Computer and Internet Lawyer
USA PATRIOT ACT FOR INTERNET AND COMMUNICATIONS COMPANIES
Copyright © 2002 by Aspen Law & Business, a Division of Aspen Publishers,
Inc.; Ronald L. Plesser, James J. Halpert, Emilio W. Cividanes
The USA PATRIOT Act of 2001 (Patriot Act) [FN1] became law in October 2001. The Patriot Act is a direct response to the September 11th terrorist attacks. It contains a number of proposals that federal law enforcement agencies had sought unsuccessfully in recent years, but that Congress passed quickly during a highly unusual period. How unusual? Congressional negotiators finalized the language of the Patriot Act in a small room in the Capitol building while House and Senate offices were closed due to an anthrax attack.
The Patriot Act makes important changes to government surveillance, immigration, money laundering, and substantive criminal law, among other areas of law. This article summarizes, in as compact a manner as possible, the portions of the Patriot Act of greatest interest to Internet companies, Internet service providers (ISPs), and telecommunications carriers: The Patriot Act's changes to surveillance and computer hacking laws (in Title II and Title VIII) affecting the responsibilities and immunities of these service providers. There are important provisions in these titles that we do not discuss because they relate to internal governmental procedures, or civil liberties issues beyond the scope of our article. Nor do we evaluate the constitutionality or wisdom of policy choices reflected in the bill.
The Patriot Act expands the obligations of service providers to comply with surveillance requests. For example, the Electronic Communications Privacy Act of 1986's (ECPA's) [FN2] pen register and trap and trace provisions have been expanded significantly to give the government access to Internet address information (excluding content). Another example is the obligation to respond to nationwide service of process applicable to multiple providers that in some instances will not identify the company on the face of the service document. Many, but by no means all, of these requirements will sunset in four years.
The Patriot Act contains three favorable features for communications companies. First, it provides specifically that nothing in the Patriot Act creates any new requirements for technical assistance, such as design mandates. Therefore, the government's right, if any, to impose design mandates, or to require use of government devices such as "Carnivore" technology or other technical assistance by service providers is not affected or augmented by the Patriot Act.
Second, in several important areas, the Patriot Act expands service provider liability protections (including immunities and good faith defenses) for complying with new or existing surveillance authority, as is the case in the Foreign Intelligence Surveillance Act of 1978's (FISA's) [FN3] wiretaps and disclosures of records. The Patriot Act also creates expanded ability for the government to conduct wiretaps, at the request of service providers, of the communications of hackers and other "trespassers" on service provider networks.
Third, the Patriot Act amends and narrows the Cable Communications Policy Act's (Cable Act's) [FN4] privacy provisions to make it clear that companies offering cable-based Internet or telephone service will be subject to the requirements of the Cable Act to notify subscribers of government surveillance requests only when detailed cable viewing information is being sought. In all other instances, cable operators offering these services can respond to a government surveillance request under ECPA, which does not require service providers to notify subscribers of requests.
Section 103: Increased Funding for the FBI's Technical Support Center
Bottom Line: Significantly more money will be spent on electronic surveillance by the government.
This Section authorizes $200 million each year for the next three fiscal years (FY 2002, FY 2003, and FY 2004) for the Federal Bureau of Investigation's (FBI's) technical support center. The center is a principal source of government technical surveillance initiatives, and this funding could accelerate more such proposals.
Section 202: Authority to Intercept Wire, Oral, or Electronic Communications Relating to Computer Fraud and Abuse Offenses
Bottom Line: Service providers will find it easier for the government to assist them by conducting surveillance related to hacking, denial of service attacks, and related Computer Fraud and Abuse Act (CFAA) violations.
Section 202 amends 18 U.S.C. Section 2516(1)(c) to add the CFAA [FN5] offenses to the list of predicates for obtaining Title III wiretaps, thereby facilitating government investigation of hacking offenses.
Section 203: Authority to Share Criminal Investigative Information
Bottom Line: Information obtained from grand juries and wiretaps will be accessible to a wider range of government offices and officials.
This Section amends the Federal Rules of Criminal Procedure and 18 U.S.C. Section 2517 to allow intelligence information obtained in grand jury proceedings and from wiretaps to be shared with any federal law enforcement, protective, intelligence, immigration, and national defense or security personnel, provided that recipients of the information may only use such information in connection with their official duties and subject to the disclosure limitations in existing law. In the case of grand jury information, it would require notification to the court after disclosure.
