Security and Privacy
   
Response to Sept. 11, 2001 Terrorist Attacks
 

Summary and Analysis of Key Sections of USA PATRIOT ACT of 2001

To: Interested Persons
From: E-Commerce & Privacy Group
Ron Plesser (202) 861-3969
Jim Halpert (202) 861-3938
Milo Cividanes (202) 861-3911
Date: October 31, 2001

We have tried in as compact a manner as possible to summarize those portions of the "USA Patriot Act of 2001" (hereafter "the Act" or "the Patriot Act") of interest to Internet companies, Internet service providers, and telecommunications carriers. Therefore, we are primarily interested in the responsibilities and immunities that the Patriot Act provides for various providers. There are important sections of the Act that we do not discuss because they are related to internal governmental issues, immigration law issues, or other issues beyond the scope of this memo. Nor do we evaluate here the constitutionality or wisdom of policy choices reflected in any part of this bill.

Our hope is that this will be helpful to better understand and prepare for the changes brought about by the Patriot Act.

SUMMARY

Service providers have expanded obligations under this Act. For example, the definitions of trap and trace device have been significantly expanded to allow for access to certain information (excluding content) concerning Internet activity. Another example is the obligation to respond to a nationwide service of process that in some instances may not identify your company on the face of the service document. The Act does permit you to seek clarifications.

The Patriot Act contains three favorable features for communications companies. First, it provides specifically that nothing in the Act creates any new requirements for technical assistance, such as design mandates. Therefore, the right, if any, of the government to require use of design mandates such as "Carnivore" technology or other technical assistance by service providers is not affected or augmented by the Patriot Act.

Second, in several important areas, the Act expands service provider protections (including immunities and good faith defenses) for complying with new or existing surveillance authority, as is the case in FISA wiretaps and disclosures of records. The Act also creates expanded ability for the government to conduct wiretaps, at the request of service providers, of hackers and other "trespassers" on service provider networks.

Third, the Patriot Act amends and limits the Cable Act to make it clear that companies offering cable-based Internet or telephone service will be subject to the requirements of the Cable Act to notify subscribers of government surveillance requests only where detailed cable viewing information is being sought. In all other instances, cable operators offering these services can respond to a government surveillance request under ECPA, which does not require service providers to notify subscribers of requests.

Section 103: Increased funding for the FBI's technical support center.

Bottom Line: Significantly more money will be spent on electronic surveillance by the government.

This section authorizes $200 million each year for the next three fiscal years (FY 2002, 2003, and 2004) for the FBI's technical support center. The center is a principal source of government technical surveillance initiatives, and this funding could accelerate more such proposals.

Section 202: Authority to intercept wire, oral or electronic communications relating to computer fraud and abuse offenses.

Bottom Line: Expands ability for service providers to get government help with hacking, denial of service attacks, and related Computer Fraud and Abuse Act violations.

Section 202 amends 18 U.S.C. � 2516(1)(c) to add the Computer Fraud and Abuse Act offenses (18 U.S.C. � 1030) to the list of predicates for obtaining Title III wiretaps, thereby facilitating government investigation of hacking offenses.

Section 203: Authority to share criminal investigative information.

Bottom Line: Information obtained from grand juries and wiretaps will be accessible to a wider range of government offices and officials.

This section amends the Federal Rules of Criminal Procedure and 18 U.S.C. � 2517 to allow intelligence information obtained in grand jury proceedings and from wiretaps to be shared with any federal law enforcement, protective, intelligence, immigration, and national defense or security personnel, provided that recipients of information could only use such information in connection with their official duties and subject to the disclosure limitations in existing law. In the case of grand jury information, it would require notification to the court after disclosure.

Although this section broadens the categories of individuals with whom criminal investigative information can be shared, it was narrowed in the legislative process to require these individuals to use this information only in connection with their official duties.

Section 204: Clarification of intelligence exceptions from limitations on interception and disclosure of wire, oral, and electronic communications.

