Anti-Terrorism Legislation and Campus Computing

Tracy Mitrano, Cornell

Barbara Simons, Stanford

Rodney Petersen, MarylandCopyright Tracy Mitrano, Rodney J. Petersen and Barbara Simons, 2001. This work is the intellectual property of the author. Permission is granted for

this material to be shared for non-commercial, educational purposes, provided that this copyright appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Dissecting the Patriot Act for Its Potential Impact on Colleges and

Universities

Tracy Mitrano

Policy Advisor

Co-Director of Computer Policy and Law

Cornell University

Patriot Act of 2001

• To deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigatory tools, and for other purposes.

•  H.R.3162 Sponsor: Rep Sensenbrenner, F. James, Jr.(introduced 10/23/2001) Latest Major Action: 10/26/2001 Signed by President

Title I: Enhancing Domestic Security Against Terrorism

• Section 103: Increased funding for the Technical Support Center– Addition to established funding for section 811

of the Antiterrorism and Effective Death Penalty Act of 1996

– $200,000,000 addition each year for 2002-2004

Title I: Enhancing Domestic Security Against Terrorism

• Section 105: Expansion of National Electronic Crime Task Force Initiative– Director of US Secret Service shall create

national task force on the New York Electronic Crimes Task Force model

– Operate throughout the United States– For the purpose of “preventing, detecting and

investigating various forms of electronic crimes.”

Title II: Enhanced Surveillance Procedures

• Sharing of Information– Law enforcement with

federal agencies

• Obtaining Records– FERPA– FISA– ECPA

• Rewording to Include Electronic Communications– “routing,” “network

addresses,” “signaling”

• Creating New Categories– Computer Trespass

• Creating New Access– Rubber Stamp and National

Service for Subpoenas– Deputizing owners and

operators of IT

• Creating New Compensations– FBI compensate ISP– Civil actions for computer

abuse over $5,000.

Section 203: Sharing of Sensitive Information

• Information gathered in criminal investigations by law enforcement agencies can be shared with federal intelligence services including INS, SS, CIA and FBI– “Criminal investigations” balanced against

“unauthorized disclosure”– Includes telephone and Internet interceptions– Startling to Americans because of 1970’s Church

Committee revelations about CHAOS and the violations of the CIA’s statutory provisions in its charter toward Vietnam anti-war protesters

Obtaining Records: Implications for Higher Education

• FERPA– Family Education Rights and Privacy Act

• FISA– Foreign Intelligence Surveillance Act

• ECPA– Electronic Communications Privacy Act

Family Education Rights and Privacy Act

• Patriot Act amends to permit educational institutions to disclose educational records to federal law enforcement officials without student consent:– If a U.S. Assistant Attorney General, or similarly

ranked official, obtains a court order relevant to terrorism investigation

– Institution is not liable, and need not maintain a record of the transaction

– Distinct from the “health and safety” already existing exception

Ancillary to FERPA

• National Center for Education Statistics– Federal officials can have access to survey

information, which is otherwise held confidential

• Monitoring of Foreign Students– Full implementation of existing Immigration

and Naturalization Service law regarding information about students

Foreign Intelligence Surveillance Act

• Judicial “Rubber-Stamping” of subpoenas– Common language affecting both FISA and ECPA

• Extensive use of “Pen Registers” and other surveillance techniques for the electronic media– Common language affecting both FISA and ECPA

– Rewording of language to include electronic media such as “routing,” “network addresses” and “wire or electronic communication”

– No subpoena for recorded voice messages

Foreign Intelligence Surveillance Act

• Business Records– FBI can seize with a court order certain

business records pursuant to a terrorism or intelligence investigation

– Prohibits record keeper disclosure of FBI action

Access:ECPA Sections 2702 and 2703 Amended

• Section 210 and 216 of Patriot Act– Like FISA pen register, expands scope of subpoena to

cover electronic communications• With non-disclosure provisions and congressional oversight

• Section 222 provides for “reasonable compensation” for “reasonable expenses” to owner of network communications

– Observers have raised questions about specificity of language and interpretation:

• Routing (addresses) or content (urls) not clear

Access:ECPA Sections and 2703 Amended

Section 220 creates “nationwide service for search warrants for electronic evidence.”– Creates a “national subpoena” obtainable from

magistrates in federal district courts which can be extended to any other jurisdiction