Although this Section broadens the categories of individuals with whom criminal investigative information can be shared, it was narrowed in the legislative process to require these individuals to use this information only in connection with their official duties.
Section 204: Clarification of Intelligence Exceptions from Limitations on Interception and Disclosure of Wire, Oral, and Electronic Communications
Bottom Line: No change. This Section clarifies existing law.
This provision explicitly carves out foreign intelligence surveillance operations from the criminal procedure protections of ECPA, thereby further clarifying that these types of operations are governed exclusively by FISA.
Section 206: Roving Surveillance Authority under the FISA
Bottom Line: This Section will result in increased roving tap activity.
Section 206 expands FISA court orders to allow "roving" surveillance in a manner similar to ECPA wiretaps. (The federal wiretap statute, but not FISA, was amended 15 years ago to allow "roving taps.") A roving wiretap enables government investigators to intercept all of a suspect's wire or electronic communications relating to the conduct under investigation, regardless of the suspect's location when communicating. The quintessential situation requiring a roving wiretap in the past has been when a suspect goes from phone booth to phone booth numerous times in an effort to prevent his or her calls from being wiretapped. After September 11, 2001, the Bush Administration emphasized surveillance challenges posed by "disposable" cell phone situations--when a suspect buys one cell phone and a week later buys another cell phone with a different number and moves from cell phone to cell phone seeking to avoid interception. Roving tap authority is not limited to voice communications, however; it could be used just as often to intercept the email communications of a suspect who changes Internet accounts daily, or several times a day.
Bottom Line: Stored voice mail will be treated as stored data under Section 2703 and not as an intercept governed by wiretap procedures.
This Section enables law enforcement to seize voice mail messages via a search warrant, instead of a Title III wiretap order, and thereby create procedural parity for government access to voice mail and email messages. It thus overturns case law that requires the government to apply for a Title III warrant before it can obtain unopened voice mail messages (but not email messages) held by a service provider. [FN6]
Section 210: Scope of Subpoenas for Records of Electronic Communications
Bottom Line: This Section may produce a major increase in subpoenas regarding subscribers.
This Section broadens the types of subscriber records that law enforcement can obtain via subpoena from service providers to include "the means or sources of payment for such services," "records of session times and durations," and "any temporarily assigned network address." The means-of-payment category was broader earlier in the legislative process, but was subsequently narrowed to clarify that it encompasses credit card or bank account numbers used as a means of payment for the communication service. Therefore, this provision does not apply to payment information that is stored briefly on a service provider's system or information contained in a "digital wallet."
Section 211: Clarification of Scope
Bottom Line: This Section changes procedures that apply to cable operators responding to a subpoena and in most instances will eliminate any obligations to notify customers of cable-based Internet service.
This Section resolves an ambiguity caused by convergence: Whether ECPA or the more restrictive privacy provisions of the Cable Act [FN7] apply to requests for subscriber records of cable Internet customers. It clarifies that ECPA, rather than the Cable Act, governs the release of cable Internet subscriber records. It provides helpful legal certainty to cable-based ISPs when served with lawful surveillance requests. The final version of Section 211 allows cable operators to respond to law enforcement requests to produce customer data about Internet service subscribers without first having to notify the subscribers, as the Cable Act had required. (A drafting flaw in the Bush Administration's original proposal would have preserved the notification requirement.) This outcome is consistent with recent court decisions ruling that ECPA must have implicitly repealed a conflicting Cable Act requirement that subscribers receive advance notice of the government's request. One category of Internet subscriber information that still remains subject to the advance notice provisions of the Cable Act is "records revealing cable subscriber selection of video programming from a cable operator."
Section 212: Emergency Disclosure of Electronic Communications to Protect Life and Limb
Bottom Line: This Section provides expanded flexibility to disclose in emergencies.
This Section permits service providers to disclose the content of stored email messages and other customer information to a law enforcement agency whenever the provider "reasonably believes" that an emergency involving immediate danger of "death or serious physical injury to any person" requires such disclosure. There was no provision in existing law expressly permitting service providers to make such emergency disclosures. This Section should help resolve an ambiguity in current law that inhibits service providers from disclosing customer information in the emergency situations set forth in the statute.
