EFF Analysis Of The Provisions Of The USA PATRIOT Act
That Relate To Online Activities (Oct 31, 2001)
On October 26, 2001, President Bush signed the USA Patriot Act (USAPA) into law. With this law we have given sweeping new powers to both domestic law enforcement and international intelligence agencies and have eliminated the checks and balances that previously gave courts the opportunity to ensure that these powers were not abused. Most of these checks and balances were put into place after previous misuse of surveillance powers by these agencies, including the revelation in 1974 that the FBI and foreign intelligence agencies had spied on over 10,000 U.S. citizens, including Martin Luther King.
A Rush Job
The bill is 342 pages long and makes changes, some large and some small, to over 15 different statutes. This document provides explanation and some analysis to the sections of the bill relating to online activities and surveillance. Other sections, including those devoted to money laundering, immigration and providing for the victims of terrorism, are not discussed here.
Yet even just considering the surveillance and online provisions of the USAPA, it is a large and complex law that had over four different names and several versions in the five weeks between the introduction of its first predecessor and its final passage into law. While containing some sections that seem appropriate -- providing for victims of the September 11 attacks, increasing translation facilities and increasing forensic cybercrime capabilities -- it seems clear that the vast majority of the sections included have not been carefully studied by Congress, nor was sufficient time taken to debate it or to hear testimony from experts outside of law enforcement in the fields where it makes major changes. This concern is amplified because several of the key procedural processes applicable to any other proposed laws, including inter-agency review, the normal committee and hearing processes and thorough voting, were suspended for this bill.
Were our Freedoms the Problem?
The civil liberties of ordinary Americans have taken a tremendous blow with this law, especially the right to privacy in our online communications and activities. Yet there is no evidence that our previous civil liberties posed a barrier to the effective tracking or prosecution of terrorists. In fact, in asking for these broad new powers, the government made no showing that the previous powers of law enforcement and intelligence agencies to spy on US citizens were insufficient to allow them to investigate and prosecute acts of terrorism. The process leading to the passage of the bill did little to ease these concerns. To the contrary, they are amplified by the inclusion of so many provisions that, instead of aimed at terrorism, are aimed at nonviolent, domestic computer crime. In addition, although many of the provisions facially appear aimed at terrorism, the Government made no showing that the reasons they failed to detect the planning of the recent attacks or any other terrorist attacks were the civil liberties compromised with the passage of USAPA.
The EFF's chief concerns with the USAPA include:
The EFF urges the following:
I. Expanded Surveillance with Reduced Checks and Balances
A. A Brief, Incomplete Introduction to Electronic Surveillance under US Law.
US law has provided four basic mechanisms for surveillance on people living in the United States: interception orders authorizing the interception of communications; search warrants authorizing the search of physical premises and seizure of tangible things like books or other evidence; "pen register" and "trap-and-trace device" orders (pen/trap orders), which authorize the collection of telephone numbers dialed to and from a particular communications device; and subpoenas compelling the production of tangible things, including records. Each mechanism has its own proof standards and procedures based on the Constitution, statutes, or both.
US law also provides two separate "tracks" with differing proof standards and procedures for each of these mechanisms depending upon whether surveillance is done by domestic law enforcement or foreign intelligence. All of these have been expanded by the USAPA.
For instance, when surveillance is conducted for domestic law enforcement purposes, the probable cause standard of the Fourth Amendment applies to interception orders and search warrants. But a court order compelling an ISP to produce e-mail logs and addresses of past e-mail correspondents uses a lower standard: the government must show specific and articulable facts showing reasonable grounds to believe that the records are relevant and material to an ongoing criminal investigation. A pen/trap order uses an even lower standard: the government need only tell the court that the surveillance is relevant to a criminal investigation. The standard for subpoenas is also very low.
Where foreign intelligence surveillance is concerned, however, the standard of proof and procedures for each mechanism has been different. One key difference is that foreign intelligence surveillance is not based on the concept of criminality. Under the Foreign Intelligence Surveillance Act (FISA), the key issue is whether the intended surveillance target is an "agent of a foreign power" or a "foreign power." Only if the target is a U.S. citizen or permanent resident alien must the government show probable cause of criminality.
Second, FISA allows a secret court to authorize US intelligence agencies to conduct surveillance using each of the four basic mechanisms listed above. For instance, FISA interception orders involving U.S. persons are issued by the secret court based on an application from the Attorney General stating reasons to believe that the surveillance target is an agent of a foreign power or a foreign power, certifying that "the purpose" of the surveillance is to gather foreign intelligence information, and several other facts and representations. The secret court's role here, however, is quite limited: it is not supposed to "second-guess" the government's certifications or representations. (Unsurprisingly, the secret FISA court has only denied one application in its over twenty-year existence.) Moreover, unlike ordinary interception orders, FISA does not require reports to the court about what the surveillance found; no reports of what is being sought or what information is retrieved are ever available to the public. Thus, the secret court's only practical accountability is in a district court when a surveillance target is prosecuted and seeks to suppress the fruits of FISA surveillance.
