Anti-Terrorism Legislation and Campus Computing
Tracy Mitrano, Cornell
Barbara Simons, Stanford
Rodney Petersen, Maryland
Copyright Tracy Mitrano, Rodney J. Petersen and Barbara Simons, 2001. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Dissecting the Patriot Act for Its Potential Impact on Colleges and Universities
Tracy Mitrano
Policy Advisor
Co-Director of Computer Policy and Law
Cornell University
Patriot Act of 2001
• To deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigatory tools, and for other purposes.
• H.R. 3162. Sponsor: Rep Sensenbrenner, F. James, Jr. (introduced 10/23/2001). Latest Major Action: 10/26/2001 Signed by President
Title I: Enhancing Domestic Security Against Terrorism
• Section 103: Increased funding for the Technical Support Center
– Addition to established funding for section 811 of the Antiterrorism and Effective Death Penalty Act of 1996
– $200,000,000 addition each year for 2002-2004
Title I: Enhancing Domestic Security Against Terrorism
• Section 105: Expansion of National Electronic Crime Task Force Initiative
– Director of US Secret Service shall create national task force on the New York Electronic Crimes Task Force model
– Operate throughout the United States
– For the purpose of “preventing, detecting and investigating various forms of electronic crimes.”
Title II: Enhanced Surveillance Procedures
• Sharing of Information
– Law enforcement with federal agencies
• Obtaining Records
– FERPA
– FISA
– ECPA
• Rewording to Include Electronic Communications
– “routing,” “network addresses,” “signaling”
• Creating New Categories
– Computer Trespass
• Creating New Access
– Rubber Stamp and National Service for Subpoenas
– Deputizing owners and operators of IT
• Creating New Compensations
– FBI compensate ISP
– Civil actions for computer abuse over $5,000.
Section 203: Sharing of Sensitive Information
• Information gathered in criminal investigations by law enforcement agencies can be shared with federal intelligence services including INS, SS, CIA and FBI
– “Criminal investigations” balanced against “unauthorized disclosure”
– Includes telephone and Internet interceptions
– Startling to Americans because of 1970’s Church Committee revelations about CHAOS and the violations of the CIA’s statutory provisions in its charter toward Vietnam anti-war protesters
Obtaining Records: Implications for Higher Education
• FERPA – Family Education Rights and Privacy Act
• FISA – Foreign Intelligence Surveillance Act
• ECPA – Electronic Communications Privacy Act
Family Education Rights and Privacy Act
• Patriot Act amends to permit educational institutions to disclose educational records to federal law enforcement officials without student consent:
– If a U.S. Assistant Attorney General, or similarly ranked official, obtains a court order relevant to terrorism investigation
– Institution is not liable, and need not maintain a record of the transaction
– Distinct from the “health and safety” already existing exception
Ancillary to FERPA
• National Center for Education Statistics
– Federal officials can have access to survey information, which is otherwise held confidential
• Monitoring of Foreign Students
– Full implementation of existing Immigration and Naturalization Service law regarding information about students
Foreign Intelligence Surveillance Act
• Judicial “Rubber-Stamping” of subpoenas
– Common language affecting both FISA and ECPA
• Extensive use of “Pen Registers” and other surveillance techniques for the electronic media
– Common language affecting both FISA and ECPA
– Rewording of language to include electronic media such as “routing,” “network addresses” and “wire or electronic communication”
– No subpoena for recorded voice messages
Foreign Intelligence Surveillance Act
• Business Records
– FBI can seize with a court order certain business records pursuant to a terrorism or intelligence investigation
– Prohibits record keeper disclosure of FBI action
Access: ECPA Sections 2702 and 2703 Amended
• Section 210 and 216 of Patriot Act
– Like FISA pen register, expands scope of subpoena to cover electronic communications
    • With non-disclosure provisions and congressional oversight
• Section 222 provides for “reasonable compensation” for “reasonable expenses” to owner of network communications
– Observers have raised questions about specificity of language and interpretation:
    • Routing (addresses) or content (urls) not clear
Access: ECPA Sections and 2703 Amended
Section 220 creates “nationwide service for search warrants for electronic evidence.”
