IT@Cornell


The Patriot Act of 2001: Potential Implications for Information Technologies in Colleges and Universities

Copyright © 2002 Tracy Mitrano

Patriot Act of 2001

Formalities

  • H.R.3162
    Sponsor: Rep Sensenbrenner, F. James, Jr. (introduced 10/23/2001)
    Latest Major Action: 10/26/2001 Signed by President

Title:

  • Uniting and Strengthening America by Providing Appropriate Tools to Required to Intercept and Obstruct Terrorism Act [sic]

Subtitle (Stated Purpose)

  • To deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigatory tools, and for other purposes.

Patriot Act of 2001

Title I

Enhancing Domestic Security Against Terrorism

Title II

Enhanced Surveillance Procedures

Title III

International Money Laundering Abatement and Anti-Terrorism Financing Act of 2001

Title IV

Protecting the Border

Title V

Removing Obstacles to Investigating Terrorism

Title VI

Providing for Victims of Terrorism, Public Safety Officers, and Their Families

Title VII

Increased Information Sharing For Critical Infrastructure Protection

Title VIII

Strengthening the Criminal Laws Against Terrorism

Title IX

Improved Intelligence

Title X

Miscellaneous

Construction: Severability

If one part is deemed to be unconstitutional, it shall not deem the entire legislation unconstitutional, and therefore unenforceable. Each part or section is severable from the others on constitutional grounds.

Central Point: Definition of Terrorism

Act divides definition into two parts

  • Foreign
  • Domestic

For the purposes of our discussion, the definition for domestic terrorism is the more helpful to keep in mind.

Domestic

"the term 'domestic terrorism' means activities...[that] involve acts dangerous to human life that are a violation of the criminal laws of the United States or of any State; appear to be intended (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping; and occur primarily within the territorial jurisdiction of the United States."

History of Emergency Acts and Government Actions

  • Alien and Sedition Acts of 1790's
  • Suspension of Habeas Corpus during Civil War
  • Abrams: Muting of Free Speech during WWI
  • Red Scare and Palmer Raids in post WWI period
  • FDR, Great Depression New Deal Legislation
  • Internment of Japanese during WWII
  • Blacklisting and Congressional Hearings in the McCarthy, Anti-Communist Era, Post WWII era
  • Wiretapping and general harassment of government critics in civil rights and Vietnam War era

General Questions about Impact of the USA-Patriot Act

  • What major legal direction does it take in order to fight terrorism?
  • Is it a significant change in existing law affecting IT infrastructures?
  • In what areas of IT does it make a difference?
  • Is the net result a dramatic diminution of privacy?
  • Does the FBI have a carte blanche to IT infrastructure?

Some Quick Answers

  • Its major legal and strategic thrust (in Title II, if not all of the legislation):
    • To facilitate the sharing of information between both
      • Private entities and government
        • By alleviating liability for disclosure
      • Federal and local law enforcement
        • By overturning agency regulations in place since the 1970's to separate the two with formalistic procedures
  • No proactive re-architecting of network systems
    • But with authorization, yes...
  • No proactive requirement to retain logs
    • But with authorization, yes,
      • 90 day usual
      • Easily extended to 180 with a follow-up letter

Some Quick Answers

  • In Title II there are a couple of potential constitutional questions
    • FISA business records
    • FISA/ECPA "rubber stamping of subpoena"
    • ECPA "computer trespass"
  • Carte blanche?
    • In the eye of the beholder, and in the balance of security v. privacy
    • Time will tell whether the Patriot Act is constitutional (in whole or in part) or not, or whether it shifts the constitutionality of contemporary jurisprudence.

Title I: Enhancing Domestic Security Against Terrorism

  • Section 103: Increased funding for the Technical Support Center
    • Addition to established funding for section 811 of the Antiterrorism and Effective Death Penalty Act of 1996
    • $200,000,000 addition each year for 2002-2004
  • Section 105: Expansion of National Electronic Crime Task Force Initiative
    • Director of US Secret Service shall create national task force on the New York Electronic Crimes Task Force model
    • Operate throughout the United States
    • For the purpose of "preventing, detecting and investigating various forms of electronic crimes."