FISA's requirements are even weaker if the electronic surveillance is directed solely at means of communications used exclusively between or among foreign powers and when it is unlikely that communications to which a U.S. person is a party will be intercepted; in such cases, surveillance may proceed for up to a year without a court order.
Immediately after the September 11 attacks, electronic surveillance was conducted pursuant to FISA orders. There have been no reports that the limitations of FISA power posed any problems for the government.
II. Increased Surveillance Authority
The USAPA removes many of the checks and balances that prevented both police and the foreign intelligence agencies from improperly conducting surveillance on US citizens who are not involved in criminal or terrorist activity. For Internet users, it opens the door for widespread surveillance of web surfing, e-mails and peer to peer systems. In addition, the protections against the misuse of these authorities -- by the foreign intelligence agencies to spy on US citizens and by law enforcement to use foreign intelligence authority to exceed their domestic surveillance authority -- have been greatly reduced.
A. Law enforcement intercept orders (Wiretaps)
Wiretaps (for telephone conversations) can only be issued for certain crimes listed in 18 USC §2516. USAPA adds to this list. This restriction has never applied to interception of electronic communications.
1. Adds Terrorism.
USAPA sec. 201 adds terrorism offenses (Note: this is probably redundant since list already included most if not all terrorist acts --e.g., murder, hijacking, kidnapping, etc.)
2. Adds Computer Fraud and Abuse Act (CFAA), 18 USC §1030.
USAPA sec. 202 adds felony violations of the CFAA (see below for discussion of changes to CFAA).
3. Removes voicemail from Title III purview.
USAPA sec. 209 allows police to get voicemail and other stored wire communications without an intercept order; now, only search warrant needed.
4. Exempts certain interceptions from requirement of judicial authorization
Computer trespassers, see below.
B. Law enforcement search warrants.
1. Single-jurisdiction search warrants for terrorism and for electronic evidence.
In general, search warrants must be obtained within a judicial district for searches in that district. Fed.R.Crim.Pro. 41. USAPA relaxes this rule. USAPA sec. 219 Adds terrorist investigations to the list of items where single-jurisdiction search warrants may be issued. Allows issuance in any district in which activities related to terrorism may have occurred for search of property or person within or outside the district. USAPA sec. 220. Once a judge somewhere approves a warrant for seizing unopened e-mail less than 180 days old, that order can be served on any ISP/OSP or telecommunications company nationwide, without any need that the particular service provider be identified in the warrant.
2. "Sneak-and-peek" warrants greatly expanded.
USAPA sec. 213. Can delay notification for "a reasonable period" and can be "extended for good cause shown" to court for any wire or electronic communication or tangible property. Problematic because notice to a searched person is a key component of Fourth Amendment reasonableness.
C. Law enforcement Pen/Trap orders
Pen/trap orders are issued by a court under a very low standard; USAPA does not change this standard. USAPA instead expands the reach of pen/trap orders.
1. Expressly includes Internet information, e.g., e-mail and Web browsing information.
USAPA sec. 216 modifies 18 USC § 3121(c) to expressly include routing, addressing information, thus expressly including e-mail and electronic communications. "Contents" of communications excluded, but USAPA does not define what it includes (dialing, routing, addressing, signalling information) or what it excludes (contents). Serious questions about treatment of Web "addresses" and other URLs that identify particular content. DOES NOT SUNSET.
Applies to those not named (nationwide). Previously, pen/trap orders limited by court's jurisdiction, so had to be installed in judicial district. Now, court shall enter ex parte order authorizing use anywhere within the US if court has jurisdiction over crime being investigated and attorney for US Government has certified that information "likely to be obtained" is "relevant to an ongoing criminal investigation." Order applies to any provider "whose assistance may facilitate the execution of the order, " whether or not within the jurisdiction of the issuing court. But if entity is not named, may require that US attorney provide written or electronic certification that the order applies to the person or entity being served. DOES NOT SUNSET.
IF government agency uses its own technology (e.g., Carnivore), then and "audit trail" is required, e.g., 30 day report back to court.
No mandate that equipment facilitate surveillance. sec. 222 (prevents CALEA application here).
