ELECTRONIC FRONTIER FOUNDATION                                 
                                 
                                 
THIS-PAGE NAVIGATION MAP: 
                                           *** LYNX USERS CLICK HERE FOR QUICK NAVIGATION MAP FOR THIS PAGE *** Top of main content of this page Special focus (if any) Main feature Sidebar (if any) Whole-Site Navigation Bar Search/Browse Subscribe to mailing list (Back to top of page)                                                               
WHOLE-SITE NAVIGATION MENU:
  Subscribe to
EFFector Newsletter
 
    
(your e-mail address)

EFF's Privacy Policy
Search:   
 
                                                         
                                                        

EFF Analysis Of The Provisions Of The USA PATRIOT Act

That Relate To Online Activities (Oct 31, 2001)

Introduction

On October 26, 2001, President Bush signed the USA Patriot Act (USAPA) into law. With this law we have given sweeping new powers to both domestic law enforcement and international intelligence agencies and have eliminated the checks and balances that previously gave courts the opportunity to ensure that these powers were not abused. Most of these checks and balances were put into place after previous misuse of surveillance powers by these agencies, including the revelation in 1974 that the FBI and foreign intelligence agencies had spied on over 10,000 U.S. citizens, including Martin Luther King.

A Rush Job

The bill is 342 pages long and makes changes, some large and some small, to over 15 different statutes. This document provides explanation and some analysis to the sections of the bill relating to online activities and surveillance. Other sections, including those devoted to money laundering, immigration and providing for the victims of terrorism, are not discussed here.

Yet even just considering the surveillance and online provisions of the USAPA, it is a large and complex law that had over four different names and several versions in the five weeks between the introduction of its first predecessor and its final passage into law. While containing some sections that seem appropriate -- providing for victims of the September 11 attacks, increasing translation facilities and increasing forensic cybercrime capabilities -- it seems clear that the vast majority of the sections included have not been carefully studied by Congress, nor was sufficient time taken to debate it or to hear testimony from experts outside of law enforcement in the fields where it makes major changes. This concern is amplified because several of the key procedural processes applicable to any other proposed laws, including inter-agency review, the normal committee and hearing processes and thorough voting, were suspended for this bill.

Were our Freedoms the Problem?

The civil liberties of ordinary Americans have taken a tremendous blow with this law, especially the right to privacy in our online communications and activities. Yet there is no evidence that our previous civil liberties posed a barrier to the effective tracking or prosecution of terrorists. In fact, in asking for these broad new powers, the government made no showing that the previous powers of law enforcement and intelligence agencies to spy on US citizens were insufficient to allow them to investigate and prosecute acts of terrorism. The process leading to the passage of the bill did little to ease these concerns. To the contrary, they are amplified by the inclusion of so many provisions that, instead of aimed at terrorism, are aimed at nonviolent, domestic computer crime. In addition, although many of the provisions facially appear aimed at terrorism, the Government made no showing that the reasons they failed to detect the planning of the recent attacks or any other terrorist attacks were the civil liberties compromised with the passage of USAPA.

Executive Summary

Chief Concerns

The EFF's chief concerns with the USAPA include:

