Portal de Periódicos da CAPES

Information and the War Against Terrorism Part III: New Information‐Related Laws and the Impact on Civil Liberties

2002; Association for Information Science and Technology; Volume: 28; Issue: 3 Linguagem: Inglês

10.1002/bult.238

2163-4289

Lee S. Strickland,

Information and Cyber Security

In the first article of this series (Bulletin of the American Society for Information Science and Technology, December/January 2002) we considered information and information network theory as the primary offensive war tools in the war against terrorism. In the second part (in this issue of the Bulletin), we addressed the critical question whether American intelligence and law enforcement, with their information collection, exploitation and use responsibilities, were positioned to protect the public. We answered that question in part by highlighting a number of deficiencies in the law and its execution. Here we continue that answer by surveying the newly enacted information-related laws – the USA Patriot Act of 2001 – and their impact on our civil liberties. In a subsequent article we will continue with consideration of new security processes – from the use of military tribunals to new frontiers for citizen surveillance. In doing so, we will assess at every juncture the balance between security and freedom and the interplay with technology. As we shall see, many of the criticisms raised to date take the form of an emotional antipathy toward any intrusion, especially those based on technology. I submit, however, that properly and legally managed technology may actually enhance both our privacy and our cherished concept of equality before the law. Free of bias, it may not subject us to personal embarrassment or opprobrium in public – as may a human agent of the state. Do we prefer a high technology scan of our person or the physical pat-down? If we understand these benefits, it then becomes somewhat clearer that it is not just the collection of information that should be of concern, rather its maintenance, dissemination and collation with other public and commercial information – hence uses for other purposes – that should be of paramount importance. The terrorism of September 11 posed in graphic terms the question of what legal structure is required to further our security – balanced against, of course, the impact upon our civil liberties and privacy rights. The unarguable fact in this electronic age is that very little happens in isolation and without electronic evidence. But acquiring that informational record can be difficult as information technology advances more quickly than the law. Likewise, effectively using that information can be difficult given bureaucratic borders and the risk of compromising the human or technical source. It is exactly such problems that led to the proposed and recently enacted USA Patriot Act of 2001 (often referenced as the Anti-Terrorism Act of 2001) as well as certain other proposals for future consideration. We will consider these legal issues in three broad information-related areas: expanded acquisition of electronic communications in law enforcement cases as well as sharing of law enforcement information with intelligence; expanded acquisition of electronic communications as well as business records in intelligence cases; and expanded access to other forms of terrorist information and assets. In doing so we must remain mindful of the important fact that U.S. law distinguishes between domestic criminal law enforcement activity and foreign counter-intelligence and counter-terrorism activity. As we shall see, this enhances in one manner the Constitutional freedoms of American citizens but, in another manner, sets roadblocks in the path of protecting the United States from external threats. The Electronic Communications Privacy Act (ECPA) regulates the collection of electronic communications information in the context of criminal law enforcement investigations. Enacted as amendments to the original wiretapping law passed in 1968 (often referred to as Title III), it has a four-tier approach to acquiring a very broad range of electronic communications information. (For details, see the ECPA box accompanying this text.) The USA Patriot Act makes a number of changes in this scheme, most of which accommodate advances in technology or remove inconsistencies in the protection of information based on its particular format. It expands the authority for issuance of intercept orders to crimes related to terrorism and computer fraud; facilitates the current roving wiretap authority by allowing search warrants for stored messages (e-mail and voice) and court orders for transactional records (e.g., "pen register") to be valid everywhere in the nation, issued by any court with jurisdiction over the offense, and without naming specific common carriers – all vitally necessary in this increasingly mobile society; broadens the scope of orders for transactional records to include any form of electronic communication (e.g., e-mail or web surfing) not just telephone communications; allows stored voice mail messages to be acquired by the slightly easier search warrant process, thus harmonizing the law for stored voice mail and stored e-mail; broadens slightly the scope of the subpoena authority for subscriber information by allowing for access to payment and type of service information rather than merely current name and address; makes the rules for cable company service providers the same as for all other Internet service providers (ISPs) and provides immunity for all ISPs when acting in good faith reliance on government orders of any type; changes the rules on dissemination of criminal investigation information by allowing automatic information sharing with intelligence; the reverse takes place now under existing law; and if requested, provides for assistance to ISPs or businesses under computer attack (but only where a person is the trespasser and not in an existing contractual arrangement); also allows voluntary disclosure of the content of messages and subscriber data where immediate danger is presented. The ECPA The specific legal rules for criminal law