Overview of Title II: Enhanced Surveillance Procedures

  • Sharing of Information
    • Law enforcement with federal agencies
  • Obtaining Records
    • FERPA (507 of Title V)
    • FISA
    • ECPA
  • Rewording to Include Electronic Communications
    • "routing," "network addresses," "signaling"
  • Computer Trespass
    • Deputizing owners and operators of IT
  • New Access
    • "Rubber Stamp" and National Service for Subpoenas
  • Compensations
    • FBI compensate ISP
    • Civil actions for computer abuse over $5,000 (814 of Title VIII)

Section 203: Sharing of Sensitive Information

  • Information gathered in criminal investigations by law enforcement agencies can be shared with federal intelligence services including INS, SS, CIA and FBI
    • "Criminal investigations" balanced against "unauthorized disclosure"
    • Includes telephone and Internet interceptions
    • Startling to Americans because of 1970's Church Committee revelations about CHAOS and the violations of the CIA's statutory provisions in its charter toward Vietnam anti-war protesters

Patriot Act Amends Existing Legislation

  • FERPA
    • Family Education Records and Privacy Act 1974
  • FISA
    • Foreign Intelligence Surveillance Act 1978
  • ECPA
    • Electronic Communications Privacy Act 1986

Family Education Records and Privacy Act

  • FERPA
    • Originally passed in 1974, subsequently amended
    • Historical foundation in anti-war protests protection for students' records
    • Already existing "health and safety" exception for the individual student

Family Education Records and Privacy Act, 507 of Title V

  • Patriot Act amends to permit educational institutions to disclose educational records to federal law enforcement officials without student consent:
    • If a U.S. Assistant Attorney General, or similarly ranked official, obtains a court order relevant to terrorism investigation
    • Institution is not liable, and need not maintain a record of the transaction
    • Distinct from the already existing "health and safety" exception directed to health and safety of others.

Ancillary to FERPA

  • National Center for Education Statistics
    • Federal officials can have access to survey information, which is otherwise held confidential
  • Monitoring of Foreign Students
    • Full implementation of existing Immigration and Naturalization Service law regarding information about students

Foreign Intelligence Surveillance Act 1978

  • Early recognition, if not prescience, about the potential for terrorist activities on American soil or affecting American interests internationally
  • Foreign relations exception to the legislative directions towards privacy as a result of the Church Committee and reflected in acts such as Freedom of Information Act and Family Educational Records Privacy Act

Foreign Intelligence Surveillance Act

  • FISA Court (pre-Patriot Act)
    • Seven federal judges
      • Post Patriot Act: eleven, and with residence restrictions, in contemplation of an increase in requests and the need for quick processing of them
    • Meet in closed session
    • Content of applications permanently closed
    • Only statistics, and annual vice-president's report to Congress of applications and approved
    • Example of Moussaoui Flight School case
    • Results in search warrant or subpoena
      • Post Patriot Act: reduced standard for approval

Patriot Act Amendments of FISA

  • (So-Called) Judicial "Rubber-Stamping" of subpoenas
    • Common language affecting both FISA and ECPA
    • So long as elements are met, justice or magistrate must sign it
    • But: Analogy to telephonic communications:
      • "Routing" of calls to and from: information already available without a subpoena
      • (Content - wiretap -- requires court order)
    • So:
      • Are Patriot Act provisions any different?

Patriot Act Amendments of FISA

  • Extensive use of "Pen Registers" and other surveillance techniques for the electronic media
    • Common language affecting both FISA and ECPA
    • Rewording of language to include electronic media such as "routing," "network addresses" and "wire or electronic communication"
    • "Pen Register" or "trap and trace" is not Carnivore; pen is to tracking as carnivore is to content
  • FISA pen register and trap and trace subpoenas explicitly exclude "content" but leave open the question of what in electronic communications constitutes content:
    • Subject line?
    • URLs?

Patriot Act Amendments of FISA

  • Diminution of traditional Fourth Amendment Judicial oversight of search and seizure?
  • Sure to be challenged in the courts as a centerpiece of the constitutionality of Patriot Act, and/or measure of shifting fortunes of Fourth Amendment protections under the Constitution.

Patriot Act Amendments of FISA

  • Business Records
    • FBI can seize with a court order certain business records pursuant to an investigation of "international terrorism or other clandestine intelligence activities..."
    • Prohibits record keeper from disclosing FBI action to anyone "other than those persons necessary to produce the tangible things under this section..."
    • Investigation "not to be conducted of a United States person solely upon the basis of activities protected by the first amendment..."