  1. Expanded Surveillance With Reduced Checks and Balances. USAPA expands all four traditional tools of surveillance -- wiretaps, search warrants, pen/trap orders and subpoenas. Their counterparts under the Foreign Intelligence Surveillance Act (FISA) that allow spying in the U.S. by foreign intelligence agencies have similarly been expanded. This means:
    1. Be careful what you put in that Google search. The government may now spy on web surfing of innocent Americans, including terms entered into search engines, by merely telling a judge anywhere in the U.S. that the spying could lead to information that is "relevant" to an ongoing criminal investigation. The person spied on does not have to be the target of the investigation. This application must be granted and the government is not obligated to report to the court or tell the person spied up what it has done.
    2. Nationwide roving wiretaps. FBI and CIA can now go from phone to phone, computer to computer without demonstrating that each is even being used by a suspect or target of an order. The government may now serve a single wiretap, FISA wiretap or pen/trap order on any person or entity nationwide, regardless of whether that person or entity is named in the order. The government need not make any showing to a court that the particular information or communication to be acquired is relevant to a criminal investigation. In the pen/trap or FISA situations, they do not even have to report where they served the order or what information they received. The EFF believes that the opportunities for abuse of these broad new powers are immense. For pen/trap orders, ISPs or others who are not named in the do have authority under the law to request certification from the Attorney General's office that the order applies to them, but they do not have the authority to request such confirmation from a court.
    3. ISPs hand over more user information. The law makes two changes to increase how much information the government may obtain about users from their ISPs or others who handle or store their online communications. First it allows ISPs to voluntarily hand over all "non-content" information to law enforcement with no need for any court order or subpoena. sec. 212. Second, it expands the records that the government may seek with a simple subpoena (no court review required) to include records of session times and durations, temporarily assigned network (I.P.) addresses; means and source of payments, including credit card or bank account numbers. secs. 210, 211.
    4. New definitions of terrorism expand scope of surveillance. One new definition of terrorism and three expansions of previous terms also expand the scope of surveillance. They are 1) § 802 definition of "domestic terrorism" (amending 18 USC §2331), which raises concerns about legitimate protest activity resulting in conviction on terrorism charges, especially if violence erupts; adds to 3 existing definition of terrorism (int'l terrorism per 18 USC §2331, terrorism transcending national borders per 18 USC §2332b, and federal terrorism per amended 18 USC §2332b(g)(5)(B)). These new definitions also expose more people to surveillance (and potential "harboring" and "material support" liability, §§ 803, 805).
  2. Overbreadth with a lock of focus on terrorism. Several provisions of the USAPA have no apparent connection to preventing terrorism. These include:
    1. Government spying on suspected computer trespassers with no need for court order. Sec. 217.
    2. Adding samples to DNA database for those convicted of "any crime of violence." Sec. 503. The provision adds collection of DNA for terrorists, but then inexplicably also adds collection for the broad, non-terrorist category of "any crime of violence."
    3. Wiretaps now allowed for suspected violations of the Computer Fraud and Abuse Act. This includes anyone suspected of "exceeding the authority" of a computer used in interstate commerce, causing over $5000 worth of combined damage.
    4. Dramatic increases to the scope and penalties of the Computer Fraud and Abuse Act. This includes: 1) raising the maximum penalty for violations to 10 years (from 5) for a first offense and 20 years (from 10) for a second offense; 2) ensuring that violators only need to intend to cause damage generally, not intend to cause damage or other specified harm over the $5,000 statutory damage threshold; 3) allows aggregation of damages to different computers over a year to reach the $5,000 threshold; 4) enhance punishment for violations involving any (not just $5,000) damage to a government computer involved in criminal justice or the military; 5) include damage to foreign computers involved in US interstate commerce; 6) include state law offenses as priors for sentencing; 7) expand definition of loss to expressly include time spent investigating, responding, for damage assessment and for restoration.
  3. Allows Americans to be More Easily Spied Upon by US Foreign Intelligence Agencies. Just as the domestic law enforcement surveillance powers have expanded, the corollary powers under the Foreign Intelligence Surveillance Act have also been greatly expanded, including:
    1. General Expansion of FISA Authority. FISA authority to spy on Americans or foreign persons in the US (and those who communicate with them) increased from situations where the suspicion that the person is the agent of a foreign government is "the" purpose of the surveillance to anytime that this is "a significant purpose" of the surveillance.
    2. Increased information sharing between domestic law enforcement and intelligence. This is a partial repeal of the wall put up in the 1970s after the discovery that the FBI and CIA had been conducting investigations on over half a million Americans during the McCarthy era and afterwards, including the pervasive surveillance of Martin Luther King in the 1960s. It allows wiretap results and grand jury information and other information collected in a criminal case to be disclosed to the intelligence agencies when the information constitutes foreign intelligence or foreign intelligence information, the latter being a broad new category created by this law.
    3. FISA detour around federal domestic surveillance limitations; domestic detour around FISA limitations. Domestic surveillance limits can be skirted by the Attorney General, for instance, by obtaining a FISA wiretap against a US person where "probable cause" does not exist, but when the person is suspected to be an agent of a foreign government. The information can then be shared with the FBI. The reverse is also true.

