More Surveillance on the Way
The USA Patriot Act was passed with much fanfare last October, but it was soon clear that lawmakers passed the package without examining all the parts. Today, we're still struggling to determine how new law enforcement powers granted by Patriot are being used.
In June, the House Judiciary Committee asked the Attorney General for specifics on this issue. On October 17, the committee released the DOJ's answers.
Much of what was learned was troubling. For example, Patriot opened loopholes that let electronic communications service providers give customer records to law enforcement officials without a warrant. In lay terms, the folks that provide your email account are an electronic service provider, and your actual emails could fall into the category of customer records.
In a letter to the House Judiciary Committee, the Attorney General's office confirmed that they have received anecdotal accounts of providers turning over records without a warrant but "there are no statistics detailing the number of times that disclosures have occurred or the basis for such disclosures."
In this context, a recent amendment to the Senate's Homeland Security bill seems all the more ominous. The amendment, offered by Orrin Hatch, was based on a bill passed in the House on July 15, just before the August recess, called the Cyber Security Enhancement Act, or CSEA. Introduced by Rep. Lamar Smith -- who brought us Patriot's computer surveillance language -- CSEA, if passed, would make it even easier for government agents to get your electronic records, without a warrant and without telling you.
Traditionally getting electronic records, which can include your actual emails, has required a warrant, and companies that handed over such information without that warrant could face penalties. The Patriot Act created an exception to that requirement: Communications providers can now voluntarily disclose customer records to law enforcement officials in situations where the provider has a reasonable belief that disclosing the records is necessary to prevent an imminent danger. The language in Hatch's amendment expands that exception in two ways. First, it removes the imminence requirement. Under the new rules, a provider would only have to believe that disclosing the records would help prevent some theoretical future danger. Second, a provider would no longer need to have a reasonable belief that the communication relates to this vaguely defined danger. He or she will only have to be acting in good faith.
These changes make it much easier for law enforcement officials to access previously difficult-to-obtain personal information without a warrant. After all, if a danger no longer has to be imminent to eliminate the need for court oversight, when will a warrant be needed? And changing the standard required of the provider to a "good faith" belief would make it harder for providers to refuse law enforcement requests. "Good faith" is a very subjective guideline -- all it means is that an employee at an ISP or phone company must sincerely believe that they are acting to avoid danger, regardless of whether a reasonable person would agree. It's easy to imagine that if an FBI agent shows up at your ISP's door and says that seeing your emails would help them avoid a future threat, that would be enough to give most employees a good faith belief that they should hand them over.
"Essentially, it's a standard that you can't ever refute," said Chris Hoofnagle, legislative counsel to the Electronic Privacy Information Center (EPIC). "Basically, it immunizes the ISPs."
Or, as Jennifer Granick, Clinical Director at Center for Internet and Society at Stanford Law School puts it, "Who knows what arrangements will be made between law enforcement and ISPs?"
Additionally, while the Patriot Act granted exemptions specifically to law enforcement operatives, the new rules would allow communications providers to turn over records to any government agency. While it's at least conceivable that the Centers for Disease Control might have a valid need for your records, the way the bill is worded, your local city council would have the same standing.
Other provisions change computer wiretap laws to allow more emergency tapping and create mandatory sentencing guidelines in cases where someone uses a computer in the commission of a crime, as if this were somehow comparable to using a gun to facilitate a criminal transgression.
How did these provisions get added to the Senate's contentious Homeland Security bill by unanimous consent? Hoofnagle explains that the bill makes most of these changes by reference -- substituting one word here and another there in an existing law. This means that unless one gets out the existing language and actually compares it to the standing statute, one can't really tell how the bill has been modified.
The bill's first placement was on the House suspension calendar, which normally contains uncontroversial legislation, for quick consideration before the August recess, so it's likely that not every representative actually did his or her homework before voting. That passage -- the House vote was 385 to 3 -- allowed Hatch to present it to the Senate as "non-controversial" and "passed with overwhelming bipartisan support."
The bill's original name -- the Cyber Security Enhancement Act -- didn't hurt either, given the government's abysmal record on cyber-security. Unfortunately this bill's focus on increasing email surveillance and lengthening prison sentences does nothing to improve the actual security of the government's computer systems.
With the uncertain timetable for Senate action on the Homeland Security bill, activists say fast action is needed to educate Senators about the problems with this amendment.
The Electronic Frontiers Foundation launched an action alert on its web site, which has so far generated more than 6,000 emails to members of Congress. Granick spoke at Def Con, an annual conference of more than 4,000 hackers and security professionals, August 2, calling on the audience to contact their representatives in Washington.
EPIC, which has followed this bill since it was introduced, sent a lengthy letter to the bill's House sponsors earlier this year. Anita Ramasastry, associate director at the Shidler Center for Law, Commerce, and Technology at the University of Washington School of Law, wrote an article on FindLaw.com when CSEA was introduced in the House, arguing for amendments to some of the bill's most egregious sections.
It's important that Senators know what the new changes will actually do and what you think about changes. So go write and call. Ask that the amendment be dropped, or at the least, that time is taken to fully analyze all of the Homeland Security bill's provisions before it is passed.
Robin Mejia is a Santa Cruz-based investigative journalist. She specializes in science and technology coverage.