enforcementare as follows: An intercept order requires greater showing than a regular search warrant and must be authorized by the most senior levels of the Department of Justice. It applies to any real time transmission – voice or data – and, until the Patriot Act, voice mail. It may be used only for specific crimes such as murder, espionage, treason, kidnapping, bribery, narcotics and racketeering. And then it may be used only when normal investigative techniques for obtaining the information have or are likely to fail or are too dangerous, and only if the intercept is conducted in a manner to ensure that the intrusion is minimized. The intercept order has two parts – one authorizing the law enforcement agency to conduct the intercept and the other to a service provider to provide necessary assistance. A traditional search warrant is used for stored electronic communications such as unretrieved e-mail at a service provider and now voice mail. This requires a determination by a federal judge that probable cause exists to believe that a crime has been committed and that the information sought is material to that offense. Of course, a general search warrant, outside of the ECPA, may be used to seize any tangible thing or search premises for evidence. Note that a search warrant is executed immediately by law enforcement officers with or without one's cooperation. Less difficult yet is a court order to obtain transactional records. Such orders must be granted automatically if the government certifies that there are " ... reasonable grounds to believe data is relevant to ongoing criminal investigation." Such records take three forms. The first is "pen register" information, which comes from devices that record the telephone number dialed by the subject. The second is "trap and trace" information, which comes from devices that identify an incoming telephone number. The third (added by the Patriot Act) is "routing and address" information, which is extracted from electronic communications and consists of relevant IP addresses and header (to and from) data. Note that a court order requires one to produce records and is thus substantially less intrusive than a search warrant. Least difficult of all is an administrative subpoena that is issued by the government itself, without judicial assistance, to obtain information identifying the subscriber. This is also termed a grand jury subpoena. As is evident in my judgment, these changes are in large part logical refinements of the law and, in the case of sharing between law enforcement and intelligence, required as a matter of common sense. Why should intelligence be barred from tracking leads which exist by virtue of a lawful criminal investigation? To do otherwise would simply invite another surprise attack. There is, however, controversy regarding several of the amendments. Some concerns are as follows: Whether the pen/trap provision includes header information in e-mail transactions and web surfing that implicitly reveals content. The Department of Justice has confirmed that this authority would not be used in that manner – that neither subject lines in e-mail, nor web surfing addresses beyond the high-level domain name corresponding to an IP address, would be acquired. What the provider's obligation is with respect to such information, for instance that of a library. There is general agreement that the Patriot Act neither requires a provider to change current data retention practices nor reconfigure the system if presented with a court order. That said, it should be noted that the FBI could insist on deployment of their Carnivore system if the provider could not comply. Whether the provision for ISPs to request law enforcement assistance could provide entrée if law enforcement were to suggest to providers that assistance is needed. Remember, this provision can only be invoked the provider. Also under the assistance provision, who is or is not in a contractual relationship with the provider since the inquiry can only be directed against a person not in such a relationship. Is the patron with an implicit agreement to the library's Acceptable Use Policy such a person? This open question requires more attention. Whether the secrecy provision that allows a court to delay immediate notification of the execution of any order if it would have an adverse result as established by a specific government showing is an unwarranted infringement of existing protections. In point of fact this authority is consistent with established case law in the various courts of appeal and is not a substantial change in individual rights. The Foreign Intelligence Surveillance Act of 1978 (FISA) regulates (a) the acquisition of electronic information, (b) physical searches and (c) access to certain types of business records for national security counter-intelligence or counter-terrorism purposes in the United States. Heretofore, the focus of the FISA statutory authority was solely counter-intelligence (CI) or counter-terrorism (CT), and it was available only where such reasons are the sole or primary purpose for the warrant. The standard for granting such warrants was a finding of probable cause to believe that the target is a member of a foreign terrorist group or an agent of a foreign power. The issues of single focus (only if solely CI or CT), limitations on scope (only business records from a few types of businesses) and standards for granting orders (proof of linkage to terrorist organization) have presented problems for the government. In sum, they have forced the government into an arbitrary and meaningless distinction between law enforcement and intelligence. Further they have unduly restricted CT and CI investigations to those instances in which an agency relationship could be established between the target and some foreign entity – often a near impossibility in this day of amorphous networks. The USA Patriot Act effected some, but not all, needed changes. It changes the basis for granting intercept orders or search warrants from the sole or primary purpose being counter-terrorism to a "significant" purpose, thus reducing to a degree the conundrum presented previously when a choice