Future Actions

The EFF urges the following:

  1. That law enforcement and the intelligence agencies will use these new powers carefully and limit their use to bona fide investigations into acts of terrorism.
  2. That if these laws are misused to spy on innocent people, that the courts will appropriately punish those who misuse them and that Congress will reexamine its decision to grant such broad, unchecked powers.
  3. That if these laws are misused to harm the rights of ordinary Americans involved in low level crimes unrelated to terrorism, the courts will refuse to allow evidence collected through use of these broad powers to be used in prosecuting them.
  4. That the many vague, undefined terms in the USAPA will be defined in favor of protecting civil liberties and privacy of Americans. These include:
    • the definition of "content" of e-mails which cannot be retrieved without a warrant.
    • the definition of "without authority" in the computer trespass statute to include only those who have intentionally broken into computers that they have no relationship with, including educational institutions and other organizations that may not have formal "contractual" relationships with users.
  5. That ISPs and others served with "roving" wiretaps and other Orders that do not specify them will require that the Attorney General give them certification that the order properly applies to them.
  6. That Congress will require the law enforcement and intelligence agencies who operate under provisions of the USAPA that are set to expire in December, 2005, to provide them with comprehensive reports about their use of these new powers to enable Congress to reasonably determine whether these provisions should be renewed. (see related EFF statement)

I. Expanded Surveillance with Reduced Checks and Balances

A. A Brief, Incomplete Introduction to Electronic Surveillance under US Law.

US law has provided four basic mechanisms for surveillance on people living in the United States: interception orders authorizing the interception of communications; search warrants authorizing the search of physical premises and seizure of tangible things like books or other evidence; "pen register" and "trap-and-trace device" orders (pen/trap orders), which authorize the collection of telephone numbers dialed to and from a particular communications device; and subpoenas compelling the production of tangible things, including records. Each mechanism has its own proof standards and procedures based on the Constitution, statutes, or both.

US law also provides two separate "tracks" with differing proof standards and procedures for each of these mechanisms depending upon whether surveillance is done by domestic law enforcement or foreign intelligence. All of these have been expanded by the USAPA.

For instance, when surveillance is conducted for domestic law enforcement purposes, the probable cause standard of the Fourth Amendment applies to interception orders and search warrants. But a court order compelling an ISP to produce e-mail logs and addresses of past e-mail correspondents uses a lower standard: the government must show specific and articulable facts showing reasonable grounds to believe that the records are relevant and material to an ongoing criminal investigation. A pen/trap order uses an even lower standard: the government need only tell the court that the surveillance is relevant to a criminal investigation. The standard for subpoenas is also very low.

Where foreign intelligence surveillance is concerned, however, the standard of proof and procedures for each mechanism has been different. One key difference is that foreign intelligence surveillance is not based on the concept of criminality. Under the Foreign Intelligence Surveillance Act (FISA), the key issue is whether the intended surveillance target is an "agent of a foreign power" or a "foreign power." Only if the target is a U.S. citizen or permanent resident alien must the government show probable cause of criminality.

Second, FISA allows a secret court to authorize US intelligence agencies to conduct surveillance using each of the four basic mechanisms listed above. For instance, FISA interception orders involving U.S. persons are issued by the secret court based on an application from the Attorney General stating reasons to believe that the surveillance target is an agent of a foreign power or a foreign power, certifying that "the purpose" of the surveillance is to gather foreign intelligence information, and several other facts and representations. The secret court's role here, however, is quite limited: it is not supposed to "second-guess" the government's certifications or representations. (Unsurprisingly, the secret FISA court has only denied one application in its over twenty-year existence.) Moreover, unlike ordinary interception orders, FISA does not require reports to the court about what the surveillance found; no reports of what is being sought or what information is retrieved are ever available to the public. Thus, the secret court's only practical accountability is in a district court when a surveillance target is prosecuted and seeks to suppress the fruits of FISA surveillance.

FISA's requirements are even weaker if the electronic surveillance is directed solely at means of communications used exclusively between or among foreign powers and when it is unlikely that communications to which a U.S. person is a party will be intercepted; in such cases, surveillance may proceed for up to a year without a court order.

Immediately after the September 11 attacks, electronic surveillance was conducted pursuant to FISA orders. There have been no reports that the limitations of FISA power posed any problems for the government.

Domestic Law Enforcement Foreign Intelligence Surveillance

1. Intercept Orders.

Title III (named after the section of the original legislation, the Omnibus Crime Control and Safe Streets Act of 1968) surveillance is a traditional wiretap that allows the police to bug rooms, listen to telephone conversations, or get content of electronic communications in real time.