– i.e. if FBI in Washington want something in California, they can apply for warrant in Washington federal court and have it apply to California, they do not specifically need to go to California federal court to obtain the warrant

Access:ECPA Section 2702 Amended

• Section 212 of Patriot Act: Voluntary Emergency disclosure of electronic communications– (3) a provider of remote computing service or

electronic communications service to the public shall not knowingly divulge a record or other information pertaining to a subscriber or to a customer of such service, EXCEPT

Exceptions to Section 212 Privilege

• (C) If a provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of the information without delay…

• Additional exception include: customer consent; necessary operations personnel; provider property protection, to a government entity and (mysteriously) any person “other than a government entity.”

Access:ECPA Section 2703 Amended

• Section 212 of Patriot Act: Required disclosure of customer communications or records:– To government with appropriate subpoena, court order

or letter from Attorney General (already existing “hostile nation provision” with its own requirements)

• Telephone connection, session times and duration, subscriber number or identity, including any temporarily assigned network address

– Government officials may seek stored voice-mail messages without wiretap authorization

Access:ECPA Section 2510 Amended

• Section 217 (1) of Patriot Act: Computer Trespass– (A) person who accesses a protected computer without

authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through, or from the protected computer

– (B) does not include a person known by the owner or operator of the protected computer to have an existing contractual relationship with the owner or operator of the protected computer for access to all or part of the protected computer

Access:ECPA Section 2511(2) Amended• Section 217 (2) of Patriot Act:

– (i) It shall not be unlawful under this chapter for a person acting under color of law to intercept the wire or electronic communications of a computer trespasser transmitted to, though, or from the protected computer…

Access:ECPA Section 2511(2) Amended• Section 217 (2) of Patriot Act:

– If –• Owner/operator “authorizes”

• Owner/operator acts “under color of law” (when a person acts or purports to act in the performance of official duties under any law, ordinance or regulation) and lawfully engaged in investigation

• Owner/operator has “reasonable grounds” to believe information is relevant to an investigation

• Owner/operator acquires only trespass communications, and no others.

Nota Bene!

• Sections 210, 212, 217 (1) and (2) of the Patriot Act that amend sections 2510, 2511, 2702 and 2703 of the Electronic Communications Privacy Act have nothing to do with terrorism per se – no particular motive or citizenship or immigration status is required to make it actionable.

• Sections 217(1) and (2) simply alleviates owners and operators of protected computers of potential ECPA liability for their investigations and/or disclosures under certain circumstances.

Nota Bene!

• Moreover, these new provisions make “hacking” (more clearly) illegal!*– Criminal offense with criminal sanctions– Hackers face civil liability with damages beginning at

$5,000– *Section 1030 of Title 18 of USC criminal code

“computer abuse;” scope and damage rights now clearer without fear of ECPA liability**

– **But, case law has not refined statutory definition of a “protected computer” as defined under section 1030

Problem Areas for Potential Abuses and Concerns

• Constitutional – First Amendment; speech– Fourth, Fifth and Sixth

criminal procedure– Separation of powers

(agencies as 4th branch)

• Privacy– Colleges/University

Autonomy– FISA “business records”– FERPA new exception– Content and Exceptions to

disclosure

• Federalism– National service

• Case law definitions– “Public”– “Emergency” – “Color of law”– “Protected Computer”– “Network Addresses,”

“Routing,” “Customer Information”

• Deputized “Owner”– Policy and Procedure

Small Consolation

• Sunset Provisions:– Emergency segments of the ECPA will expire without

further congressional action after four years.

– If took only a matter of weeks to enact this legislation.

– If Congress wants to extend, it easily can do so in the future

– Whether colleges and universities care will depend on how the politics between them and law enforcement/government over these provisions play out over time.

What Must Be Done

• Work together to address crime and terrorism• Maintain free speech and inquiry• Hold forth on our constitutional protections• Import that sensibility of constitutional protections

and due process into internal policies and procedures

• Watch and react politically depending on how this legislation makes its way into the daily life of American society

Conclusion

Where angels have feared to tread, let not fools rush in…