Section 214: Pen Register and Trap and Trace Authority under FISA
Bottom Line: This Section expands FISA pen register and trap and trace authority and should lead to a significant increase in such requests.
This Section expands the government's ability to obtain a court order under FISA for pen register or trap and trace surveillance. It eliminates the requirement in 50 U.S.C. Section 1842(c)(3) that the government certify that it has reason to believe that the surveillance is being conducted on a line or device that is or was used in "communications with" someone involved in international terrorism or intelligence activities that may violate US criminal law, or a foreign power or its agent whose communication is believed to concern terrorism or intelligence activities that violate US law. Instead, Section 214 makes the FISA pen register and trap and trace requirements more closely track ECPA's requirements for such surveillance (i.e., providing a certification that the information obtained would be relevant to an ongoing investigation).
Section 214 clarifies, however, that a FISA court order should not authorize the gathering of foreign intelligence information for an investigation concerning a US person or surveillance when the person has been singled out for investigation "solely upon the basis of" First Amendment activities.
Section 215: Access to Records and Other Items under FISA
Bottom Line: The Section greatly broadens the number of entities that are subject to FISA subpoenas; may include servers, but provides for immunity for good faith disclosures.
This provision substantially revises the FISA provisions governing access to business records for foreign intelligence and international terrorism investigations. Most significantly, the provision no longer limits the FBI's ability to obtain business records pursuant to an ex parte court order to specific categories of businesses. Previously, Section 501 of FISA [FN8] had subjected only common carriers, public accommodation facilities, physical storage facilities, or car rental facilities to FISA business record authority. By eliminating these categories and allowing these subpoenas to be issued to any person, Congress has, for example, included ISPs, banks, and any other business within the reach of business record authority.
Second, Section 215(e) creates immunity for good faith disclosures of business records under this provision and provides that disclosure of records does not waive any privilege in any other proceeding or context.
Third, Section 215 eliminates a previous limitation of FISA business record authority to "a foreign power or an agent of foreign power," [FN9] and expands the scope of items that may be obtained through this authority from "records" to "any tangible things," which might include, for example, a computer server on which information is stored. Fourth, the provision specifically prohibits investigations under this authority of US persons that are conducted solely based on First Amendment activities.
Finally, this Section amends 50 U.S.C. Section 1863 to require the Attorney General to fully inform and provide reports to select congressional committees, on a semiannual basis, of all requests for production of "tangible things," and to indicate in his report the total number of applications made for court orders in the preceding six-month period and, of those, the number of applications that were granted, modified, or denied.
Section 216: Modification of Authorities Relating to Use of Pen Registers and Trap and Trace Devices
Bottom Line: This Section contains probably the most significant surveillance expansion in the Patriot Act for service providers. It clarifies that pen register and trap and trace authority applies to Internet traffic, permits nationwide service of process, and requires reports on use of "Carnivore"-type technology. This Section does not sunset.
This provision makes three changes to existing law. First, by adding the terms "routing" and "addressing" to the phrase "dialing and signaling information," this amendment is intended to clarify that the pen register and trap and trace authority under ECPA applies to Internet traffic, provided that the information retrieved by these devices "shall not include the contents of any communication." Although the term "content" has a statutory definition, [FN10] it is vague and has not been tested in the context of Internet communications. It will be important to monitor law enforcement requests to determine what Internet-related information law enforcement seeks to obtain under the new law beyond the "to" and "from" header information in email communications that it already receives under existing pen register and trap and trace law.
Second, this provision also grants federal courts the authority to issue pen register and trap and trace orders that are valid anywhere in the United States, not just within their own jurisdiction. The advent of nationwide service will likely result in providers being asked with some frequency to render assistance even though they are not specifically named in the order and the assistance being requested is not specifically defined in the order.
There are two modifications to this provision that permit service providers to demonstrate that they are in fact complying with this new authority, and are eligible for a statutory good-faith defense or immunity from suit. First, Section 216 provides that a service provider has the right to receive a written certification from law enforcement confirming that the order applies to the provider being served with it. Moreover, Section 216 amends 18 U.S.C. Section 3124(d) to clarify that compliance with a pen register and trap and trace "order," rather than the express "terms of such order," makes a service provider eligible for statutory immunity. Nevertheless, nationwide service could make it very difficult for local or regional service providers to oppose, modify, or contest court orders because it will require them to travel to numerous courts in multiple jurisdictions, to address concerns over the breadth of court orders.