  • Obtained after law enforcement makes a showing to a court that there is "probable cause" to believe that the target of the surveillance committed one of a special list of severe crimes.
  • Law enforcement must report back to the court what it discovers.
  • Up to 30 days; must go back to court for 30-day extensions

(Courts do not treat unopened e-mail at ISPs as real-time communications.)

1. FISA Intercept Orders.

  • Secret Court. No public information about what surveillance requested or what surveillance actually occurs, except for a raw annual report of number of requests made and number granted (the secret court has only refused one request)
  • Previous standard was certification by Attorney General that "the purpose" of an order is a suspicion that the target is a foreign power or an agent of a foreign power.
  • Attorney General is not required to report to the court what it does.
  • Up to 90 days, or 1 year (if foreign power)

2. Pen/Trap.

Pen/Trap surveillance was based upon the physical wiring of the telephone system. It allowed law enforcement to obtain the telephone numbers of all calls made to or from a specific phone.

  • Allowed upon a "certification" to the court that the information is relevant to an ongoing criminal investigation.
  • Court must grant if proper application made
  • Does not require that the target be a suspect in that investigation and law enforcement is not required to report back to the court.

Prior to USAPA there had been debate about how this authority is to be applied in the Internet context.

2. FISA Pen/Trap.

Previous FISA pen/trap law required not only showing of relevance but also showing that the communications device had been used to contact an "agent of a foreign power."

While this exceeds the showing under the ordinary pen/trap statute, such a showing had function of protecting US persons against FISA pen/trap surveillance.

3. Physical search warrants

Judicial finding of probable cause of criminality; return on warrant. Previously, agents were required at the time of the search or soon thereafter to notify person whose premises were searched that search occurred, usually by leaving copy of warrant. USAPA makes it easier to obtain surreptitious or "sneak-and-peek" warrants under which notice can be delayed.

3. FISA Physical search warrants

See FISA 50 USC § 1822. USAPA extends duration of physical searches.

Under previous FISA, Attorney General (without court order) could authorize physical searches for up to one year of premises used exclusively by a foreign power if unlikely that US person will be searched; minimization required. A.G. could authorize such searches up to 45 days after judicial finding of probable cause that US target is or is an agent of a foreign power; minimization required, and investigation may not be based solely on First Amendment-protected activities.

4. Subpoenas for stored information.

Many statutes authorize subpoenas; grand juries may issue subpoenas as well. EFF's main concern here has been for stored electronic information, both e-mail communications and subscriber or transactional records held by ISPs. Subpoenas in this area are governed by the Electronic Communications Privacy Act (ECPA).

4. FISA subpoenas

Previously, FISA authorized collection of business records in very limited situations, mainly records relating to common carriers, vehicles or travel, and only via court order.

USAPA permits all "tangible things," including business records, to be obtained via a subpoena (no court order).

Domestic Law Enforcement Foreign Intelligence Surveillance

II. Increased Surveillance Authority

The USAPA removes many of the checks and balances that prevented both police and the foreign intelligence agencies from improperly conducting surveillance on US citizens who are not involved in criminal or terrorist activity. For Internet users, it opens the door for widespread surveillance of web surfing, e-mails and peer to peer systems. In addition, the protections against the misuse of these authorities -- by the foreign intelligence agencies to spy on US citizens and by law enforcement to use foreign intelligence authority to exceed their domestic surveillance authority -- have been greatly reduced.

A. Law enforcement intercept orders (Wiretaps)

Wiretaps (for telephone conversations) can only be issued for certain crimes listed in 18 USC §2516. USAPA adds to this list. This restriction has never applied to interception of electronic communications.

1. Adds Terrorism.

USAPA sec. 201 adds terrorism offenses (Note: this is probably redundant since list already included most if not all terrorist acts --e.g., murder, hijacking, kidnapping, etc.)

2. Adds Computer Fraud and Abuse Act (CFAA), 18 USC §1030.

USAPA sec. 202 adds felony violations of the CFAA (see below for discussion of changes to CFAA).

3. Removes voicemail from Title III purview.

USAPA sec. 209 allows police to get voicemail and other stored wire communications without an intercept order; now, only search warrant needed.

4. Exempts certain interceptions from requirement of judicial authorization

Computer trespassers, see below.