had to be made between law enforcement and intelligence. broadens the scope of court orders for the production of business records. Previously limited to common carriers and public accommodations, orders now may be directed to any entity, to any "tangible thing" (previously just technical business records), and with a required showing only of "relevance" to an intelligence or terrorism investigation (previously agent of foreign power requirement). extends the duration of warrants for individual targets from 45 days (agent of foreign power) and 90 days (terrorist) to a full year, the current duration for warrants against foreign establishments. provides for "roving wiretaps" as now exist in the criminal arena – by expanding the scope to any third party who might possess information (for example, any service provider) without the necessity to return to court with new names. makes the standard for "pen register" orders the same as in the criminal arena whereas it had previously and anachronistically been more difficult. These changes in substantial part simply eliminate the inherent conflict between intelligence and law enforcement, mirror previous changes in the generally more restrictive ECPA and bring intelligence practices into conformity with law enforcement practices. However, the authority vis-à-vis business records has generated substantial controversy. It is a significant increase in scope and reduction in judicial oversight from the original 1998 authority where, for the first time, intelligence and terrorism investigations could access a limited scope of records on a showing that the person to whom the records pertain was an agent of a foreign power. Thus, the original authority required a rather specific showing and the exercise of judicial discretion. The Patriot Act amendments, in the views of critics, effectively remove the limitations on scope, mandate automatic judicial issuance on a simple statement by the government of relevance to an investigation, and could result in government seizure of entire databases (rather than business records concerning a given person). In essence, critics argue that the amendments effectively overrule any state or federal law that heretofore protected or insured the privacy of business records. I do not believe this is the likely effect. First, this authority was seldom used in the past. More important is the fact that the most senior government officials must certify relevance under oath. Given this, it is not readily conceivable that a federal judge would issue such a broad order without inquiry into the validity of the relevance certification and substantial details as to how the government would justify the collection of information on persons unrelated to the investigation. Thus, could the government seize entire hard drives and entire banks of e-mail servers? I believe that while it is technically and legally a possibility, it is most doubtful given precedents to date that have invalidated broad, general, non-particularized warrants as well as warrants for seizure of equipment that are not elements of the criminal enterprise. Other Provisions of the Patriot Act Beyond the changes related to the acquisition of information discussed in the text of the article, the Patriot Act has other provisions of note. One allows access to education records of students now protected by the Federal Educational Rights and Privacy Act (FERPA) for both criminal and intelligence investigations. Another will permit Department of State consular officers to have access to U.S. criminal record databases such as the FBI's NCIC. Another will authorize the Secretary of State to share visa records with foreign governments on a broader basis (now only for U.S. law enforcement purposes or pursuant to court order) and both on a one-time and on a negotiated basis. Other changes relate to assets, given that money is the lifeblood of any enterprise. Until the Patriot Act, the United States had less authority to seize assets of terrorists than of drug dealers – only direct proceeds of terrorist acts. Now, for drug dealers and terrorists alike, the United States can seize any assets used to support their activity. In a similar vein, the President now has the authority to confiscate and vest in the United States the property of enemies in undeclared wars (as we have now) as previously existed in times of declared war by Congress. The Patriot Act also strengthens many banking reporting laws but more remains to be done, such as addressing the problems of the Hawalas (the informal, off-the-record international currency laundering businesses). Lastly, the Patriot Act also makes numerous amendments to the U.S. criminal code in terms of new offenses. While a full discussion is beyond the scope of this article, they include, for example, harboring terrorists, possession rather than intended use of weapons of mass destruction, and conspiracy to commit terrorism. Despite these changes for business records, more perhaps remains to be done with respect to traditional intercept and physical search warrants under FISA. It is unclear whether the change to "significant" purpose will reduce the conflicting purposes problem; perhaps "a" purpose would be a more suitable factor. Even more significant is the problem regarding the standard for granting these warrants. Currently, suspicious behavior on the part of an alien with links to the bin Laden organization is insufficient to get a FISA warrant (no probable cause of terrorist membership), much less a criminal warrant (no probable cause of a crime). However, it appears that my arguments here for liberalization of the FISA warrant requirement may be under consideration – the December 2, 2001, issues of the Washington Post and the New York Times have reported that a still-secret proposal to eliminate this restriction has been submitted to Congress at the request of the Senate and House intelligence oversight committees. Other reported, proposed amendments would give intelligence agencies the same authority as the FBI currently has with regard to access to subscriber information for non-U.S. persons living overseas. A sharp legal and political battle