higher education. The definition of domestic terrorism in the Act can be distilled as follows:
'domestic terrorism' means activities… [that] involve acts dangerous to human life that are a violation of the criminal laws of the United States or of any State; appear to be intended (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping; and occur primarily within the territorial jurisdiction of the United States.
Two of the most immediate questions about the Act as it relates to information technology are:
The answer to both questions is no. No network re-architecting is proactively required, but in the presence of authorization (usually in the legal form of a subpoena), redesigns may be necessary to accommodate pen registers, trap and trace devices, or the infamous "Carnivore" device. In that event it may be helpful to note that section 222 of the Patriot Act states that "reasonable compensation" may be obtained for the "reasonable expenses" incurred in accommodating authorizations that require the application of surveillance devices. The Patriot Act also does not require that networks retain logs. Again, however, if law enforcement presents authorization requesting logging information, either the network must then begin to provide (usually with the kinds of devices mentioned above) or they must preserve the logs they have on hand specific to the information requested in the authorization.
Some of the Act’s general provisions warrant special notice for those with an eye toward developments in the information technologies sector. Section 103 of Title I, for example, demonstrates that Congress was willing to put its money where its legislation was. It provides increased funding for the already-existing national Technical Support Center to the tune of $200,000,000 each year for 2002, 2003, and 2004. This section also calls for an expansion of the national Electronic Crime Task Force Initiative on the model of the New York Electronic Crimes Task Force, for the purpose of "preventing, detecting and investigating various forms of electronic crimes." And in one of the sections celebrated by network owners and operators, a collateral provision, section 814 of Title VIII, provides for "cyber crime" damages in excess of $5000.00 against perpetrators.
The Patriot Act both creates new law and amends existing law. For colleges and universities, the greater impact is amendments to existing law including:
FERPA, born out of what many believed to be abuses in the sharing of students’ records with government in the civil rights and anti-Vietnam War era protests, protects students’ records from non-authorized disclosures. Title V, section 507 of the Patriot Act amends FERPA by creating a new exception to the privacy protections, "emergency disclosure." If a U.S. assistant attorney general, or similarly ranked federal official, obtains a court order relevant to a terrorist investigation, the law now requires that an educational institution must turn over the requested records without the student’s consent. Moreover, the institution need not even maintain a record of the transaction. Critics of this section of Patriot Act find it redundant to the already existing "health and safety exception." That existing exception may be deployed to protect the safety of a student, for example, if a student is missing, university officials can gain access to the student’s room or e-mail to assist in locating them. Contemporary circumstances might readily make a distinction here between the health and safety of an individual student and the health and safety of everyone else in the case of a potential terrorist attack. That this section of the Patriot Act is narrowly tailored to terrorism–unlike some others to be discussed below–may be why it does not enjoy the "sunset" provisions of those other amendments, and why it is likely to withstand constitutional challenge.
In an era marked by privacy concerns, the original FISA represented an exception, quite literally a "hostile foreign power" exception, to the liberal trend in the 1960’s and 1970’s toward protecting privacy. Presciently passed as the Iranian Revolution was mounting antipathy towards the United States, FISA has mostly slumbered for twenty some years. It stands for the proposition that if law enforcement believes a "hostile foreign power" is behind criminal activity under investigation, the investigation does not have to follow the traditional fourth amendment protection. Before the Patriot Act, a seven-member panel of judges met in a special FISA court to review sealed applications for subpoenas or warrants. The only information citizens had or will have about the applications are annual reports that the Vice President is required by law to give to the Senate each year outlining the number of applications and number of acceptances. From previous statistical reports we know that the special FISA court has historically approved almost all of the applications. Since the Patriot Act, the number of judges has been raised from seven to (in contemplation of a rise of the number of applications). Some geographic limitations concerning residency have been placed on a percentage of that panel (in contemplation of the fact that the judges have to get to the Washington office on short notice to process requests). In case law, FISA might eventually come to stand as a support for the distinction between citizens and non-citizens in the application of the Patriot Act. So, too, under extreme conditions it might be brought to bear against citizens or non-citizens whom law enforcement perceives as "hostile foreign powers" even though they reside within American borders.
Given the unusual nature of this law, it comes as no surprise that the Patriot Act’s business records amendment to FISA has raised constitutional eyebrows. Section 501 of the Patriot Act states that a federal agency armed with a court order can obtain certain business records pursuant to an investigation of "internal terrorism or other clandestine intelligence activities" so long as the investigation is "not conducted of a United States person solely upon the basis of activities protected by the first amendment." Setting aside understandable confusion about what constitutes either a "United States person" (a person in the United States? A citizen of the United States?) or "activities protected by the first amendment" (since there is a long, interesting, and shifting history of that jurisprudence), the real issue is the stipulation that prohibits the record keeper from disclosing the request to anyone "other than those persons necessary to produce the tangible things under this section." This provision has its place in the context of a desire not to tip off a bona fide terrorist, but for colleges and universities especially, this imposed silence may be antithetical to principles of free inquiry and expression. In the meantime, and on a more practical level, administrators would be well advised to establish procedures for chain of custody and command as well protocols to ensure confidentiality in order to comply with this law.