B. Law enforcement search warrants.

1. Single-jurisdiction search warrants for terrorism and for electronic evidence.

In general, search warrants must be obtained within a judicial district for searches in that district. Fed.R.Crim.Pro. 41. USAPA relaxes this rule. USAPA sec. 219 Adds terrorist investigations to the list of items where single-jurisdiction search warrants may be issued. Allows issuance in any district in which activities related to terrorism may have occurred for search of property or person within or outside the district. USAPA sec. 220. Once a judge somewhere approves a warrant for seizing unopened e-mail less than 180 days old, that order can be served on any ISP/OSP or telecommunications company nationwide, without any need that the particular service provider be identified in the warrant.

2. "Sneak-and-peek" warrants greatly expanded.

USAPA sec. 213. Can delay notification for "a reasonable period" and can be "extended for good cause shown" to court for any wire or electronic communication or tangible property. Problematic because notice to a searched person is a key component of Fourth Amendment reasonableness.

C. Law enforcement Pen/Trap orders

Pen/trap orders are issued by a court under a very low standard; USAPA does not change this standard. USAPA instead expands the reach of pen/trap orders.

1. Expressly includes Internet information, e.g., e-mail and Web browsing information.

USAPA sec. 216 modifies 18 USC § 3121(c) to expressly include routing, addressing information, thus expressly including e-mail and electronic communications. "Contents" of communications excluded, but USAPA does not define what it includes (dialing, routing, addressing, signalling information) or what it excludes (contents). Serious questions about treatment of Web "addresses" and other URLs that identify particular content. DOES NOT SUNSET.

Applies to those not named (nationwide). Previously, pen/trap orders limited by court's jurisdiction, so had to be installed in judicial district. Now, court shall enter ex parte order authorizing use anywhere within the US if court has jurisdiction over crime being investigated and attorney for US Government has certified that information "likely to be obtained" is "relevant to an ongoing criminal investigation." Order applies to any provider "whose assistance may facilitate the execution of the order, " whether or not within the jurisdiction of the issuing court. But if entity is not named, may require that US attorney provide written or electronic certification that the order applies to the person or entity being served. DOES NOT SUNSET.

IF government agency uses its own technology (e.g., Carnivore), then and "audit trail" is required, e.g., 30 day report back to court.

No mandate that equipment facilitate surveillance. sec. 222 (prevents CALEA application here).

D. Law enforcement subpoenas (and some court orders) for stored information

1. USAPA sec. 210 amends Electronic Communications Privacy Act (ECPA).

Expands records that can be sought without a court order to include: records of session times and durations, temporarily assigned network addresses; means and source of payments, including any credit card or bank account number.

Allows disclosure of customer records by the service provider on the same basis that it currently allows content.

Expands "emergency" voluntary disclosure to government of both content and customer records if reason to believe immediate danger of death or serious physical injury. Also expands ECPA 2703(d) court-ordered mandatory disclosure to government. USAPA Sec. 212.

2. USAPA sec. 211. Reduction of Privacy for Cable Records.

Previously, the Cable Act had mandated strong privacy protection for customer records of cable providers; USAPA overrides these protections for customer records related to telecommunications services. This is a major change because several courts have already held that these privacy protections don't apply for telecommunications services.

E. Information sharing between law enforcement and intelligence community

Because foreign intelligence surveillance does not require probable cause of criminality and because of the fear that foreign intelligence surveillance aimed at foreign agents would violate the rights of US persons, the law has tried to keep foreign intelligence surveillance (including evidence gained therefrom) separate from law enforcement investigations. USAPA greatly blurs the line of separation between the two.

1. Easier to Use FISA authority for Criminal Investigations.

USAPA Sec. 218 Foreign intelligence gathering now only needs to be "a significant purpose" not "the purpose" (edits to 50 USC § 1804(a)(7)(b), and 1823 (a)(7)(B)). FISA court only looks to see that certifications present and are not "clearly erroneous".

Courts have said that it is not the function of the courts to "second guess" the certifications.

2. Now Can Disclose Formerly Secret Grand Jury Information to Intelligence Services.

USAPA §203(a). Amends Federal Rule of Civil Procedure 6. Grand jury information now can be disclosed to intelligence services when "matters involve foreign intelligence or counterintelligence per 50 USC §401a or foreign intelligence information (defined below)"

3. Foreign Intelligence Information.

New category of information that can be disclosed to foreign intelligence agents.