may be expected. (For further details, see Other Provisions of the Patriot Act.) As an aside, neither Title III nor FISA has any application to electronic surveillance activities outside the United States. Such activities are controlled by Executive Order 12333 issued by President Reagan in 1982. If a U.S. citizen or permanent resident alien is so targeted, the Executive Order requires the approval of the Attorney General, who, by internal guidelines, must find that there is probable cause to believe that such person is an agent of a foreign power. Decisions to target non-U.S. persons are left to the intelligence community. And the vacuum cleaner approach that does not involve targeting of U.S. persons also requires no approval from outside the intelligence community, although there are limits on the dissemination of information about U.S. persons that is collected "incidental" to an intelligence collection activity. What does this complex world of law enforcement warrants, orders and subpoenas, FISA orders and National Security Letters (see the NSL box) mean for the reader? Quite simply and graphically they highlight the importance of initially and immediately involving your legal counsel whenever government orders are received. Secondarily it mandates the importance of negotiation of the scope and execution of any orders with government law enforcement – generally FBI, U.S. Marshals or the Secret Service. CIA officers never issue any form of process in the United States. Thirdly, it suggests that providers carefully review their data retention practices and their adopted retention schedules. I have found all too often that management is unaware of the full scope of data acquired by their technical staff or that it is maintained at some variance with their schedule. For example, the daily erasing of cache files and circulation records may be illusory if the system is configured to retain logging files that allow the recreation of those records. Lastly, the discussion should caution providers on the importance of good public relations when dealing with such matters. The imbroglios resulting from certain statements by information professionals in the aftermath of September 11 require caution and a continual emphasis that the legal rules we have considered exist to balance individual Constitutional rights and effective law enforcement. When we request compliance it is to ensure that both objectives are met. National Security Letters (NSL) There also exists a little known, FISA-related provision known as the National Security Letter (NSL) authorityin three separate statutes. They are the ECPA (18 USC § 2709) for telephone and electronic communications records, the Right to Financial Privacy Act (RFPA), (12 U.S.C. 3414(a)(5)(A)) for financial records, and the Fair Credit Reporting Act (15 U.S.C. 1681u) for credit records. The NSL authority is essentially the intelligence corollary to the administrative subpoena provisions for criminal investigations. Likewise, § 505 of the USA Patriot Act also modified the provisions by which the Director of the FBI may use this authority from both a showing of relevance and an "agent of a foreign power" to only a certification of relevance to an intelligence or terrorism investigation. More specifically, the ECPA allows for access to subscriber information and toll billing records information, or electronic communication transactional records. The FCRA allows for access to names and addresses of all financial institutions at which a consumer maintains or has maintained an account, and identifying information respecting a consumer – limited to name, address, former addresses, places of employment or former places of employment. And the FCRA data provides the input to the RFPA authority by which the FBI can access an individual's institution-specific banking and credit records. Note that the NSL authority also prohibits any disclosure at any time of the fact that the FBI has sought such information. This is in substantial contrast to the process for warrants and court orders where, even under the new secrecy provisions, there must be disclosure at some point in time. There is an interesting library-related history to the NSL authority. The so-called Bork Bill – the Video Privacy Act of 1988 – was enacted without a library privacy provision because, during the debate, the FBI had requested an NSL exemption to enable them to obtain library records. It was thus believed better to rely on state privacy laws and the traditional requirement for a search warrant. The war against terrorism will be long, and there will be a great political temptation to confuse a tactical victory in the coming weeks with a strategic victory over terrorism and state sponsorship of terrorism in general. If that is the case, the lives lost to date will be in vain. But in holding ourselves to the necessary mission defined by the President, we must be mindful of our important individual roles as citizens in a representative democracy. Civil liberties must not be mindlessly exchanged for temporal security measures. It is thus incumbent upon our political body to understand and join the debate and hopefully reach an appropriate balance. In doing so, it is important to remember that there are no absolutes either in terms of rights or security needs. No amendment to the Constitution is absolute; each, from freedom of speech to prohibitions on government intrusion, has significant limitations. Indeed the words of several of the justices of our Supreme Court about the relationship between security and individual rights are instructive: "It is obvious and unarguable that no governmental interest is more compelling than the security of the Nation [and while] the Constitution protects against invasions of individual rights, it is not a suicide pact." See, Haig v. Agee, 453 U.S. 280 (1981) and cited cased. Finding that reasonable balance is our task. In the next article, we will continue our examination of the legal impact of the events of September to include new security processes and how technology will affect the traditional functions of government and, as with new laws, our Constitutional expectations.