“Electronic Surveillance, Security, and Privacy”

“Electronic Surveillance, Security, and Privacy” Professor Peter P. Swire Ohio State University InSITes -- Carnegie Mellon February 7, 2002


Transcript of “Electronic Surveillance, Security, and Privacy”

Page 1: “Electronic Surveillance, Security, and Privacy”

“Electronic Surveillance, Security, and Privacy”

Professor Peter P. Swire

Ohio State University

InSITes -- Carnegie Mellon

February 7, 2002

Page 2: “Electronic Surveillance, Security, and Privacy”

Overview of the Talk

Overview of electronic surveillance, before and after September 11

Security vs. privacy

Security and privacy

Page 3: “Electronic Surveillance, Security, and Privacy”

Wiretaps and Surveillance

History of wiretaps

2000 Administration proposal

2001 USA Patriot Act

Page 4: “Electronic Surveillance, Security, and Privacy”

Wiretap History

1920s Olmstead

– Wiretaps permitted by police without warrant where tap applied outside your home

1960s Katz

– Reasonable expectation of privacy, even in a phone booth

1968 Title III

– Strict rules for content, more than probable cause, as a last resort, reporting requirements

Page 5: “Electronic Surveillance, Security, and Privacy”

History (cont.)

1984 ECPA

– Some protections for e-mail

– Some protections for to/from information; pen registers (who you call); trap and trace (who calls you)

Page 6: “Electronic Surveillance, Security, and Privacy”

2000 Administration Proposal

How to update wiretap and surveillance for the Internet age

15-agency White House working group

Legislation proposed June, 2000

– S. 3083

– Hearings and mark-up in House Judiciary, further toward privacy than our proposal

Page 7: “Electronic Surveillance, Security, and Privacy”

2000 Administration Proposal

Update telephone era language

Upgrade email and web protections to same as telephone calls

Identify new obstacles to law enforcement from the new technology

Sense of responsibility -- assure privacy, give law enforcement tools it needs

Page 8: “Electronic Surveillance, Security, and Privacy”

2001 USA Patriot Act

Introduced less than a week after September 11

Key provisions often have a point, but maybe went too far

4 year “sunset” for many surveillance provisions and what to do next

Page 9: “Electronic Surveillance, Security, and Privacy”

Emergency orders

Before, “imminent threat” of serious harm to get wiretap before a court order

Now, for any ongoing computer attack, or else ability to trace back may be lost

For anything affecting “a national security interest”

Are these too broad?

Page 10: “Electronic Surveillance, Security, and Privacy”

Roving taps

Old days, order for each phone

What if suspect buys a dozen disposable cell phones? Uses someone else’s computer?

But, how far can the order rove? Anyone in the public library?

Problem -- less of a suppression remedy for email and web use

Page 11: “Electronic Surveillance, Security, and Privacy”

Nationwide trap and trace

Old days, serve order on ATT and it was effective nationwide

Today, e-mail may travel through a half-dozen providers, have needed that many court orders

New law -- one order effective nationwide

Query -- order from a judge in Idaho, served late at night, how do you challenge that?

Page 12: “Electronic Surveillance, Security, and Privacy”

Computer trespasser exception

Previous law:

– ISP can monitor its own system

– ISP can give evidence of yesterday’s attack

– ISP cannot invite law enforcement in to catch the burglars

Problem for:

– DOD and many hack attacks

– Small system owners who need help

Page 13: “Electronic Surveillance, Security, and Privacy”

Computer trespasser proposal

Law enforcement can “surf behind” if:

– Targets person who accesses a computer “without authorization”

– System owner consents

– Lawful investigation

– Law enforcement reasonably believes that the information will be relevant

– Interception does not acquire communications other than those transmitted to or from the trespasser

Page 14: “Electronic Surveillance, Security, and Privacy”

Computer trespasser

Issues of concern:

– Never a hearing in Congress on it

– No time limit on each use

– No reporting requirement

– FBI can ask the ISP to invite it in, and then camp at ISP permanently

– Limited suppression remedy if go outside permitted scope

Page 15: “Electronic Surveillance, Security, and Privacy”

II. Security & Privacy After 9/11

Less tolerance for hackers and other unauthorized use

Cyber-security and the need to protect critical infrastructures such as payments system, electricity grid, & telephone system

Greater tolerance for surveillance, which many people believe is justified by greater risks

Page 16: “Electronic Surveillance, Security, and Privacy”

Security vs. Privacy

Security sometimes means greater surveillance, information gathering, & information sharing

USA Patriot increases surveillance powers

Computer trespasser exception

Moral suasion to report possible terrorists

Page 17: “Electronic Surveillance, Security, and Privacy”

Security and Privacy

Good data handling practices become more important -- good security protects information against unauthorized use

Audit trails, accounting become more obviously desirable -- helps fight sloppy privacy practices

Part of system upgrade for security will be system upgrade for other requirements, such as privacy

Page 18: “Electronic Surveillance, Security, and Privacy”

In Conclusion

USA Patriot has 4 year sunset of many of the surveillance provisions

Imagine an architecture that meets legitimate security needs and also respects privacy

Need accountability to ensure the new powers are used wisely

Our homework -- how to do that wisely

Page 19: “Electronic Surveillance, Security, and Privacy”

Contact Information

Professor Peter P. Swire

phone: (301) 213-9587

email: [email protected]

web: www.osu.edu/units/law/swire.htm