Any info, whether or not concerning a US person, that "relates" to the ability of the US to protect against an actual or potential attack, sabotage or international terrorism or clandestine intelligence activities; any info, whether or not concerning a US Person, that "relates" to the national defense or security or the conduct of foreign affairs. DOES NOT SUNSET.

4. Disclose Criminal Wiretap Information With Any Government Official, Including Foreign Intelligence Services

Section 203(b) amends 18 USC §2517. Allows disclosure of contents of wiretaps or evidence derived therefrom to any other government t official, including intelligence, national defense and national security, "to the extent such contents include foreign intelligence or counterintelligence or foreign intelligence information (see definition above)

5. General Authority to Disclose

Section 203(d). Notwithstanding other law, lawful for foreign intelligence or counterintelligence or foreign intelligence information (see definition above) to be disclosed to anyone to assist in performance of official duties.

USAPA Sec. 504 also authorizes general coordination between law enforcement and FISA surveillance.

F. FISA

1. Intercept orders: adds "roving wiretap" authority to FISA.

USAPA §206 amends 50 USC §1805. FISA court now may authorize intercepts on any phones or computers that the target may use. The foreign intelligence authorities can require anyone to help them wiretap. Previously they could only serve such orders on common carriers, landlords, or other specified persons. Now they can serve them on anyone and the Order does not have to specify the name of the person required to assist. No requirement that request for authority identify those.

Roving wiretap authority raises serious Fourth Amendment problems because it relaxes the "particularity" requirements of the Warrant Clause. Such authority already exists under Title III. Increases duration of FISA intercept orders. USAPA §207 amends 50 USC §1805(e)(1) concerning surveillance on agents of a foreign power (not US persons) from 90 to 120 days.

2. FISA search warrants

Extend time for surveillance. USAPA §207 amends 50 USC §1824(d) for judicially authorized physical searches to a) 90 days (up from 45), or b) if agent of a foreign power (employee or member of a foreign power but not US persons), 120 days.

3. FISA pen/trap orders

USAPA Sec. 214. Amends 50 USC 1842 and 1843 (emergency) to allow pen/trap orders when they are concerning foreign intelligence information and:

  1. are not concerning a US person or;
  2. ARE concerning a US person, and to protect against international terrorism or clandestine intelligence activities, provided that such investigation is not conducted solely upon the basis of 1st Amendment activities.
4. FISA subpoenas and similar authorities

Broad authority for compelling business records. Under current law, only records of common carriers, public accommodation facilities, physical storage facilities and vehicle rental facilities can be obtained with a court order.

USAPA 215: Amends 50 USC §1862 to allow application to FISA court for an order to compel the production of any business record from anyone for any investigation to protect against international terrorism or clandestine intelligence activities (but cannot investigate a US person solely for First Amendment activities).

  1. No showing needed that the person is the agent of a foreign power.
  2. Order to a court--MUST be granted if application meets requirements
  3. Order won't say that it is under this section
  4. Persons served by it are gagged
  5. Semiannual list of applications and list granted, denied but no reporting of actual documents seized or their usefulness required to court or to Congress.

G. Other changes related to surveillance

1. New surveillance of communications "relevant" to computer trespasser investigation

USAPA sec. 217; Changes to 18 USC § 2510. In addition to the three traditional forms of surveillance, the USAPA adds another area where any government employee, not just law enforcement, may conduct content surveillance of US persons. This is when computer owner and operator "authorizes" surveillance and law enforcement agent "has reasonable grounds to believe contents of communication will be relevant" to investigating computer trespass and does not acquire anyone else's communications.

Allows interception of messages suspected of being sent through a computer without "authorization."

  1. The term "authorization" is not defined, giving the owner/operator of protected computer and the government agent great discretion.
  2. BUT this does not include someone who is known to have an existing contractual relationship to access all or part of the computer. According to DOJ, ISP customers who send spam in violation of ISP's terms of service would not be trespassers.
2.Civil liability for certain unauthorized disclosures.

USAPA sec. 223. This provision provides a small bit of relief for those who discover that law enforcement or the foreign intelligence authorities have disclosed information about them improperly.