– Creates a “national subpoena” obtainable from magistrates in federal district courts which can be extended to any other jurisdiction
– i.e., if the FBI in Washington wants something in California, it can apply for a warrant in Washington federal court and have it apply to California; it does not specifically need to go to California federal court to obtain the warrant
Access: ECPA Section 2702 Amended
• Section 212 of Patriot Act: Voluntary Emergency disclosure of electronic communications
– (3) a provider of remote computing service or electronic communications service to the public shall not knowingly divulge a record or other information pertaining to a subscriber or to a customer of such service, EXCEPT
Exceptions to Section 212 Privilege
• (C) If a provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of the information without delay…
• Additional exceptions include: customer consent; necessary operations personnel; provider property protection, to a government entity and (mysteriously) any person “other than a government entity.”
Access: ECPA Section 2703 Amended
• Section 212 of Patriot Act: Required disclosure of customer communications or records:
– To government with appropriate subpoena, court order or letter from Attorney General (already existing “hostile nation provision” with its own requirements)
    • Telephone connection, session times and duration, subscriber number or identity, including any temporarily assigned network address
– Government officials may seek stored voice-mail messages without wiretap authorization
Access: ECPA Section 2510 Amended
• Section 217 (1) of Patriot Act: Computer Trespass
– (A) person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through, or from the protected computer
– (B) does not include a person known by the owner or operator of the protected computer to have an existing contractual relationship with the owner or operator of the protected computer for access to all or part of the protected computer
Access: ECPA Section 2511(2) Amended
• Section 217 (2) of Patriot Act:
– (i) It shall not be unlawful under this chapter for a person acting under color of law to intercept the wire or electronic communications of a computer trespasser transmitted to, through, or from the protected computer…
Access: ECPA Section 2511(2) Amended
• Section 217 (2) of Patriot Act:
– If –
    • Owner/operator “authorizes”
    • Owner/operator acts “under color of law” (when a person acts or purports to act in the performance of official duties under any law, ordinance or regulation) and lawfully engaged in investigation
    • Owner/operator has “reasonable grounds” to believe information is relevant to an investigation
    • Owner/operator acquires only trespass communications, and no others.
Nota Bene!
• Sections 210, 212, 217 (1) and (2) of the Patriot Act that amend sections 2510, 2511, 2702 and 2703 of the Electronic Communications Privacy Act have nothing to do with terrorism per se – no particular motive or citizenship or immigration status is required to make it actionable.
• Sections 217(1) and (2) simply relieve owners and operators of protected computers of potential ECPA liability for their investigations and/or disclosures under certain circumstances.
Nota Bene!
• Moreover, these new provisions make “hacking” (more clearly) illegal!*
– Criminal offense with criminal sanctions
– Hackers face civil liability with damages beginning at $5,000
– *Section 1030 of Title 18 of USC criminal code “computer abuse;” scope and damage rights now clearer without fear of ECPA liability**
– **But, case law has not refined statutory definition of a “protected computer” as defined under section 1030
Problem Areas for Potential Abuses and Concerns
• Constitutional
– First Amendment; speech
– Fourth, Fifth and Sixth criminal procedure
– Separation of powers (agencies as 4th branch)
• Privacy
– Colleges/University Autonomy
– FISA “business records”
– FERPA new exception
– Content and Exceptions to disclosure
• Federalism
– National service
• Case law definitions
– “Public”
– “Emergency”
– “Color of law”
– “Protected Computer”
– “Network Addresses,” “Routing,” “Customer Information”
• Deputized “Owner”
– Policy and Procedure
Small Consolation
• Sunset Provisions:
– Emergency segments of the ECPA will expire without further congressional action after four years.
– It took only a matter of weeks to enact this legislation.
– If Congress wants to extend, it easily can do so in the future
– Whether colleges and universities care will depend on how the politics between them and law enforcement/government over these provisions play out over time.
What Must Be Done
• Work together to address crime and terrorism
• Maintain free speech and inquiry
• Hold forth on our constitutional protections
• Import that sensibility of constitutional protections and due process into internal policies and procedures
• Watch and react politically depending on how this legislation makes its way into the daily life of American society