Bottom Line: No change. Clarifies existing law.

Explicitly carves out foreign intelligence surveillance operations from the criminal procedure protections of ECPA, thereby further clarifying that these types of operations are governed exclusively by FISA.

Section 206: Roving surveillance authority under the Foreign Intelligence Surveillance Act of 1978.

Bottom Line: Will result in increased roving tap activity.

Expands FISA court orders to allow "roving" surveillance in a manner similar to ECPA wiretaps. (The federal wiretap statute, but not FISA, was amended 15 years ago to allow "roving taps.") A roving wiretap enables government investigators to intercept all of a suspect's wire or electronic communications relating to the conduct under investigation, regardless of the suspect's location when communicating. The quintessential situation requiring a roving wiretap in the past has been when a suspect goes from phone booth to phone booth numerous times in an effort to prevent his calls from being wiretapped. Since September 11, 2001, the Administration has cited surveillance challenges posed by "disposable" cell phone situations�where a suspect buys a cell phone on day one and a week later buys another cell phone with another number and moves from cell phone to cell phone seeking to avoid interception. But "roving tap" authority is not limited to voice communications; it could equally be used to intercept the e-mail communications of a suspect who changes Internet accounts every day, or several times a day.

Section 209: Seizure of voice mail messages pursuant to warrants.

Bottom Line: Stored voice mail will be treated as stored data under � 2703 and not as an intercept governed by wiretap procedures.

This section enables law enforcement to seize voice mail messages via a search warrant, instead of a Title III wiretap order, which harmonizes the manner in which both voice mail and e-mail messages can be accessed. It thereby overturns case law that requires the government to apply for a Title III warrant before it can obtain unopened voice mail messages (but not e-mail messages) held by a service provider. See U.S. v. Smith, 155 F.3d 1051 (9th Cir. 1998), cert. denied, 119 S. Ct. 804 (1999).

Section 210: Scope of subpoenas for records of electronic communications.

Bottom Line: May produce a major increase in subpoenas regarding subscribers.

Broadens the types of subscriber records that law enforcement can obtain via subpoena from service providers, including ISPs, to include "the means or sources of payment for such services," "records of session times and durations," and "any temporarily assigned network address." The means-of-payment category was broader earlier in the legislative process, but was subsequently narrowed to clarify that it encompasses credit card or bank account number used as a means of payment for the communication service. Therefore, this provision does not apply to payment information that is stored briefly on a service provider's system or information contained in a "digital wallet."

Section 211: Clarification of scope.

Bottom Line: Changes procedures that apply to cable operators responding to a subpoena and in most instances will eliminate any obligations to notify customers of cable-based Internet service.

Clarifies that ECPA governs the release of most subscriber records of cable television companies that provide Internet service. It will provide certainty to cable-based ISPs when served with lawful surveillance requests. Fixing a drafting flaw in the Administration's original proposal, Section 211 will result in cable operators responding to law enforcement requests by producing customer data about Internet service subscribers without first having to notify the subscribers. This is consistent with recent court decisions ruling that ECPA must have implicitly repealed a conflicting Cable Act requirement that subscribers receive advance notice of the government's request. One category of Internet subscriber information that still remains subject to the advance notice provisions of the Cable Act is "records revealing cable subscriber selection of video programming from a cable operator."

Section 212: Emergency disclosure of electronic communications to protect life and limb.

Bottom Line: Expanded flexibility to disclose in emergencies.

Permits service providers to disclose the content of stored e-mail messages and other customer information whenever the provider "reasonably believes" that an emergency involving immediate danger of "death or serious physical injury to any person" requires such disclosure. There was no provision in existing law expressly permitting service providers to make such emergency disclosures. This section should help resolve an ambiguity in current law that inhibits service providers from disclosing customer information in emergency situations involving death or serious physical injury.

Section 214: Pen register and trap and trace authority under FISA.