  1. Allows Administrative discipline. Amends 18 USC §§ 2520, 2707
  2. Allows §2712 Civil actions with a $10,000 recovery limit, but only for willful disclosures. [It's a $10K statutory damages minimum ("actual damages, but not less than $10,000, whichever amount is greater")]
3. Disclosure of Educational Records. amends 20 USC §1232g.

USAPA sec. 507-8.

  1. Upon written application to a court (pen/trap standard), the Attorney General may require an educational agency to collect educational records "relevant" to an authorized investigation of a listed terrorist offense or "domestic or international terrorist offense." If application correct, court shall grant. (pen/trap standard)
  2. Same for National Education Statistics Act surveys
4. Similarly expands quasi-subpoena power for many other records.

USAPA §505 authorizes issuance of national security letters for certain phone billing records, bank records, credit records on same showing as for FISA pen/trap (but no court order).

III. Changes With Little Relationship to Fighting Terrorism.

The EFF is also deeply dismayed to see that the Attorney General seized upon the legitimate Congressional concern following the September 11, 2001 attacks to pad the USAPA with provisions that have at most, a tangential relationship to preventing terrorism. Instead, they appear targeted at low and mid-level computer defacement and damage cases which, although clearly criminal, are by no means terrorist offenses and have no business being included in this bill.

A. Computer Fraud and Abuse Act (CFAA 18 USC § 1030).

The CFAA provides for civil and criminal liability for acts exceeding the "authority" to access or use a computer connected to the Internet. It is used to prosecute those engaging in computer graffiti, website defacement and more serious computer intrusion and damage. It has also been applied in civil cases to spammers and those sending unwanted bots to gather information from the websites of others. The USAPA makes several changes to this law, none of which seems aimed at preventing or prosecuting terrorist offenses -- which are separately defined and already include the use of computers to commit terrorism . An earlier version of the bill would have made many violations of the statute "terrorist" offenses. After outcry from EFF members and many others, most, but not all see below, of the offenses under §1030 were removed from the "terrorist" definition. However, instead the penalties and scope of §1030 were greatly expanded. The changes include:

  1. Adds an "attempt to commit an offense" under §1030 to the list of illegal activities with the same penalties as an offense. Sec. 814.
  2. The law now applies if the damage is done to computers outside the US that affect US Interstate commerce. Sec. 814
  3. Includes state court convictions under similar statutes as priors for purposes of a second conviction with increased penalties. Sec. 814.
  4. Increases penalties for violations of the statute. Sec. 814(1)

"Loss" under the statute now expressly includes time spent responding and assessing damage, restoring data, program, system or information, any revenue lost, cost incurred or other consequential damages. Sec. 814.

B. Computer Crimes under CFAA Defined as "Terrorist Offenses"

As far as the investigation has revealed so far, computer crime played no role in the September 11, 2001 attack or in any previous terrorist attacks suffered by the United states. Computer crime, especially when it results in danger to lives, is a serious offense, the USAPA adds it to the list of "terrorist offenses." Although it is obviously possible that a computer crime in the future could be part of a terrorist offense, the definition of "terrorism" already includes murder, hijacking, kidnapping and similar crimes that would be the result of a "cyberterrorist" attack. Yet without explanation, early versions of the USAPA included even low level computer intrusion and web defacement as "terrorist offenses." The final bill was not so draconian, but still includes the following (among others unrelated to computer crime) as a "terrorist offense" under 18 USC §2332b(g)(5)(B):

  1. An act calculated to influence or affect the conduct of government by intimidation or coercion or to retaliate against government conduct (this lsnguage was in existing law AND EITHER
  2. violates 18 USC §1030(a)(1) accessing restricted or classified information on computers that require protection for reasons of national security, national defense or §11(y) of Atomic Energy Act of 1954 with reason to believe could that the information could injure US or advantage a foreign nation, and who willfully communicates the information to one not entitled to it, OR
  3. violates 18 USC §1030(a)(5)(A)(i) resulting in damage that:
    1. causes medical care problem, physical injury, public health or safety, OR
    2. affects computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security.
  4. If an offense is a federal terrorism offense per 18 USC 2332b(g)(5)(B):
    1. RICO procedures apply. Sec. 813. This includes seizure of assets pre-conviction, forfeiture post-conviction and many other procedural provisions previously applicable just to organized crime and the drug war.
    2. 8 year statute of limitation §3286 (sec. 809)
    3. Alternate maximum penalties (sec. 810) 15 year max penalty 810(c)(1) and if death of a person results, for any term or for life.
    4. Included in 803: harboring or concealing terrorists
    5. Included in 805: Material support 18 USC 2339A
    6. 806 Assets: "of any individual, entity or organization engaged in planning or perpetrating any act of domestic or international terrorism" and all assets, "affording any person a source of influence over any such entity or organization."
    7. USAPA sec. 805. Amends 18 USC 2339A. Material support for terrorists now includes "expert advice or assistance"; e.g., biochemist's advice on how to increase lethality of biological agents.