Third, Section 216 directs law enforcement to file an ex parte and in camera report with the court whenever it uses a "Carnivore" device (defined as "installing and using its own pen register or trap and trace device on a packet-switched network" of a provider). The report would identify, inter alia, "the configuration of the device at the time of its installation" and "any information which has been collected by the device." The existence of these reports may help to inform future public policy debates regarding the propriety of compelling ISPs to install Carnivore devices and the extent of the use of such devices. This provision is a permanent change to federal law and is exempted from the sunset provision of Section 224.
Section 217: Interception of Computer Trespasser Communications
Bottom Line: This Section protects the government from liability for warrantless interceptions of hackers and similar "trespassers" at the request of a service provider; service providers' protection is less clear.
This Section provides new protection from liability for government officials if they conduct warrantless wiretaps of computer "trespassers" (persons who are not known to the owner or operator of the computer to have a contractual relationship with that owner or operator and who gain unauthorized access to the system). The drafters presume that, under the pre-existing "switchboard" provision of ECPA, [FN11] owners or operators of computers have the authority to intercept the communications of trespassers. Section 217 is designed to protect law enforcement officials when the owner or operator delegates that authority to law enforcement. (Under the "switchboard" exception, a service provider can intercept or disclose a user's communications when "necessary ... to the protection of the right or property of the provider.")
Although the House Judiciary Committee version of the Patriot Act contained language that would have explicitly protected the service provider from liability for authorizing or providing facilities or technical assistance for this surveillance, the final legislation does not contain this language. If a court were to determine that the switchboard exception does not authorize owners or operators of computers to intercept the communications of trespassers, this omission might present a problem in some circumstances. There is case law indicating that ECPA's good faith defenses are not a basis for avoiding liability when actions are taken on the basis of an erroneous belief that a statutory provision authorizes the action. Nevertheless, Section 217 does not compel service providers to permit law enforcement to engage in the warrantless surveillance of trespassers, but rather leaves that decision entirely to the discretion of the service provider.
Section 218: Foreign Intelligence Information Requirement for FISA Authority
Bottom Line: This Section contains a relaxed standard for FISA surveillance.
This provision amends FISA to require a certification that "a significant purpose," rather than "the purpose," of surveillance or search under FISA is to obtain foreign intelligence information. This reflects a compromise between existing law and a lower standard requested by the Bush Administration.
Section 219: Single-Jurisdiction Search Warrants for Terrorism
Bottom Line: This Section greatly facilitates nationwide warrants for terrorism investigations.
This provision amends the Federal Rules of Criminal Procedure to allow federal judges to issue nationwide search warrants for investigations involving domestic or international terrorism. Under this provision, federal magistrate judges may issue search warrants from any jurisdiction where activities related to the terrorism may have occurred for a search of property or for a person within or outside the district. It will be much more difficult to seek review of orders that are issued from a remote jurisdiction.
To the extent that this modification makes government investigations easier, providers can expect to see an increased volume of requests. Also, the government in some instances will be able to choose a forum that is more likely to approve its requests.
Section 220: Nationwide Service of Search Warrants for Electronic Evidence
Bottom Line: This Section provides for expanded nationwide search warrants.
This provision amends ECPA to allow a single court having jurisdiction over the offense to issue a search warrant for stored data, such as email, that is valid anywhere in the United States. In its final form, this provision seeks to address forum-shopping concerns raised in response to the Bush Administration's initial proposal by requiring that the court issuing the warrant have jurisdiction over the offense under investigation.
Again, to the extent that this modification makes government investigations easier, providers can expect to see an increased volume of requests for assistance.
Section 222: Assistance to Law Enforcement Agencies
Bottom Line: This is a critical provision for service providers making clear that the Patriot Act does not affect the ability of the government to require technical mandates.