Bottom Line: Expansion of FISA pen register/trap and trace authority in FISA that should lead to a significant increase in such requests.

Makes it easier for the government to obtain a court order under FISA for pen register or trap and trace surveillance. Eliminates the requirement in 50 U.S.C. � 1842(c)(3) that the government certify that it has reason to believe that the surveillance is being conducted on a line or device that is or was used in "communications with" someone involved in international terrorism or intelligence activities that may violate U.S. criminal law, or a foreign power or its agent whose communication is believed to concern terrorism or intelligence activities that violate U.S. law. Instead, Section 214 makes the FISA pen register/trap & trace requirements more closely track ECPA's requirements for such surveillance (i.e., providing a certification that the information obtained would be relevant to an ongoing investigation).

However, Section 214 clarifies that a FISA court order should not authorize the gathering of foreign intelligence information for an investigation concerning a U.S. person or surveillance where the person has been singled out for investigation "solely upon the basis of" First Amendment activities.

Section 215. Access to records and other items under the Foreign Intelligence Surveillance Act.

Bottom Line: Potentially a broad expansion of the types of items which may be subject to FISA subpoena; may include servers, but provides for immunity for good faith disclosures.

This provision substantially revises the FISA provisions governing access to business records for foreign intelligence and international terrorism investigations. Most significantly, the provision no longer limits the FBI's ability to obtain business records pursuant to an ex parte court order to specific categories of businesses. Previously, section 501 of FISA (50 U.S.C. � 1862) had subjected only common carriers, public accommodation facilities, physical storage facilities, or car rental facilities to FISA business record authority. By eliminating these categories and allowing these subpoenas to be issued to any person, Congress has, for example, included Internet service providers, banks, and any other business within the reach of business record authority.

Second, Section 215(e) creates immunity for good faith disclosures of business records under this provision, and provides that disclosure of records does not waive any privilege in any other proceeding or context. Third, Section 215 eliminates a previous limitation of FISA business record authority to "a foreign power or an agent of foreign power," 18 U.S.C. � 1862(b)(2)(B), and expands the scope of items that may be obtained through this authority from "records" to "any tangible things," which might include, for example, a computer server on which information is stored. Fourth, the provision specifically prohibits investigations under this authority of U.S. persons that are conducted solely based on First Amendment activities.

Finally, this section amends 50 U.S.C. � 1863 to require the Attorney General to fully inform and provide reports to select congressional committees, on a semiannual basis, of all requests for production of "tangible things," and to indicate in his report the total number of applications made, in the preceding six-month period, for court orders and, of those, the number of applications that were granted, modified, or denied.

Section 216: Modification of authorities relating to use of pen registers and trap and trace devices.

Bottom Line: Probably the most significant surveillance expansion in the Act. Clarifies that pen register/trap and trace authority applies to Internet traffic, permits nationwide service of process, and requires reports on use of "Carnivore"-type technology. Does not sunset.

This provision makes three changes to existing law. First, by adding the terms "routing" and "addressing" to the phrase "dialing and signaling information," this amendment is intended to clarify that the pen register and trap and trace authority under ECPA applies to Internet traffic, provided that the information retrieved by these devices "shall not include the contents of any communication." Although the term "content" has a statutory definition, see 18 U.S.C. � 2510(8) (the term content "includes any information concerning the substance, purport, or meaning of [the] communication"), it is vague and has not been tested in the context of Internet communications. It will be important to monitor law enforcement requests to determine what Internet-related information law enforcement seeks to obtain under the new law beyond the "to" and "from" header information in e-mail communications that it already receives under existing pen register and trap trace law.

Second, this provision also grants federal courts the authority to issue pen register and trap and trace orders that are valid anywhere in the United States, not just within their own jurisdiction. The advent of nationwide service will likely result in providers being asked with some frequency to render assistance even though they are not specifically named in the order and the assistance being requested is not specifically defined in the order.