Patriot Act Amendments of FISA

  • Query: Does this mean I can't tell my supervisor?
    • Chain of command
    • Chain of custody
    • But not outside that loop!
  • Potential for constitutional challenge under free speech?
  • The "whistleblower's" ethical dilemma

Electronic Communications Privacy Act of 1986

  • What is it?
    • Wiretapping Act for the Internet
  • What is the "Wiretapping Act"?
    • Olmstead 1928
    • Katz 1967
    • Omnibus Crime Control and Safe Streets Act of 1968 is the actual "Wiretapping Act"
  • ECPA brings those same legal protections of telephonic communications to electronic environment

ECPA: What Does It Protect?

  • Ideally the privacy of communications in electronic media
  • Pre-Patriot Act list of exceptions
    • Usual course of business
      • But not disclosure to third parties
      • Wireless: distinction between listening and disclosing
    • Authorized law enforcement
      • Court or Administrative Order
      • Search Warrant or Subpoena
      • Executive Order 12333 Letter

ECPA: To Whom Does It Apply?

  • Statutory Language:
    • "...providers of Internet service to the public"
  • Does it apply to colleges and universities?
    • No case law on point
    • Andersen Consulting: ECPA does not apply
    • Digital Millennium Copyright Act as potential model of distinction between students and staff/faculty?
    • No distinctions between faculty and non-faculty employees
  • General Rule
    • Act as if it does, but hold question as potential defense

ECPA Sections 2702 and 2703 Amended by Patriot Act

  • Section 210 and 216 of Patriot Act
    • Like FISA pen register, expands scope of subpoena to cover electronic communications
    • Vague statutory language raises legal questions:
      • The slippery slope from routing (addresses) to content (URLs) and deeper linking

Compensation: Section 222 of Patriot Act

  • While the Patriot Act does not proactively require an IT infrastructure to re-architect its system, it does allow federal authorities to install technological tools.
  • The up-side of that ruling is that an entity can recover from the government "reasonable compensation" for "reasonable expenses" to the owner of network communications.

Does the Patriot Act Require Data Preservation?

  • No, not proactively.
  • But, if served with a warrant or subpoena, that authorization may require the preservation of the data which it specifies and for as long as 180 days.

ECPA Section 2703 Amended by Patriot Act

  • Section 220 creates "nationwide service for search warrants for electronic evidence."
    • Creates a "national subpoena" obtainable from magistrates in federal district courts which can be extended to any other jurisdiction
    • i.e., if the FBI in Washington wants something in California, it can apply for a warrant in Washington federal court and have it apply to California; it does not specifically need to go to California federal court to obtain the warrant

ECPA Section 2702 Amended by Patriot Act

  • Section 212 of Patriot Act: Voluntary Emergency disclosure of electronic communications
    • A provider of remote computing service or electronic communications service to the public shall not knowingly divulge a record or other information pertaining to a subscriber or to a customer of such service, EXCEPT
    • If a provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of the information without delay...
    • Provider can disclose to virtually "anyone" under this exception

Purpose of an Emergency Disclosure...

  • To respond to an emergency!
  • To disclose to anyone incident to the emergency
    • Law enforcement
    • Intended victim
    • The guy sitting next to you!
  • Query: Where emergency is perceived but not real, and disclosures are made
    • Histrionic lover in an extra-marital affair example?

What Cornell IT Policy has done...

OFFICE OF CORNELL INFORMATION TECHNOLOGIES
PROCEDURE AND PROTOCOLS
UNDER THE "USA-PATRIOT ACT"
EXCEPTIONS TO THE ELECTRONIC
COMMUNICATIONS PRIVACY ACT

What Cornell has done...

  • Should you, in the course of business, reasonably believe that you have accessed information about an emergency involving immediate danger of death or serious physical injury, contact the campus police immediately. After contacting the campus police, please report that contact and underlying information immediately to the security coordinator and/or policy advisor of OIT/CIT. If they are unavailable, please contact the vice president of information technologies.

ECPA Section 2703 Amended by Patriot Act

  • Section 212 of Patriot Act: Required disclosure of customer communications or records:
    • To government with appropriate subpoena, court order or letter from Attorney General
    • Telephone connection, session times and duration, subscriber number or identity, including any temporarily assigned network address
    • Government officials may seek stored voice-mail messages without wiretap authorization

Purpose of Required Disclosure Section...

  • To bring the new standards for subpoenas and pen registers to ECPA and in concert with Patriot Act FISA amendments
  • In so doing, alleviate liability for entity releasing information to law enforcement
  • Net: facilitate the exchange of information between government and networks -- private or "to the public."

Required Disclosure Section: Voice Mail 209 Patriot Act/2703

  • Pre-Patriot Act
    • Obtainable only through highest level of court order corresponding to transmission (real time) of communications
      • Like telephone wiretap order
  • Post Patriot
    • Now obtainable like any e-mail
      • Still with court order, but lower standard

What Cornell has done...