D. Law enforcement subpoenas (and some court orders) for stored information
1. USAPA sec. 210 amends Electronic Communications Privacy Act (ECPA).
Expands records that can be sought without a court order to include: records of session times and durations, temporarily assigned network addresses; means and source of payments, including any credit card or bank account number.
Allows disclosure of customer records by the service provider on the same basis that it currently allows content.
Expands "emergency" voluntary disclosure to government of both content and customer records if reason to believe immediate danger of death or serious physical injury. Also expands ECPA 2703(d) court-ordered mandatory disclosure to government. USAPA Sec. 212.
2. USAPA sec. 211. Reduction of Privacy for Cable Records.
Previously, the Cable Act had mandated strong privacy protection for customer records of cable providers; USAPA overrides these protections for customer records related to telecommunications services. This is a major change because several courts have already held that these privacy protections don't apply for telecommunications services.
E. Information sharing between law enforcement and intelligence community
Because foreign intelligence surveillance does not require probable cause of criminality and because of the fear that foreign intelligence surveillance aimed at foreign agents would violate the rights of US persons, the law has tried to keep foreign intelligence surveillance (including evidence gained therefrom) separate from law enforcement investigations. USAPA greatly blurs the line of separation between the two.
1. Easier to Use FISA authority for Criminal Investigations.
USAPA Sec. 218 Foreign intelligence gathering now only needs to be "a significant purpose" not "the purpose" (edits to 50 USC § 1804(a)(7)(b), and 1823 (a)(7)(B)). FISA court only looks to see that certifications present and are not "clearly erroneous".
Courts have said that it is not the function of the courts to "second guess" the certifications.
2. Now Can Disclose Formerly Secret Grand Jury Information to Intelligence Services.
USAPA §203(a). Amends Federal Rule of Civil Procedure 6. Grand jury information now can be disclosed to intelligence services when "matters involve foreign intelligence or counterintelligence per 50 USC §401a or foreign intelligence information (defined below)"
3. Foreign Intelligence Information.
New category of information that can be disclosed to foreign intelligence agents.
Any info, whether or not concerning a US person, that "relates" to the ability of the US to protect against an actual or potential attack, sabotage or international terrorism or clandestine intelligence activities; any info, whether or not concerning a US Person, that "relates" to the national defense or security or the conduct of foreign affairs. DOES NOT SUNSET.
4. Disclose Criminal Wiretap Information With Any Government Official, Including Foreign Intelligence Services
Section 203(b) amends 18 USC §2517. Allows disclosure of contents of wiretaps or evidence derived therefrom to any other government t official, including intelligence, national defense and national security, "to the extent such contents include foreign intelligence or counterintelligence or foreign intelligence information (see definition above)
5. General Authority to Disclose
Section 203(d). Notwithstanding other law, lawful for foreign intelligence or counterintelligence or foreign intelligence information (see definition above) to be disclosed to anyone to assist in performance of official duties.
USAPA Sec. 504 also authorizes general coordination between law enforcement and FISA surveillance.
1. Intercept orders: adds "roving wiretap" authority to FISA.
USAPA §206 amends 50 USC §1805. FISA court now may authorize intercepts on any phones or computers that the target may use. The foreign intelligence authorities can require anyone to help them wiretap. Previously they could only serve such orders on common carriers, landlords, or other specified persons. Now they can serve them on anyone and the Order does not have to specify the name of the person required to assist. No requirement that request for authority identify those.
Roving wiretap authority raises serious Fourth Amendment problems because it relaxes the "particularity" requirements of the Warrant Clause. Such authority already exists under Title III. Increases duration of FISA intercept orders. USAPA §207 amends 50 USC §1805(e)(1) concerning surveillance on agents of a foreign power (not US persons) from 90 to 120 days.
2. FISA search warrants
Extend time for surveillance. USAPA §207 amends 50 USC §1824(d) for judicially authorized physical searches to a) 90 days (up from 45), or b) if agent of a foreign power (employee or member of a foreign power but not US persons), 120 days.
3. FISA pen/trap orders
USAPA Sec. 214. Amends 50 USC 1842 and 1843 (emergency) to allow pen/trap orders when they are concerning foreign intelligence information and:
4. FISA subpoenas and similar authorities
Broad authority for compelling business records. Under current law, only records of common carriers, public accommodation facilities, physical storage facilities and vehicle rental facilities can be obtained with a court order.
USAPA 215: Amends 50 USC §1862 to allow application to FISA court for an order to compel the production of any business record from anyone for any investigation to protect against international terrorism or clandestine intelligence activities (but cannot investigate a US person solely for First Amendment activities).