We worked on two modifications to this provision that permit service providers to demonstrate that in they are in fact complying with this new authority, and are eligible for a statutory good-faith defense or immunity from suit. First, Section 216 provides that a service provider has the right to receive a written certification from law enforcement confirming that the order applies to the provider being served with it. Moreover, Section 216 amends 18 U.S.C. � 3124(d) to clarify that compliance with a pen register/trap and trace "order," rather than the express "terms of such order" makes a service provider eligible for statutory immunity. Nevertheless, nationwide service could make it very difficult for local or regional service providers to oppose, modify, or contest court orders because it will require service providers to travel to numerous courts, in multiple jurisdictions, to address concerns over the breadth of court orders.

Third, Section 216 directs law enforcement to file an ex parte and in camera report with the court whenever it uses a "Carnivore" device (defined as "installing and using its own pen register or trap and trace device on a packet-switched network" of a provider). The report would identify, inter alia, "the configuration of the device at the time of its installation" and "any information which has been collected by the device." The existence of these reports may help in future public policy debates on the propriety of the government compelling ISPs to install "Carnivore" devices and the extent of the use of such devices.

The provision is a permanent change to federal law and is exempted from the sunset provision of Section 224.

Section 217: Interception of computer trespasser communications.

Bottom Line: Protects the government from liability for warrantless interceptions of hackers and similar "trespassers" at the request of a service provider; service providers' protection is less clear.

This section provides new protection from liability for government officials if they conduct warrantless wiretaps of computer "trespassers" (persons who are not known to owner or operator of the computer to have a contractual relationship with that owner or operator and who gain unauthorized access to the system). The drafters presume that, under the "switchboard" provision of existing law (18 U.S.C. � 2511(2)(a)(i)), owners or operators of computers have the authority to intercept the communications of trespassers. Section 217 is designed to protect law enforcement officials when the owner or operator delegates that authority to law enforcement. (Under the "switchboard" exception, a service provider can intercept or disclose a user's communications when "necessary . . . to the protection of the right or property of the provider.")

Although the House Judiciary Committee bill contained language that would have explicitly protected the service provider from liability for authorizing or providing facilities or technical assistance for this surveillance, the final legislation does not contain this language. To the extent that a court determines that the "switchboard" exception does not authorize owners or operators of computers to intercept the communications of trespassers, this omission could present a problem because there is case law indicating that ECPA's good faith defenses are not a basis for avoiding liability where actions are taken on the basis of an erroneous belief that a statutory provision authorizes the action. Nevertheless, Section 217 does not compel service providers to permit law enforcement to engage in the warrantless surveillance of trespassers, but rather leaves that decision entirely to the discretion of the service provider.

Section 218: Foreign intelligence information requirement for FISA authority.

Bottom Line: Relaxed standard for FISA surveillance.

This provision amends FISA to require a certification that "a significant purpose," rather than "the purpose," of surveillance or search under FISA is to obtain foreign intelligence information. This reflects a compromise between existing law and a lower standard requested by the Administration.

Section 219: Single-jurisdiction search warrants for terrorism.

Bottom Line: Greatly facilitates nationwide warrants for terrorism investigations.

This provision amends the Federal Rules of Criminal Procedure to allow federal judges to issue nationwide search warrants for investigations involving domestic or international terrorism (i.e., federal magistrate judges may issue search warrants in any jurisdiction where activities related to the terrorism may have occurred for a search of property or for a person within or outside the district). It will be much more difficult to seek review of orders that are issued remotely.

To the extent that this modification makes government investigations easier, providers can expect to see an increased volume of requests. Also, the government in some instances will be able to choose a forum that is more likely to approve its requests.

Section 220: Nationwide service of search warrants for electronic evidence.

Bottom Line: Provides for expanded nationwide search warrants.