  • Should an individual or individuals representing themselves as law enforcement agents approach you and ask you to provide the content of electronic communication or any information about users of or traffic on the Cornell network with or without any form of written authorization, do not disclose any information. Contact either the OIT/CIT security coordinator or the policy advisor. If they are unavailable, please contact the vice president of information technologies. OIT will make the necessary communication to Counsel's Office.

ECPA Section 2510 Amended by Patriot Act

  • Section 217 (1) of Patriot Act: Computer Trespass
    • (A) person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through, or from the protected computer
    • (B) does not include a person known by the owner or operator of the protected computer to have an existing contractual relationship with the owner or operator of the protected computer for access to all or part of the protected computer

ECPA Section 2511(2) Amended by Patriot Act

  • Section 217 (2) of Patriot Act:
    • (i) It shall not be unlawful under this chapter for a person acting under color of law to intercept the wire or electronic communications of a computer trespasser transmitted to, through, or from the protected computer...
    • If --
      • Owner/operator "authorizes"
      • Owner/operator acts "under color of law" (when a person acts or purports to act in the performance of official duties under any law, ordinance or regulation) and lawfully engaged in investigation
      • Owner/operator has "reasonable grounds" to believe information is relevant to an investigation
      • Owner/operator acquires only trespass communications, and no others.

Nota Bene!

  • Sections 210, 212, 217 (1) and (2) of the Patriot Act that amend sections 2510, 2511, 2702 and 2703 of the Electronic Communications Privacy Act have nothing to do with terrorism per se -- no particular motive or citizenship or immigration status is required to make it actionable.
  • These new provisions reinforce criminal sanctions against "hacking" under Title 18, section 1030.
    • Criminal offense with criminal sanctions
    • Hackers face civil liability with damages beginning at $5,000
    • Internet has made a "protected computer" ubiquitous rather than unique

What is Purpose of New Computer Trespass

  • Sections 217(1) and (2) simply relieve owners and operators of protected computers of potential ECPA liability for their investigations and/or disclosures under certain circumstances.
  • Facilitate communications between networks -- private and public -- and federal law enforcement

So What is the Worry?

  • Autonomy of higher education to maintain its networks
    • The "router" and the FBI story
  • Fine line between requesting and inquiry?
    • IP hopping or rogue scans as sign
    • Helpful call from federal law enforcement
    • Diminution of Fourth Amendment:
      • No "probable cause"
      • No "judicial oversight"
      • No "reasonable expectation of privacy" means no exclusionary rule in court

What Cornell Has Done...

  • Any member of OIT/CIT who knows or believes that their system or systems have been compromised by a computer trespasser and who would like to have federal law enforcement investigate the matter, should first report this request to either the OIT/CIT security coordinator or policy advisor who will decide whether to contact law enforcement.

Small Consolation

  • Sunset Provisions:
    • Emergency segments of the ECPA will expire without further congressional action after four years.
    • It took only a matter of weeks to enact this legislation.
    • If Congress wants to extend, it easily can do so in the future
    • Whether colleges and universities care will depend on how the politics between them and law enforcement/government over these provisions play out over time.

Areas of Potential Abuse and/or Concern

  • Constitutional
    • First Amendment; speech
    • Fourth, Fifth and Sixth criminal procedure
    • Separation of powers (agencies as 4th branch)
  • Privacy
    • Colleges/University Autonomy
    • FISA "business records"
    • FERPA new exception
    • ECPA disclosures
  • Federalism
    • National service
  • Case law definitions
    • "Public"
    • "Emergency"
    • "Color of law"
    • "Network Addresses," "Routing," "Customer Information"
  • Deputized "Owner"
    • Computer Trespass
    • Policy and Procedure

What Must Be Done?

  • Work together to address crime and terrorism
  • Maintain free speech and inquiry
  • Hold forth on our constitutional protections
  • Import that sensibility of constitutional protections and due process into internal policies and procedures
  • Watch and react politically depending on how this legislation makes its way into the daily life of American society

What Must Be Done: Proactively...

OFFICE OF CORNELL INFORMATION TECHNOLOGIES PROCEDURE AND PROTOCOLS UNDER THE "USA-PATRIOT ACT" EXCEPTIONS TO THE ELECTRONIC COMMUNICATIONS PRIVACY ACT

www.cit.cornell.edu/policies/esurveillance

Conclusion

Where angels have feared to tread, let not fools rush in...