Technology mandates and data retention requirements (to store data that service providers do not retain in the ordinary course of their business operations) have been highly controversial issues for both service providers and privacy advocates. This Section makes clear that the Patriot Act preserves the status quo with regard to technical mandates and other obligations on service providers to provide technical assistance to law enforcement. The language recognizes that there are technical mandates in other areas (namely the Communications Assistance for Law Enforcement Act (CALEA), [FN12] which applies to telecommunications services, but generally does not apply to the Internet), while at the same time making clear that the Patriot Act does not require service providers to reconfigure their systems in any way to allow interception of, or to store, Internet protocol traffic.
Section 223: Civil Liability for Certain Unauthorized Disclosures
Bottom Line: This Section provides for somewhat greater accountability of government agents for willful unauthorized disclosures of fruits of wiretaps and production of stored data.
This provision makes a number of changes to prohibitions against unauthorized disclosure by the government of information obtained through the surveillance authority provided by ECPA. The most significant of these changes is an explicit clarification that civil lawsuits are not available against the federal government under 18 U.S.C. Section 2520 or Section 2707 for unauthorized interceptions or disclosures. It does not preclude actions against government agents, however, and specifically prohibits willful unauthorized disclosure or use of information that the government obtains through surveillance and increases the accountability of the government to discipline employees who willfully violate these Sections. The end result is nonetheless more favorable to the government than the initial version of this provision, an amendment by Rep. Barney Frank (D-MA) approved in the House Judiciary Committee mark-up of the bill, which would have allowed lawsuits against the federal government for certain ECPA violations.
Section 224: Sunset
Bottom Line: This Section provides a four-year sunset for many relevant portions of the Patriot Act.
This Section, subject to a laundry list of exceptions, sunsets in four years the surveillance and intelligence gathering provisions (all of Title I and Title II) of the bill. The list of exceptions not covered by the sunset is as follows:
- Section 203(a)--broadening the authority to share grand jury information;
- Section 203(c)--establishment of procedures regarding the sharing of criminal investigative information;
- Section 208--designation of FISA judges;
- Section 210--broadening the scope of subpoenas for electronic communications service providers by requiring disclosure of the means and source of payment, including bank account or credit card numbers;
- Section 211--treating cable companies that provide Internet services the same as other ISPs and telcos for such services;
- Section 213--broadening the authority to delay notification of search warrants in criminal investigations if prior notice would have an adverse effect;
- Section 216--extending trap and trace to Internet traffic so long as it excludes "content";
- Section 219--single-jurisdiction search warrants for terrorism;
- Section 221--trade sanction amendments; and
- Section 222--no imposition of technical obligations on provider of a wire or electronic communication service, landlord, custodian, or other person who furnishes facilities or technical assistance.
Section 225: Immunity for Compliance with FISA Wiretap
Bottom Line: This Section contains a very important expansion of service provider immunity for compliance with FISA.
This Section provides immunity from civil liability to subscribers, tenants, and others related to entities that comply with FISA wiretap orders. This language creates complete immunity for providing "any information, facilities, or technical assistance in accordance with a court order or request for emergency assistance under [FISA]." Before this provision was adopted, FISA had strangely failed to include protection for complying with FISA wiretaps. Section 225's liability protection is important because FISA wiretaps are likely to increase in the current climate.
Amendments and Related Improvements
Bottom Line: This Section expands the Bank Secrecy Act in connection with bank records.
These Sections generally amend the law to permit increased government access to information from banks that relates to terrorism. At the same time, institutions and their directors, officers, employees, and agents are protected from liability for such reporting of suspicious banking activities. Similar provisions also apply to securities brokers and dealers regulated by the Securities Exchange Act of 1934. [FN14] Likewise, the Fair Credit Reporting Act [FN15] is amended to allow consumer reporting agencies to provide consumer reports to government agencies for counterterrorism purposes.
The provisions also require financial institutions to develop anti-money laundering programs. The banking provisions allow the Secretary of the Treasury to impose sanctions, including cutting off all dealings with US financial institutions, on banks in a nation whose bank secrecy laws deny information to the FBI or other agencies. Foreign banks maintaining correspondent accounts in US banks must designate someone in the United States to receive subpoenas related to those accounts and their depositors. If those subpoenas are not answered, the accounts could be ordered closed.
