1. Privacy and National Security After September 11 Professor Peter P. Swire Ohio State University FLICC 2002 Forum Library of Congress March 19, 2002

2. Overview of the Talk n My background and Clinton Administration on privacy and security n Wiretaps and surveillance, before and after September 11 n Lessons going forward for privacy and security

3. I. My Background n Law professor since 1990 -- law of cyberspace, etc. n 1999 & 2000 -- Clinton Administration – Chief Counselor for Privacy n This year, visit at GW n The future -- OSU and summer DC program

4. Why the interest in privacy? n First wave of privacy activity – 1970, Fair Credit Reporting Act – 1974, Privacy Act (federal agencies) – Rise of the mainframes – Possibility of giant databases – Develop fair information practices of notice, choice, access, security, and accountability

5. Second wave of privacy activity n Modern laptop or desktop -- everyone can have a mainframe n Rise of the Internet n Transfers are free, instant, and global n How do we respond to more databases and more transfers?

6. Clinton Administration -- Privacy n Legal protections for sensitive data – Medical privacy proposed and final rule – Financial privacy law and rules – Childrens Online Privacy Protection Act n Self-regulation as path to progress – Internet privacy policies, rise from 14% to 88% n Government as a model – Website privacy policies – Cookies on website policy

7. II. Wiretaps and Surveillance n History of wiretaps n 2000 Administration proposal n 2001 Bush/Ashcroft proposal and the USA Patriot Act

8. Wiretap History n 1920s Olmstead – Wiretaps permitted by police without warrant where tap applied outside your home n 1960s Katz – Reasonable expectation of privacy, even in a phone booth n 1968 Title III – Strict rules for content, more than probable cause, as a last resort, reporting requirements

9. History (cont.) n 1970s Church Committee and FISA – Keep CIA out of domestic spying – Secret wiretaps in U.S., but only where primarily for foreign intelligence n 1984 ECPA – Some protections for e-mail – Some protections for to/from information; pen registers (who you call); trap and trace (who calls you)

10. 2000 Administration Proposal n How to update wiretap and surveillance for the Internet age n Headed 15-agency White House working group n Legislation proposed June, 2000

11. 2000 Administration Proposal n Update telephone era language n Upgrade email and web protections to same as telephone calls n Identify new obstacles to law enforcement from the new technology n Sense of responsibility -- assure privacy, give law enforcement tools it needs

12. 2001 USA Patriot Act n Uniting and Strengthening America Act by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism n USA PATRIOT Act n Introduced less than a week after September 11

13. Nationwide trap and trace – Old days, serve order on ATT and it was effective nationwide – Today, e-mail may travel through a half-dozen providers, have needed that many court orders – New law -- one order effective nationwide – Query -- order from a judge in Idaho, served late at night, how do you challenge that?

14. Roving taps – Old days, order for each phone – What if suspect buys a dozen disposable cell phones? – But, how far can the order rove? Anyone in the public library? – Problem -- less of a suppression remedy for email and web use

15. Updating scope of data n Previously, pen/trap orders (to/from information) authorized to get telephone numbers n New law, any dialing, routing, addressing, or signaling information n Amendment -- not including content, but that was left undefined n Legally allows urls? Technically, can content be excluded?

16. Computer trespasser exception n Previous law: – ISP can monitor its own system – ISP can give evidence of yesterdays attack – ISP cannot invite law enforcement in to catch the burglars n Problem for: – DOD, other agencies, and many hack attacks – Small system owners who need help

17. Computer trespasser exception n Law enforcement can surf behind if: – Targets person who accesses a computer without authorization – System owner consents – Lawful investigation – Law enforcement reasonably believes that the information will be relevant – Interception does not acquire communications other than those transmitted to or from the trespasser

18. Computer trespasser n Issues of concern: – Never a hearing in Congress on it – No time limit – No reporting requirement – FBI can ask the ISP to invite it in, and then camp at ISP permanently – Limited suppression remedy if go outside permitted scope

19. Law Enforcement vs. Foreign Intelligence n From the 1970s -- separate law enforcement (domestic, rule of law) from foreign intelligence (foreign, laws of war) n Lawyers in DOJ policed transfers, pretty strict n FBI official this fall: all the walls are down now

20. Supporting this change n Terrorism is both domestic and foreign – World Trade Center shows a risk from keeping investigatory databases separate – As a legislator, would you want to insist on the separation and risk another catastrophe? n The Internet – E-mail and other communications are routinely across borders – Intelligence gathering should be shared

21. All the walls are down now n To law enforcement, get information from secret FISA wiretaps: – Rule was if purpose was foreign intelligence – Rule now if a significant purpose n To foreign intelligence, secret grand jury testimony can now go to CIA, etc., with no re-use limits in the law

22. Concerns with FBI/CIA changes n History from 1960s and 1970s of abuses n Risks insertion of foreign intelligence in domestic political groups n Already new proposals to have FBI surveil domestic groups n Possibility of large increase in secret wiretaps n Possibility of prosecutors using broad grand jury powers for non-criminal matters

23. Security and Privacy n After 9/11, greater focus on (cyber) security n Security vs. privacy n Security and privacy n Our homework

24. Greater Focus on Security n Less tolerance for hackers and other unauthorized use n Cyber-security and the need to protect critical infrastructures such as payments system, electricity grid, & telephone system n Greater tolerance for surveillance, which many people believe is justified by greater risks

25. Security vs. Privacy n Security sometimes means greater surveillance, information gathering, & information sharing n USA Patriot increases in surveillance powers n Computer trespasser exception

26. Security and Privacy n Good data handling practices become more important -- good security protects information against unauthorized use n Audit trails, accounting become more obviously desirable n Part of system upgrade for security will be system upgrade for other requirements, such as privacy (medical privacy)

27. Our Homework n USA Patriot has 4 year sunset on many of the surveillance provisions n An invitation to get engaged, to study the pros and cons of the new provisions n Hearings are needed on computer trespasser, foreign/domestic, etc. n What can be the new forms of accountability? How stop potential abuses?

28. In Conclusion n USA Patriot Act is a work in progress n Imagine an architecture that meets legitimate security needs and also respects privacy n Better data handling often results in both n But need accountability to ensure that the new powers are used wisely n Lets get to work on that.

29. Contact Information n Professor Peter P. Swire n phone: (301) 213-9587 n email: pswire@law.gwu.edu n web: www.osu.edu/units/law/swire.htm