1. Electronic Surveillance, Security, and Privacy Professor Peter P. Swire Ohio State University InSITes -- Carnegie Mellon February 7, 2002

2. Overview of the Talk n Overview of electronic surveillance, before and after September 11 n Security vs. privacy n Security and privacy

3. Wiretaps and Surveillance n History of wiretaps n 2000 Administration proposal n 2001 USA Patriot Act

4. Wiretap History n 1920s Olmstead – Wiretaps permitted by police without warrant where tap applied outside your home n 1960s Katz – Reasonable expectation of privacy, even in a phone booth n 1968 Title III – Strict rules for content, more than probable cause, as a last resort, reporting requirements

5. History (cont.) n 1984 ECPA – Some protections for e-mail – Some protections for to/from information; pen registers (who you call); trap and trace (who calls you)

6. 2000 Administration Proposal n How to update wiretap and surveillance for the Internet age n 15-agency White House working group n Legislation proposed June, 2000 – S. 3083 – Hearings and mark-up in House Judiciary, further toward privacy than our proposal

7. 2000 Administration Proposal n Update telephone era language n Upgrade email and web protections to same as telephone calls n Identify new obstacles to law enforcement from the new technology n Sense of responsibility -- assure privacy, give law enforcement tools it needs

8. 2001 USA Patriot Act n Introduced less than a week after September 11 n Key provisions often have a point, but maybe went too far n 4 year sunset for many surveillance provisions and what to do next

9. Emergency orders n Before, imminent threat of serious harm to get wiretap before a court order n Now, for any ongoing computer attack, or else ability to trace back may be lost n For anything affecting a national security interest n Are these too broad?

10. Roving taps n Old days, order for each phone n What if suspect buys a dozen disposable cell phones? Uses someone elses computer? n But, how far can the order rove? Anyone in the public library? n Problem -- less of a suppression remedy for email and web use

11. Nationwide trap and trace n Old days, serve order on ATT and it was effective nationwide n Today, e-mail may travel through a half- dozen providers, have needed that many court orders n New law -- one order effective nationwide n Query -- order from a judge in Idaho, served late at night, how do you challenge that?

12. Computer trespasser exception n Previous law: – ISP can monitor its own system – ISP can give evidence of yesterdays attack – ISP cannot invite law enforcement in to catch the burglars n Problem for: – DOD and many hack attacks – Small system owners who need help

13. Computer trespasser proposal n Law enforcement can surf behind if: – Targets person who accesses a computer without authorization – System owner consents – Lawful investigation – Law enforcement reasonably believes that the information will be relevant – Interception does not acquire communications other than those transmitted to or from the trespasser

14. Computer trespasser n Issues of concern: – Never a hearing in Congress on it – No time limit on each use – No reporting requirement – FBI can ask the ISP to invite it in, and then camp at ISP permanently – Limited suppression remedy if go outside permitted scope

15. II. Security & Privacy After 9/11 n Less tolerance for hackers and other unauthorized use n Cyber-security and the need to protect critical infrastructures such as payments system, electricity grid, & telephone system n Greater tolerance for surveillance, which many people believe is justified by greater risks

16. Security vs. Privacy n Security sometimes means greater surveillance, information gathering, & information sharing n USA Patriot increases surveillance powers n Computer trespasser exception n Moral suasion to report possible terrorists

17. Security and Privacy n Good data handling practices become more important -- good security protects information against unauthorized use n Audit trails, accounting become more obviously desirable -- helps fight sloppy privacy practices n Part of system upgrade for security will be system upgrade for other requirements, such as privacy

18. In Conclusion n USA Patriot has 4 year sunset of many of the surveillance provisions n Imagine an architecture that meets legitimate security needs and also respects privacy n Need accountability to ensure the new powers are used wisely n Our homework -- how to do that wisely

19. Contact Information n Professor Peter P. Swire n phone: (301) 213-9587 n email: pswire@law.gwu.edu n web: www.osu.edu/units/law/swire.htm