
THE PATRIOT ACT & ECPA – Week 5




  1. THE PATRIOT ACT & ECPA – Week 5 Lewis University **Legal Issues in Information Security Gary A Bannister FCMA, AICPA, CGEIT

  2. Learning Objectives • Understanding of the Patriot Act and the issues of privacy • How it relates to IT • An understanding of the ECPA, the Electronic Communications Privacy Act • An understanding of FATA, the Financial Anti-Terrorism Act • An understanding of CALEA, the Communications Assistance for Law Enforcement Act

  3. Key Statutes • CFAA (Computer Fraud & Abuse Act) – 1986 • Electronic Communications Privacy Act (ECPA) – 1986 (Updated the Federal Wiretap Act) • Communications Assistance for Law Enforcement Act (CALEA) – 1994 (Amended ECPA) • PATRIOT ACT – 2001

  4. PATRIOT ACT • Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001

  5. PATRIOT ACT and Privacy • President Bush signed it into law on October 26, 2001 • Passed into law just 45 days after the events of September 11, with virtually no debate • There are serious concerns that the PATRIOT Act threatens fundamental freedoms by giving the government the power to access medical records, tax records, and information about the books bought or borrowed without probable cause, and the power to break into private homes and conduct secret searches without telling residents for weeks, months, or indefinitely

  6. PATRIOT ACT • Comprised of 10 Titles • Contains more than 150 sections and amends over 15 federal statutes, including laws governing criminal procedure, computer fraud, foreign intelligence, wiretapping, and immigration

  7. Key Sections The PATRIOT Act amended a number of existing federal laws. 15 statutes were changed in some way. • Enhancing domestic security against terrorism • Enhanced surveillance procedures • Detention of aliens engaged in terrorist activities • Criminal law and procedure • Provisions directed at halting financial support of terrorism • Emergency authorizations

  8. The USA PATRIOT Act Increased the scope and penalties of the Computer Fraud and Abuse Act by: • raising the maximum penalty for violations to 10 years (from 5) for a first offense and 20 years (from 10) for a second offense • ensuring that violators only need to intend to cause damage generally, not intend to cause damage or other specified harm over the $5,000 statutory damage threshold • allowing aggregation of damages to different computers over a year to reach the $5,000 threshold

  9. The USA PATRIOT Act Increased the scope and penalties of the Computer Fraud and Abuse Act • enhancing punishment for violations involving any (not just $5,000) damage to a government computer involved in criminal justice or the military • including damage to foreign computers involved in US interstate commerce • including state law offenses as priors for sentencing • expanding the definition of loss to expressly include time spent investigating and responding for damage assessment and for restoration.

  10. PATRIOT ACT Constitutional Concerns – Civil Liberties Violations • First Amendment intellectual freedom and privacy rights • Fourth Amendment rights to be free of unreasonable searches and seizures • Fifth Amendment protections of due process • Sixth Amendment rights to a public trial by an impartial jury • Fourteenth Amendment equal protection guarantees, or the constitutional assurance of the writ of habeas corpus

  11. PATRIOT ACT and Privacy Particularly troubling to free speech and privacy advocates are four provisions: • Section 206, which permits the use of "roving wiretaps" and secret court orders to monitor electronic communications to investigate terrorists • Sections 214 and 216, which extend telephone monitoring authority to include routing and addressing information for Internet traffic relevant to any criminal investigation

  12. PATRIOT ACT and Privacy Section 215 grants unprecedented authority to the Federal Bureau of Investigation (FBI) and other law enforcement agencies to obtain search warrants for business, medical, educational, library, and bookstore records. Section 215 includes a "gag order" provision prohibiting any person or institution served with a search warrant from disclosing what has taken place. In conjunction with the passage of the USA PATRIOT Act, the U.S. Justice Department issued revised FBI guidelines in May 2002 that greatly increase the bureau's surveillance and data collection authority to access such information as an individual's Web surfing habits and search terms.

  13. PATRIOT ACT and Privacy Section 215 Under the new reporting rule, the Treasury Department's Financial Crimes Enforcement Network (FinCEN) can require a financial institution to search its records for a specific person or organization under investigation for terrorist or money laundering activities. The financial institution must ascertain whether the individual or group currently maintains or has maintained an account at the institution during the past twelve months, or whether the person or group has conducted any transactions with the institution during the past six months. Under the rule, if a match occurs, the financial institution must provide FinCEN with: • the individual's or group's name • the individual's or group's account numbers • the identifying information given by the account holder when the account was opened or when the transaction occurred • the date and type of any transaction

  14. PATRIOT ACT and Privacy Section 215 • Section 215 allows the FBI to order any person or entity to turn over "any tangible things," so long as the FBI "specifies that the order is for an authorized investigation . . . to protect against international terrorism or clandestine intelligence activities." • Section 215 vastly expands the FBI's power to spy on ordinary people living in the United States, including United States citizens and permanent residents.

  15. PATRIOT ACT and Privacy Section 215 • Those served with Section 215 orders are prohibited from disclosing the fact to anyone else. Those who are the subjects of the surveillance are never notified that their privacy has been compromised. • If the government had been keeping track of what books a person had been reading, or what web sites she had been visiting, the person would never know.

  16. PATRIOT ACT and Privacy Section 215 • Normally, the government cannot effect a search without obtaining a warrant and showing probable cause to believe that the person has committed or will commit a crime. • Privacy advocates say Section 215 violates the Fourth Amendment by allowing the government to effect Fourth Amendment searches without a warrant and without showing probable cause. • Privacy advocates say the provision violates the Fourth and Fifth Amendments by failing to require that those who are the subject of Section 215 orders be told that their privacy has been compromised.

  17. Electronic Communications Privacy Act (ECPA) The ECPA was passed in the 1960s to give privacy protection to electronic transmissions. It prohibits owners and operators of Internet services from revealing information gathered in the course of business to third parties, and makes it illegal for third parties to intercept transmissions or access stored data. Law enforcement agencies could not access the data either, except under certain conditions. Some sections of the PATRIOT Act affect the ECPA by broadening the authority of law enforcement officials substantially.

  18. Electronic Communications Privacy Act (ECPA) • Under Section 210, the scope of subpoenas is expanded to cover electronic communications. • Law enforcement officials can now obtain from ISPs information such as means and sources of payment, telephone records of sessions and their duration, and temporarily assigned network addresses. • Section 212 permits service providers to disclose the content of stored e-mail messages and other customer information to a governmental entity, if the provider "reasonably believes that an emergency involving the immediate danger of death or serious physical injury" justifies disclosure of the information.

  19. Schools must cope with Patriot Act • As recipients of federal funds, universities must comply with a federal law commonly referred to as either FERPA (the Family Educational Rights and Privacy Act) or the Buckley Amendment. • FERPA makes most records maintained about students confidential and requires the student's permission before disclosing an "educational record" or any information it contains. • When a school is served with a subpoena or other legal process requiring the production of a student's educational record, FERPA requires that the student be notified so that he or she may seek judicial protection.

  20. Schools must cope with Patriot Act • Section 507 was amended to allow educational institutions to disclose educational records without court order or student consent when relevant to a terrorism investigation. • The institution is not liable for disclosures made in good faith and need not retain a record of the transaction.

  21. IT departments must cope with Patriot Act • The USA PATRIOT Act eases the requirements for the government to obtain access to electronic communications or records. • Law enforcement officials do not need wiretap authorization to gain access to voice mails; a search warrant is sufficient. • Law enforcement officials are authorized to install devices to intercept and track Internet activity. • The statute increases penalties for certain computer hacking crimes.

  22. IT departments must cope with Patriot Act • The USA Patriot Act remains not just a political but also a technological issue • Unprepared businesses, schools, and other organizations can find themselves facing network problems, service disruptions, and in the worst case FBI agents armed with subpoenas who haul off PCs, servers, and computer log data.

  23. IT departments must cope with Patriot Act • Investigations under the act often require a complete information blackout. • IT groups are forbidden to tell the subjects they're being investigated, or even to acknowledge that an investigation is under way. • Law enforcement agencies may direct IT groups to take certain actions or to refrain from taking actions, either of which can lead to network problems. They may be ordered to leave compromised or damaged computers and networks untouched while the investigation is under way. "This can disrupt work patterns. A given subnet could be taken offline or required to stay online… and you can't explain why to the affected users." • Investigators could require some network or computer log data to be preserved for up to 180 days. But what if part or all of that data is, by IT policy, automatically deleted every 10 days?
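A worked illustration of the retention conflict raised on this slide, added here and not part of the original deck: a log-retention sweep that applies the routine 10-day deletion policy but never deletes records covered by an active preservation hold, which the slide puts at up to 180 days. The record layout, the hold structure, the ticket identifiers and the sample data are all constructed assumptions; the point is that the deletion job, not the people who receive the order, has to know about the hold, and that the job's own audit trail should carry only an internal reference and nothing that reveals the investigation.

```python
"""Retention sweep that honours preservation holds (added example).

Models the slide's scenario: a 10-day automatic deletion policy versus a
request to preserve certain log data for up to 180 days.  Fields, hold
structure and sample values are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DEFAULT_RETENTION = timedelta(days=10)     # routine policy stated on the slide
PRESERVATION_PERIOD = timedelta(days=180)  # preservation window stated on the slide


@dataclass(frozen=True)
class LogRecord:
    record_id: str
    source: str          # assumed field: the host or subnet the log came from
    created: datetime


@dataclass(frozen=True)
class PreservationHold:
    source: str          # which source's records must be kept
    issued: datetime     # when the preservation request was received
    ticket: str          # internal reference only; never the order's contents

    def covers(self, record: LogRecord, now: datetime) -> bool:
        """True while the hold is in force for this record's source.

        The hold is treated as active from issue until 180 days later;
        after that the routine policy applies again.
        """
        if record.source != self.source:
            return False
        return now <= self.issued + PRESERVATION_PERIOD


def holds_for(record: LogRecord, holds, now: datetime):
    """Ticket references of every active hold that protects this record."""
    return [h.ticket for h in holds if h.covers(record, now)]


def sweep(records, holds, now: datetime):
    """Split records into (to_delete, retained).

    A record is deleted only when it is older than DEFAULT_RETENTION *and*
    no active hold protects it.  Held records are retained regardless of age.
    """
    to_delete, retained = [], []
    for rec in records:
        past_policy = now - rec.created > DEFAULT_RETENTION
        if past_policy and not holds_for(rec, holds, now):
            to_delete.append(rec)
        else:
            retained.append(rec)
    return to_delete, retained


# Constructed sample data: a fixed "now" so the example is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

SAMPLE_RECORDS = [
    LogRecord("r1", "subnet-10.1.0.0/24", NOW - timedelta(days=3)),    # inside 10 days
    LogRecord("r2", "subnet-10.1.0.0/24", NOW - timedelta(days=40)),   # old, but held
    LogRecord("r3", "subnet-10.2.0.0/24", NOW - timedelta(days=40)),   # old, no hold
    LogRecord("r4", "subnet-10.3.0.0/24", NOW - timedelta(days=200)),  # hold has lapsed
]

SAMPLE_HOLDS = [
    PreservationHold("subnet-10.1.0.0/24", NOW - timedelta(days=30), "HOLD-0001"),
    PreservationHold("subnet-10.3.0.0/24", NOW - timedelta(days=190), "HOLD-0002"),
]


def sweep_summary(records=SAMPLE_RECORDS, holds=SAMPLE_HOLDS, now=NOW):
    """Return record ids that the sweep would delete and retain."""
    to_delete, retained = sweep(records, holds, now)
    return ([r.record_id for r in to_delete], [r.record_id for r in retained])


if __name__ == "__main__":
    deleted, kept = sweep_summary()
    print("delete:", deleted)   # r3 is past policy; r4's hold has expired
    print("retain:", kept)      # r1 is fresh; r2 is protected by HOLD-0001
    for rec in SAMPLE_RECORDS:
        refs = holds_for(rec, SAMPLE_HOLDS, NOW)
        if refs:
            # Audit line records only the internal ticket, nothing about the case.
            print(f"{rec.record_id} retained under {', '.join(refs)}")
```

The sweep has to run this check before any rotation or purge tool touches the data; a log rotator that works purely on file age has no notion of a hold, so the hold registry must be consulted first or the files moved out of its reach when the hold is recorded.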

  24. The Financial Anti-Terrorism Act (FATA) A major component of the PATRIOT legislation was the International Money Laundering Abatement and Financial Anti-Terrorism Act of 2001, a collection of powerful new anti-money laundering measures designed to help stem the flow of money to terrorists and other criminals.

  25. FATA Provisions that Impact Financial Privacy • Authorizes the Treasury Department to create new record-keeping and reporting requirements. • Requires closer scrutiny of private banking accounts opened for anyone who is not a U.S. citizen or a legal permanent U.S. resident. • Requires financial institutions to verify the identity of customers opening accounts and maintain records. • Requires investment firms and futures and commodities traders to file Suspicious Activity Reports (SARs). • Creates new currency reporting requirements for transactions over $10,000 • Requires a consumer reporting agency (CRA) to provide consumer credit reports to a government agency for terrorism investigations.

  26. Communications Assistance for Law Enforcement (CALEA) In October 1994, Congress took action to protect public safety and ensure national security by enacting the Communications Assistance for Law Enforcement Act. The law further defines the existing statutory obligation of telecommunications carriers to assist law enforcement in executing electronic surveillance pursuant to court order or other lawful authorization. The objective of CALEA implementation is to preserve law enforcement's ability to conduct lawfully authorized electronic surveillance while preserving public safety, the public's right to privacy, and the telecommunications industry's competitiveness. • Who must be CALEA-compliant? • All telecommunications carriers as defined by Section 102(8) of CALEA. Basically, this includes all entities engaged in the transmission or switching of wire or electronic communications as a common carrier for hire.

  27. What is CALEA? CALEA is the Communications Assistance for Law Enforcement Act. It was originally enacted in 1994. It requires providers of commercial voice services to engineer their networks in such a way as to assist law enforcement agencies in executing wiretap orders. Until August 5, 2005, that is…

  28. CALEA: New Report and Order On August 5, 2005, in response to a request by law enforcement, the FCC voted to extend CALEA to include facilities-based Internet service providers. Facilities-based Internet service providers are defined as: "entities that provide transmission or switching over their own facilities between the end user and the Internet Service Provider."

  29. Arguments for/against extending CALEA to ISPs Law Enforcement: • The Internet is increasingly the communication of choice for criminal activity • Legal intercepts need to be easier and less expensive for LE • An "exempt" system is a magnet for criminal activity Education and Libraries: • Congress should decide, not the FCC or DoJ • LE has sufficient access now • Cost to comply can't be justified • Will slow innovation

  30. Questions?