G. Other changes related to surveillance
1. New surveillance of communications "relevant" to computer trespasser investigation
USAPA sec. 217; Changes to 18 USC § 2510. In addition to the three traditional forms of surveillance, the USAPA adds another area where any government employee, not just law enforcement, may conduct content surveillance of US persons. This is when computer owner and operator "authorizes" surveillance and law enforcement agent "has reasonable grounds to believe contents of communication will be relevant" to investigating computer trespass and does not acquire anyone else's communications.
Allows interception of messages suspected of being sent through a computer without "authorization."
2.Civil liability for certain unauthorized disclosures.
USAPA sec. 223. This provision provides a small bit of relief for those who discover that law enforcement or the foreign intelligence authorities have disclosed information about them improperly.
3. Disclosure of Educational Records. amends 20 USC §1232g.
USAPA sec. 507-8.
4. Similarly expands quasi-subpoena power for many other records.
USAPA §505 authorizes issuance of national security letters for certain phone billing records, bank records, credit records on same showing as for FISA pen/trap (but no court order).
III. Changes With Little Relationship to Fighting Terrorism.
The EFF is also deeply dismayed to see that the Attorney General seized upon the legitimate Congressional concern following the September 11, 2001 attacks to pad the USAPA with provisions that have at most, a tangential relationship to preventing terrorism. Instead, they appear targeted at low and mid-level computer defacement and damage cases which, although clearly criminal, are by no means terrorist offenses and have no business being included in this bill.
A. Computer Fraud and Abuse Act (CFAA 18 USC § 1030).
The CFAA provides for civil and criminal liability for acts exceeding the "authority" to access or use a computer connected to the Internet. It is used to prosecute those engaging in computer graffiti, website defacement and more serious computer intrusion and damage. It has also been applied in civil cases to spammers and those sending unwanted bots to gather information from the websites of others. The USAPA makes several changes to this law, none of which seems aimed at preventing or prosecuting terrorist offenses -- which are separately defined and already include the use of computers to commit terrorism . An earlier version of the bill would have made many violations of the statute "terrorist" offenses. After outcry from EFF members and many others, most, but not all see below, of the offenses under §1030 were removed from the "terrorist" definition. However, instead the penalties and scope of §1030 were greatly expanded. The changes include:
"Loss" under the statute now expressly includes time spent responding and assessing damage, restoring data, program, system or information, any revenue lost, cost incurred or other consequential damages. Sec. 814.
B. Computer Crimes under CFAA Defined as "Terrorist Offenses"
As far as the investigation has revealed so far, computer crime played no role in the September 11, 2001 attack or in any previous terrorist attacks suffered by the United states. Computer crime, especially when it results in danger to lives, is a serious offense, the USAPA adds it to the list of "terrorist offenses." Although it is obviously possible that a computer crime in the future could be part of a terrorist offense, the definition of "terrorism" already includes murder, hijacking, kidnapping and similar crimes that would be the result of a "cyberterrorist" attack. Yet without explanation, early versions of the USAPA included even low level computer intrusion and web defacement as "terrorist offenses." The final bill was not so draconian, but still includes the following (among others unrelated to computer crime) as a "terrorist offense" under 18 USC §2332b(g)(5)(B):
Previous 2339A included "training"; statute requires "knowing or intending that they [material support or resources] are to be used in preparation for, or in carrying out, a violation . . .. [of, inter alia, 2332b] -- so this requires knowing or intentional facilitation.
Under 2339A facilitator may be culpable whether or not underlying offense committed; also, scienter does not require "specific intent to commit the underlying action," but only knowledge that "are to be used" for a specified offense -- however, normally this is interepreted to mean that facilitator "aware �that that result is practically certain to follow from his conduct.'" If a facilitator was virtually certain that particular recipients would in fact use the provided resources to commit a terrorist crime, it would be immaterial whether the facilitator knew precisely when or where the criminal conduct would occur. Major First Amendment problem for information otherwise available in the public domain.
IV. Sunset Provisions
USAPA sec. 224. Several of the surveillance portions of the USAPA will expire on December 31, 2005.
The EFF is pleased that at least some of the more severe changes in the surveillance of U.S. persons contained in the USAPA will expire on December 31, 2005 unless renewed by Congress. We are concerned, however, that there is no way for Congress to review how several of these key provisions have been implemented, since there is no reporting requirement to Congress about them and no requirements of reporting even to a judge about several others. Without the necessary information about how these broad new powers have been used, Congress will be unable to evaluate whether they have been needed and how they have been used in order to make an informed decision about whether and how they should continue or whether they should be allowed to expire without renewal.
A. The provisions that expire include:
B. The following provision do not expire:
Please send any questions or comments to firstname.lastname@example.org.