This provision amends ECPA to allow a single court having jurisdiction over the offense to issue a search warrant for stored data such as e-mail that would be valid anywhere in the U.S. In its final form, this provision seeks to address forum-shopping concerns raised in response to the Administration's initial proposal by requiring that the court issuing the warrant have jurisdiction over the offense under investigation.

To the extent that this modification makes government investigations easier, providers can expect to see an increase in volume of requests for assistance.

Section 222. Assistance to law enforcement agencies.

Bottom Line: Critical provision that makes it clear that the Act does not affect, either way, the ability of the government to require technical mandates.

Makes clear that the legislation preserves the status quo with regard to technical mandates and other obligations on service providers to provide technical assistance to law enforcement. The language recognizes that there are technical mandates in other areas (namely CALEA, which applies to telecommunications services, but generally does not apply to the Internet), while at the same time making clear that the Act does not require ISPs to reconfigure their systems in any way to allow interception of, or to store, Internet Protocol traffic.

Section 223. Civil liability for certain unauthorized disclosures.

Bottom Line: Somewhat greater accountability of government agents for willful unauthorized disclosures of fruits of wiretaps and production of stored data.

This provision makes a number of changes to prohibitions against unauthorized disclosure of by the government of information obtained through the surveillance authority provided by ECPA. The most significant of these changes is an explicit clarification that civil lawsuits are not available against the federal government under 18 U.S.C. �� 2520 or 2707 for unauthorized interceptions or disclosures. However, it does not preclude actions against government agents, specifically prohibits willful unauthorized disclosure or use of information that the government obtains through surveillance, and increases the accountability of the government to discipline employees who willfully violate these sections. The end result is nonetheless more favorable to the government than the initial version of this provision, an amendment by Rep. Barney Frank (D-MA) approved in the House Judiciary Committee mark-up of the bill, which would have allowed lawsuits against the federal government for certain ECPA violations.

Section 224: Sunset.

Bottom Line: Four-year sunset for many relevant portions of this Act.

This section, subject to a laundry list of exceptions, sunsets in four years the surveillance and intelligence gathering provisions (all of Title I and Title II) of the bill. The list of exceptions not covered by the sunset is as follows:

  • Section 203(a)�broadening the authority to share grand jury information.
  • Section 203(c)�establishment of procedures regarding the sharing of criminal investigative information.
  • Section 205�expedition of employment of translators to support counterterrorism.
  • Section 208�designation of FISA judges.
  • Section 210�broadening the scope of subpoenas for electronic communications service providers by requiring disclosure of the means and source of payment, including bank account or credit card numbers.
  • Section 211�treating cable companies that provide Internet services the same as other ISPs and telcos for such services.
  • Section 213�broadening the authority to delay notification of search warrants in criminal investigations if prior notice would have an adverse effect.
  • Section 216�extending trap and trace to Internet traffic so long as excludes "content."
  • Section 219�single-jurisdiction search warrants for terrorism.
  • Section 221�trade sanction amendments.
  • Section 222�no imposition of technical obligations on provider of a wire or electronic communication service, landlord, custodian, or other person who furnishes facilities or technical assistance.

Section 225: Immunity for compliance with FISA wiretap.

Bottom Line: Very important expansion of service provider immunity for compliance with FISA.

This section provides immunity for civil liability from subscribers, tenants, etc. for entities that comply with FISA wiretap orders. This is language that we worked on creating complete immunity for providing "any information, facilities, or technical assistance in accordance with a court order or request for emergency assistance under [FISA]." Previously, FISA had failed to include protection for complying with FISA wiretaps. Section 225's liability protection is important because FISA wiretaps are likely to increase in the current climate.

Section 351 et. seq. Bank Secrecy Act amendments and related improvements.

Bottom Line: Expansion of Bank Secrecy Act in connection with bank records.

These sections generally amend the law in ways that will permit increased government access to information from banks that relates to terrorism. At the same time, institutions and their directors, officers, employees, and agents are protected from liability for such reporting of suspicious banking activities. Similar provisions also apply to securities brokers and dealers regulated by the Securities and Exchange Act of 1934. Likewise, the Fair Credit Reporting Act is amended to allow consumer reporting agencies to provide consumer reports to government agencies for counterterrorism purposes.