Previous 2339A included "training"; statute requires "knowing or intending that they [material support or resources] are to be used in preparation for, or in carrying out, a violation . . .. [of, inter alia, 2332b] -- so this requires knowing or intentional facilitation.

Under 2339A facilitator may be culpable whether or not underlying offense committed; also, scienter does not require "specific intent to commit the underlying action," but only knowledge that "are to be used" for a specified offense -- however, normally this is interepreted to mean that facilitator "aware ‘that that result is practically certain to follow from his conduct.'" If a facilitator was virtually certain that particular recipients would in fact use the provided resources to commit a terrorist crime, it would be immaterial whether the facilitator knew precisely when or where the criminal conduct would occur. Major First Amendment problem for information otherwise available in the public domain.

IV. Sunset Provisions

USAPA sec. 224. Several of the surveillance portions of the USAPA will expire on December 31, 2005.

The EFF is pleased that at least some of the more severe changes in the surveillance of U.S. persons contained in the USAPA will expire on December 31, 2005 unless renewed by Congress. We are concerned, however, that there is no way for Congress to review how several of these key provisions have been implemented, since there is no reporting requirement to Congress about them and no requirements of reporting even to a judge about several others. Without the necessary information about how these broad new powers have been used, Congress will be unable to evaluate whether they have been needed and how they have been used in order to make an informed decision about whether and how they should continue or whether they should be allowed to expire without renewal.

A. The provisions that expire include:

  • Sec. 201. Authority To Intercept Wire, Oral, And Electronic Communications Relating To Terrorism.
  • Sec. 202. Authority To Intercept Wire, Oral, And Electronic Communications Relating To Computer Fraud And Abuse Offenses.
  • Sec. 203(b), (d). Authority To Share Criminal Investigative Information.
  • Sec. 206. Roving Surveillance Authority Under The Foreign Intelligence Surveillance Act Of 1978.
  • Sec. 207. Duration Of FISA Surveillance Of Non-United States Persons Who Are Agents Of A Foreign Power.
  • Sec. 209. Seizure Of Voice-Mail Messages Pursuant To Warrants.
  • Sec. 212. Emergency Disclosure Of Electronic Communications To Protect Life And Limb.
  • Sec. 214. Pen Register And Trap And Trace Authority Under Fisa.
  • Sec. 215. Access To Records And Other Items Under The Foreign Intelligence Surveillance Act.
  • Sec. 217. Interception Of Computer Trespasser Communications.
  • Sec. 218. Foreign Intelligence Information.
  • Sec. 220. Nationwide Service Of Search Warrants For Electronic Evidence.
  • Sec. 223. Civil Liability For Certain Unauthorized Disclosures.

B. The following provision do not expire:

  • Sec. 203(a),(c): Grand jury sharing of info
  • Sec. 208. Designation Of Judges: increases number of FISA judges
  • Sec. 210: ECPA Scope of Subpoenas for records of electronic communications--clearly allowing e-mails routing information :
  • Sec. 211: ECPA Clarification of scope: privacy provisions of Cable Act overridden for communication services offered by cable providers (but not for records relating to cable viewing)
  • Sec. 213: Sneak & Peek: delay notification of execution of a warrant
  • Sec. 216: Modification of pen/trap authorities: (in original PATRIOT, would have sunsetted)
  • Sec. 219: Single jurisdiction search warrants for terrorism
  • Sec. 222 Assistance to law enforcement
  • Sec. 225. Immunity For Compliance With Fisa Wiretap. Can continue all investigations active at the time of expiration.

Search:   
 

Please send any questions or comments to webmaster@eff.org.