Historical Background and Legal Basics of ECPA
ECPA is the "wiretapping act" for the Internet. To place that statement in context requires a little history of that Act. In 1928 the Supreme Court declared in the Olmstead case that it was legal for law enforcement to "tap," or deploy listening and recording devices accessing the content of telephone line communications, on the jurisprudential theory that the search and seizure was on a thing–the line–and not a person per se. Almost forty years later, and in a very different political climate, the Court overruled that decision. In Katz, Justice Black made the now famous remark that the fourth amendment protects "people, not things," and in so doing declared that henceforward law enforcement would require authorization in order to tap telephone lines for content. The next year, Congress passed the Omnibus Act that set down the rules of engagement for legal authorizations of wiretapping.
ECPA transposes these rules of engagement for telephones to network services. The central idea of the Act is to protect the "privacy of communications," but a number of exceptions exist to the rule. These exceptions include: operators in the course of business (like a telephone lineman or operator who overhears a conversation in the course of their work), consent from a party to the communication (one party in an e-mail correspondence can publish the correspondence without the permission of the other person and without incurring liability under this Act), and, of course, law enforcement acting under color of law. On that last point, it may be instructive for the non-lawyer to know that authorization could take a myriad of forms: subpoena, warrant, administrative or court orders, or an even rarer bird, an authorized 12333 Executive Order letter. Moreover, the kind of information that law enforcement seeks usually conditions the type of authorization they are require to obtain. The greater the degree of content sought, for example, will raise the stakes of the showing they must present to a higher form of authorization. For example, an administrative order is generally easy for law enforcement to obtain, but it does not usually provide for content. A court order, on the other hand, is harder to get — law enforcement must present a strong case with substantiated evidence — but it usually provides for content. The law places the content of real-time transmissions at the pinnacle of this showing-content hierarchy.
Patriot Act Amendments of ECPA: Required Disclosure
This fourth amendment primer sheds light on a controversial area of Patriot Act amendments of ECPA. Prior to the Patriot Act, law enforcement required a traditional subpoena in order to acquire "routing" information, information that by and large is in the realm of telephonic communications and would not require a high level of authorization. Since the Patriot Act, a new method of what some observers have called "rubber stamp" subpoenas has replaced that traditional authorization standard. Observers have objected to the post-Patriot Act diminishment of the showing necessary for law enforcement to obtain authorization for the pen registers and trap and trace devices that capture this kind of routing information. If it were a one-to-one equivalency between telephonic and electronic communications, precedent would weigh in on the side of constitutionality of these new provisions. While there is a similarity, there may not be a complete equivalency, however. The degree to which content–subject lines of e-mails or urls–gets "trapped and traced" will probably throw this question to the lower courts for fact finding before the Supreme Court even grants certceriori.
The purpose of the "rubber stamping" of subpoenas under ECPA is to make it easier for law enforcement to obtain information. The lower showing for the application of a subpoena coupled with the alleviation of liability under ECPA for the college or university to make this required disclosure should naturally expedite information exchange. While the net effect on colleges and universities should be salutary–that is they do not carry liability for releasing information under these rules–this net affect should not mean that administrators have no concerns. A lower showing also makes it quite possible that the volume of these required showings would increase. At the very least, colleges and universities should review their policies and procedures for the handling of legal papers or any other kind of request for information made on the part of law enforcement.
Cornell provides an example. Before the Patriot Act, and notwithstanding a centralized policy office, no university policy for handling of such requests existed. A new policy sponsored by counsel’s office is now on the docket in contemplation of these requests, and in light of the need for such a policy irrespective of any anticipated volume. Moreover, individual departments, such as the central computing and network organization, have established departmental protocols about the routing of those requests as they make their way through counsel’s office. As the policy advisor under whose name that protocol went out, I can attest that it brought to light requests from federal authorities of which departmental management had hitherto no knowledge. Routine management operations, not to mention new computer trespass provisions in the Patriot Act, to be discussed below, make regulation of such requests, formal and informal, imperative.
Patriot Act Amendments of ECPA: Voluntary Disclosure
The "rubber stamp" subpoena is one of the two new "exceptions" that the Patriot Act adds to ECPA. "Emergency disclosure" is the other. Section 212 of the Patriot Act amends section 2702 of ECPA to allow for an owner or operator of a network system who reasonably believes that they have accessed information endangering life or limb to disclose that information to virtually anyone — whether it is a law enforcement official or the guy sitting next to you (in the event that the message accessed is something to the effect that there is a bomb in the network operation center!) without fear of subsequent liability under ECPA.
Only a former law student would dream up hypothetical situations that make such an obvious exception potentially problematic. Suppose the message that the network operator accesses in the course of business is from the histrionic extra-marital lover of, say, the president of the university. "I will kill myself if I don’t see you tonight." The operator calls the police, and somehow the press gets a hold of the story. Crazier things have happened, and given that truth is often stranger than fiction, it would do well for administrators to set up protocols under this contingency. At Cornell, the Office of Information Technologies protocol states that if an operator reasonably believes they have information about immediate danger to life and limb, they are to contact the campus police and then either the policy advisor or security coordinator. The value of this protocol is to get responsible people involved to help in the case of a real threat and to control damage in the alternative.