The provisions also require financial institutions to develop anti-money laundering programs. The banking provisions allow the Secretary of the Treasury to impose sanctions, including cutting off all dealings with United States financial institutions, on banks in a nation whose bank secrecy laws deny information to the Federal Bureau of Investigation or other agencies. Foreign banks maintaining correspondent accounts in United States banks must designate someone in the United States to receive subpoenas related to those accounts and their depositors. If those subpoenas are not answered, the accounts could be ordered closed.

These amendments also bar United States banks from doing business with "shell banks" overseas that have no physical facilities and are not part of a regulated banking system. In addition, they empower the Treasury Secretary to require United States banks to exercise enhanced "due diligence" to find out who their private banking depositors are if they come from nations that will not assist United States officials.

Section 814: Deterrence and prevention of cyber-terrorism. (Computer Fraud and Abuse Act Amendments: Narrowing Civil Liability)

Bottom Line: Expands government's authority to prosecute hacking and denial of service attacks, codifies In re DoubleClick decision for private litigation under the Computer Fraud and Abuse Act, clarifies the meaning of damage/loss under the CFAA, and precludes private lawsuits for negligent design or manufacture of hardware or software.

At the Administration's request, Section 814 increases criminal penalties for Computer Fraud and Abuse Act (CFAA) violations, adds computers located outside the U.S. to the definition of "protected computers" covered by the statute, adds a definition for the important, but previously undefined, statutory term "loss," and clarifies that criminal prosecutions for hacking or unauthorized transmissions may be brought under 18 U.S.C. � 1030(a)(5) if a "related course of conduct" causes $5,000 in loss. At the same time, Section 814 contains several improvements upon current law for civil defendants, who have increasingly become a target of plaintiff class actions brought using the private right of action contained in the CFAA.

First, � 814(a) provides that the CFAA $5,000 damage threshold is satisfied through loss caused by a related course of conduct "for purposes of an investigation, prosecution, or other proceeding brought by the United States only." The negative implication of this language appears to be that a single act, not a related course of conduct, producing $5,000 in harm is necessary for anyone other than the government to bring a private lawsuit under the CFAA. If this interpretation prevails in the courts, then this provision will codify a recent decision in In re DoubleClick Privacy Litigation, 154 F. Supp.2d 497 (S.D.N.Y. 2001), that a civil action under � 1030(g) generally may be brought only if a "single act" produces $5,000 of loss within the meaning of the statute.

Second, � 814(d) generally preserves the current $5,000 threshold for private lawsuits under � 1030(g) of the CFAA for "loss" to a computer system, except for cases involving damage to a system used by the government for the administration of justice, national defense, or national security. It also clarifies that the $5,000 threshold required for a private lawsuit under � 1030(g) applies both to actions for "damage" and "loss," thereby eliminating a statutory ambiguity that plaintiffs' class action lawyers had attempted to use to avoid the $5,000 threshold.

Third, � 814(d) contains a provision from the original Senate bill stating that "[n]o action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware." Although this language could be somewhat clearer, this provision likely will be very helpful in obtaining dismissal of CFAA claims such as the ones challenging alleged defects in software or hardware that have been brought by several large class actions.

Section 815: Additional defense to civil actions relating to preserving records in response to government requests.

Bottom Line: Expands service provider defense in civil actions alleging disclosure to governments.

Section 815 adds a new defense to civil or criminal liability under ECPA for service providers who preserve stored data at the request of a law enforcement official under 18 U.S.C. � 2703(f). The defense, which is added to 18 U.S.C. � 2707(e) (a provision providing defenses to private lawsuits for unauthorized access to or disclosure of stored data), provides additional protection for service providers against civil liability under ECPA.