26 February 2002


To: policy-posts@cdt.org
Sent: 25/02/02 20:18
Subject: Policy Post 8.03: House Committee Takes up New Cyber-Security Bill

CDT POLICY POST Volume 8, Number 3, February 25, 2002

A BRIEFING ON PUBLIC POLICY ISSUES AFFECTING CIVIL LIBERTIES ONLINE
from
THE CENTER FOR DEMOCRACY AND TECHNOLOGY

CONTENTS:

(1) House Committee Takes up New Cyber-Security Bill
(2) Emergency Disclosure Authority Raises Privacy, Accountability Concerns
(3) Stronger Privacy Protections Needed on Other Powers Too

------------------------------------------------------------------------

(1) HOUSE COMMITTEE TAKES UP NEW CYBER-SECURITY BILL

Months after making major changes to the surveillance and computer crime laws, Congress is considering a number of new bills dealing with cyber-crime, cyber-security, and surveillance. On February 12, 2002, the House Subcommittee on Crime held a hearing on H.R. 4382, the Cyber Security Enhancement Act of 2001. CDT Associate Director Alan Davidson testified.

CDT's testimony focused on Section 102 of the bill, which would greatly expand the authority of ISPs to disclose email and other Internet communications to the government in emergency situations.

Current law allows service providers to disclose their customers' email to law enforcement agencies without a court order if the ISP reasonably believes there is an imminent threat of death or serious injury.

Sec. 102 would substantially expand this authority to reveal private communications, by permitting service providers to disclose communications to any government agency (state, local or foreign) without judicial authority or oversight, where the threat is not immediate and where the ISP does not have any factual basis for its belief that there is an emergency other than the government's claim that there is one.

CDT's full testimony before the House Subcommittee on Crime is online at:

http://www.cdt.org/testimony/020212davidson.shtml

------------------------------------------------------------------------

(2) EMERGENCY DISCLOSURE AUTHORITY RAISES PRIVACY, ACCOUNTABILITY CONCERNS

Under the USA PATRIOT Act adopted last fall, the communications privacy law was amended to allow ISPs and other system operators (universities, portals, Web hosts) to disclose the private communications of their subscribers or users if the system operator had reason to believe that there was an emergency situation involving an immediate danger of death or serious injury. The exception to the general rule of communications privacy was meant to cover situations where ISPs or others inadvertently discovered communications suggesting an immediate threat.

In fact, reports from large and small providers, universities, and libraries indicate that the provision is not being implemented as originally expected. Instead, providers are being approached by government agents and asked to voluntarily disclose communications or other subscriber information for investigations that the government claims involve a danger to life and limb.

Understandably, many service providers comply with the requests. But there is no oversight of these disclosures - they are not treated as interceptions, so they are not reported to the courts or Congress; the persons whose communications are disclosed are never given notice, even after the investigation is closed (unless, of course, the information is used in court); and service providers are immune (appropriately) from liability for disclosure. Furthermore, the exception doesn't even say that the disclosure must be limited to the communications to or from a suspected terrorist or other criminal - as written, anyone's communications can be disclosed in an emergency.

Section 102 of H.R. 4382 would expand this already broad authority:

*       It would allow disclosures to any governmental entity, not just law enforcement agents. That could include literally thousands of federal, state, and local employees.

*       It would not require imminent danger for disclosure. It would allow these extraordinary disclosures when there is some danger, which might be considerably in the future and far more hypothetical.

*       It no longer requires a reasonable belief that there is a danger on the part of the ISP. Section 102 would allow these sensitive disclosures if there is any good faith belief of danger.

Thus as drafted, Sec. 102 would allow many more disclosures of sensitive communications without any court oversight or notice to subscribers. It would allow these disclosures based on requests from potentially hundreds of thousands of government employees, ranging from local canine control officials to school principals to Agriculture Department cotton inspectors.

CDT believes that the broad expansion would go too far. We urged the committee to maintain the requirements of a reasonable belief in imminent danger. We called for including accountability mechanisms - requiring notice to the subscriber, after the fact (and deferrable based on a judicial order), as a means of providing subscribers with some way of knowing that their communications have been disclosed. And at a bare minimum, we said Congress should mandate a reporting requirement for these emergency disclosures to federal law enforcement, to give Congress and the public some method of evaluating their use.

------------------------------------------------------------------------

(3) STRONGER PRIVACY PROTECTIONS NEEDED ON OTHER POWERS TOO

H.R. 4382 opens the door on an issue shoved aside by September 11: the need to improve privacy safeguards for a range of government surveillance activities. The digital age is making more personal information available than ever before, increasing the need for a legislative framework that protects personal information from inappropriate surveillance. The USA PATRIOT Act passed last fall provided substantial new government capabilities to conduct surveillance on Americans and to combat terrorism and cybercrime. H.R. 4382 would provide additional authorities. Powerful new surveillance authorities require powerful oversight and accountability. It is time for equally strong measures for oversight and accountability, and protection for all the sensitive personal information increasingly available in the digital and wireless age.

Congress could start by taking up the privacy changes to surveillance law developed and passed by the House Judiciary Committee in the last Congress, in H.R. 5018, including:

*       Heightened protections for access to wireless location information, requiring a judge to find probable cause to believe that a crime has been or is being committed before the government can use someone's cell phone as a tracking device. Tens of millions of Americans are carrying (or driving) mobile devices that could be used to track their movements over time - with little clarity over how that information could be accessed and without an appropriate legal standard for doing so.

*       An increased standard for use of expanded pen registers and trap and trace capabilities, requiring a judge to at least find that specific and particular facts reasonably indicate criminal activity and that the information to be collected is relevant to the investigation of such conduct.

*       A rule prohibiting the government from using in court email or other Internet communications intercepted or seized in violation of the privacy standards in the law.

*       Compilation of statistical reports for government access to email, similar to those required for telephone wiretaps.

In addition, other issues - some of broader scope - need to be addressed:

*       Improve the notice requirement under ECPA to ensure that consumers receive notice (after an investigation is closed) if the government obtains information about their Internet transactions.

*       Provide enhanced protection for personal information on networks: probable cause for seizure without prior notice, and a meaningful opportunity to object for subpoena access.

*       Require notice and an opportunity to object when civil subpoenas seek personal information about Internet usage.

For more information on H.R. 5018, see

http://www.cdt.org/publications/pp_6.17.shtml

An overview of government surveillance authority (pre-PATRIOT Act) is at

http://www.cdt.org/wiretap/wiretap_overview.html

------------------------------------------------------------------------

Detailed information about online civil liberties issues may be found at

http://www.cdt.org/.

This document may be redistributed freely in full or linked to

http://www.cdt.org/publications/pp_8.03.shtml.

Excerpts may be re-posted with prior permission of ari@cdt.org

Policy Post 8.03 Copyright 2002 Center for Democracy and Technology