Patriot Act Amendments of ECPA: Computer Trespass
At first glance, the new computer trespass additions to EPCA may seem like a no-brainer. Essentially it makes legal a network owner/operator’s request for law enforcement to investigate a computer abuse so long as the owner/operator reasonably believes such is the case and that the investigation remains limited to the trespass. Given that people call the police all the time when they believe that a crime has been committed on or to their property, and moreover that the Patriot Act (under Title VIII, section 814) provides for a claim of action against trespasses for damage in excess of $5,000.00, which provides owners and operators with added incentive to use all the resources that they can to locate trespassers, this provision should not raise eyebrows. Once again, however, real life introduces so many other variations on this simple theme. The nature of electronic communications being what they are, namely more transparent to outsiders than traditional wire telephonic communications, it is not entirely impossible for law enforcement to observe from the outside potential trespass occurring inside a system. For example, they may be monitoring the activities of a potential trespasser, and from that angle observe "IP hopping" or "electronic interloping" in particular airspaces that are as easy to identify as area codes and phone numbers. The government may even be the recipient of scans that shoot out as the result of a computer compromise. University networks have historically been favored sites to launch denial of service attacks, which also bring colleges and universities under governmental scrutiny.
What prevents a federal law enforcement official from initiating a call to the owner/operator to offer their resources and services in such cases? Nothing, of course, and because all reasonable people are interested in fighting crime in general and terrorism in particular such moments come charged with a propulsion to be gracious and help. Here is where the consequences may be unforeseen. With the approval of an owner/operator of a network system for federal law enforcement to investigate computer trespass (which the Patriot Act does not tie to terrorism per se) officials come without any additional authorization. There is nothing in the legislation that ensures the owner/operator’s specific control of the investigation "limited to the investigation of trespass" is a broad statement. Even before the Patriot Act it was not unheard of to have federal law enforcement investigate a computer crime with the unfortunate result that unsophisticated agents walked a router out the door causing the complete paralysis of the system for months. It is not clear that owners/operators can ask investigators to leave as precipitously as they can ask them to come, and, of course, there is nothing in the law that prevents them from returning armed with authorization based on the information they gathered without it.
Finally, such open-ended, loosey-goosey forms of investigations are the very fodder for constitutional violations. What are the consequences there? A potentially innocent defendant does not enjoy the usual constitutional fourth amendment protections of probable cause and judicial oversight while a potentially guilty one, clever enough to raise the question, might enjoy the exclusionary relief accorded to constitutional violations. The result in that kind of case is usually that there is not enough other evidence to convict, and voila, the bona fide trespasser gets off. Colleges and universities are not likely to get sued, although section 1983 actions always remain a remote possibility. But even with the best of intentions and a law designed, if nothing else, to alleviate liability and encourage the sharing of information with law enforcement, they may nonetheless find themselves complicit in a legal formula that has potential constitutional infirmities.
What is the best course of action for a college or a university contemplating an invitation to federal law enforcement to investigate computer trespass? Once again, a proactive protocol is well advised. That protocol might begin with the requirement that no individual member of the college or university community be allowed to make the request of federal law enforcement without administrative and legal consultation. A routing procedure would facilitate the direction of that request, as well as a pre-established selection of officers or officials of the institution designated to evaluate the situation such as the Vice President or CIO of Information Technologies, an IT security and/or policy advisor, and an informed representative of counsel’s office. Some questions they might want to ask are: why federal intervention, how to oversee and control the search, is it possible to negotiate in advance with authorities about checkpoints or release of information or the ability to terminate the investigation at any time? Of course, nothing prevents federal authorities from returning to the institution with authorization based on information gathered during an invited search, but at least pre-negotiated limits build in a degree of autonomy for the institution left entirely open by the legislation.
The Patriot Act does not create an absolute requirement for new policy at American colleges and universities, but it does prompt an evaluation of existing policies and suggest circumstances whereby the creation of proactive protocols could save institutions from administrative confusion, mistakes or even legal liability. The Patriot Act does not require the retention of logs or re-architecting of a network system, and contrary to some civil libertarian concerns, it does not allow federal law enforcement to act without any of the traditional constitutional protections. The Patriot Act does, however, make it easier for law enforcement to request some kinds of information, which may increase the probability of those requests. Moreover, it presents administrators with some new challenges such as whether to keep records on law enforcement requests under the new FERPA exception, how to maintain confidentiality of requests for business records under FISA, and who should decide to request federal intervention for a computer trespass, and how that request should be made. The robust character of American political discourse almost guarantees that the Patriot Act will raise constitutional questions; a gross deprivation of constitutional protections would be the final victory of terrorists. But in the meantime, college and university administrators must continue to provide stewardship for their institutions and would do well to review policy, process and protocols at their institutions in the light of these new historical circumstances and legal demands.