These amendments also bar US banks from doing business with "shell banks" overseas that have no physical facilities and are not part of a regulated banking system. In addition, they empower the Treasury Secretary to require US banks to exercise enhanced "due diligence" to find out who their private banking depositors are if they come from nations that will not assist US officials.
Section 814: Deterrence and Prevention of Cyber-Terrorism (CFAA Amendments: Narrowing Civil Liability)
Bottom Line: This Section expands the government's authority to prosecute hacking and denial of service attacks, codifies the In re DoubleClick decision on the threshold for bringing private lawsuits under the CFAA, clarifies the meaning of damage/loss under the CFAA, and precludes private lawsuits for negligent design or manufacture of hardware or software.
At the Bush Administration's request, Section 814 makes a number of changes to the CFAA's criminal provisions. First, it increases criminal penalties by, for example, doubling the maximum prison term for a first offense from 10 years to 20 years. It adds computers located outside the United States to the definition of "protected computers" covered by the statute, thereby allowing US authorities to respond more quickly and aggressively to international hacking incidents in which perpetrators attack or route communications through computers in other countries. The provision also adds a definition for the important, but previously undefined, statutory term "loss," and clarifies that criminal prosecutions for hacking or unauthorized transmissions may be brought under 18 U.S.C. Section 1030(a)(5) if a "related course of conduct" causes $5,000 in loss. It clarifies that prosecutors need only prove that hackers intended to damage a protected computer, rather than providing very difficult proof that the hacker intended to cause loss exceeding the $5,000 threshold. Finally, Section 814 prohibits damaging computers used in furtherance of the administration of justice, the national defense, or national security, even if the harm in question does not reach $5,000.
At the same time, Section 814 contains several improvements on current law for civil defendants, who have increasingly become a target of plaintiff class actions that include claims under the CFAA. First, Section 814(a) provides that the CFAA $5,000 damage threshold is satisfied through loss caused by a related course of conduct "for purposes of an investigation, prosecution, or other proceeding brought by the United States only." The negative implication of this language appears to be that a single act, not a related course of conduct, producing $5,000 in harm is necessary for anyone other than the government to bring a private lawsuit under the CFAA. If this interpretation prevails in the courts, then this provision will codify a recent decision in In re DoubleClick Privacy Litigation, [FN16] that a civil action under Section 1030(g) generally may be brought only if a "single act" produces $5,000 of loss within the meaning of the statute.
Second, Section 814(d) generally preserves the current $5,000 threshold for private lawsuits under Section 1030(g) of the CFAA for "loss" to a computer system, except for cases involving damage to a system used by the government for the administration of justice, national defense, or national security. It also clarifies that the $5,000 threshold required for a private lawsuit under Section 1030(g) applies both to actions for "damage" and "loss," thereby eliminating a statutory ambiguity that plaintiffs' class action lawyers had attempted to use to avoid the $5,000 threshold.
Third, Section 814(d) contains a provision stating, "No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware." Although this language could be somewhat clearer, this provision likely will be very helpful in obtaining dismissal of CFAA claims similar to those raised in several large class actions challenging alleged defects in software or hardware.
Section 815: Additional Defense to Civil Actions Relating to Preserving Records in Response to Government Requests
Bottom Line: This Section expands service provider defense in civil actions alleging disclosure to governments.
Section 815 adds a new defense to civil or criminal liability under ECPA or any other law for service providers that preserve stored data at the request of a law enforcement official under 18 U.S.C. Section 2703(f). This defense is added to 18 U.S.C. Section 2707(e), a provision setting forth defenses to private lawsuits for unauthorized access to, or disclosure of, stored data. Although a service provider would not be liable under ECPA for preserving subscriber data, the provision is helpful in clarifying that service providers may not be held liable under state law.
By reducing procedural hurdles to government surveillance authority, the Patriot Act has helped to increase the number of electronic surveillance requests presented to communications companies and other businesses. Consequently, communications and many other companies are likely to be called on sooner, rather than later, to familiarize themselves with its surveillance provisions. Although the Patriot Act significantly broadens the government's surveillance power in a number of areas, it also avoids imposing additional technical mandates or data storage requirements that burden service provider functions. It also does a good job of matching civil liability protections with the Patriot Act's new responsibilities. Companies should be certain, however, that they comply with conditions for liability protection and that government requests are within the bounds prescribed by the Patriot Act.