Last updated October 27, 2003
On October 26, 2001, President Bush signed the USA PATRIOT Act (PATRIOT) into law. PATRIOT gave sweeping new powers to both domestic law enforcement and international intelligence agencies and eliminated the checks and balances that previously gave courts the opportunity to ensure that such powers were not abused. Most of these checks and balances were put into place after previous misuse of surveillance powers by these agencies were uncovered including the revelation in 1974 that the FBI and foreign intelligence agencies had spied on over 10,000 U.S. citizens, including Martin Luther King.
The bill is 342 pages long and makes changes, some large and some small, to over 15 different statutes. This document provides explanation and some analysis to the sections of the bill relating to online activities and surveillance. Other sections, including those devoted to money laundering, immigration and providing for the victims of terrorism, are not discussed here.
Yet even just considering the surveillance and online provisions of PATRIOT, it is a large and complex law that had over four different names and several versions in the five weeks between the introduction of its first predecessor and its final passage into law. While containing some sections that seem appropriate -- providing for victims of the September 11 attacks, increasing translation facilities and increasing forensic cybercrime capabilities -- it seems clear that the vast majority of the sections included were not carefully studied by Congress, nor was sufficient time taken to debate it or to hear testimony from experts outside of law enforcement in the fields where it makes major changes. This concern is amplified because several of the key procedural processes applicable to any other proposed laws, including inter-agency review, the normal committee and hearing processes and thorough voting, were suspended for this bill.
The civil liberties of ordinary Americans have taken a tremendous blow with this law, especially the right to privacy in our online communications and activities. Yet there is no evidence that our previous civil liberties posed a barrier to the effective tracking or prosecution of terrorists. In fact, in asking for these broad new powers, the government made no showing that the previous powers of law enforcement and intelligence agencies to spy on U.S. citizens were insufficient to allow them to investigate and prosecute acts of terrorism. The process leading to the passage of the bill did little to ease these concerns. To the contrary, they are amplified by the inclusion of so many provisions that, instead of being aimed at terrorism, are aimed at nonviolent, domestic crime. In addition, although many of the provisions facially appear aimed at terrorism, the Government made no showing that the reasons they failed to detect the planning of the recent attacks or any other terrorist attacks were the civil liberties compromised with the passage of PATRIOT.
The EFF's chief concerns with PATRIOT include:
The EFF urges the following:
U.S. law has provided four basic mechanisms for surveillance on people living in the United States: interception orders authorizing the interception of communications; search warrants authorizing the search of physical premises and seizure of tangible things like books or other evidence; "pen register" and "trap-and-trace device" orders (pen/trap orders), which authorize the collection of telephone numbers dialed to and from a particular communications device; and subpoenas compelling the production of tangible things, including records. Each mechanism has its own proof standards and procedures based on the Constitution, statutes, or both.
U.S. law also provides two separate "tracks" with differing proof standards and procedures for each of these mechanisms depending upon whether surveillance is done by domestic law enforcement or foreign intelligence. All of these have been expanded by PATRIOT.
For instance, when surveillance is conducted for domestic law enforcement purposes, the probable cause standard of the Fourth Amendment applies to interception orders and search warrants. But a court order compelling an ISP to produce e-mail logs and addresses of past e-mail correspondents uses a lower standard: the government must show specific and articulable facts showing reasonable grounds to believe that the records are relevant and material to an ongoing criminal investigation. A pen/trap order uses an even lower standard: the government need only tell the court that the surveillance is relevant to a criminal investigation. The standard for subpoenas is also very low.
Where foreign intelligence surveillance is concerned, however, the standard of proof and procedures for each mechanism has been different. One key difference is that foreign intelligence surveillance is not based on the concept of criminality. Under the Foreign Intelligence Surveillance Act (FISA), the key issue is whether the intended surveillance target is an "agent of a foreign power" or a "foreign power." Only if the target is a U.S. citizen or permanent resident alien must the government show probable cause of criminality.
Second, FISA allows a secret court to authorize U.S. intelligence agencies to conduct surveillance using each of the four basic mechanisms listed above. For instance, FISA interception orders involving U.S. persons are issued by the secret court based on an application from the Attorney General stating reasons to believe that the surveillance target is an agent of a foreign power or a foreign power, certifying that "the purpose" of the surveillance is to gather foreign intelligence information, and several other facts and representations. The secret court's role here, however, is quite limited: it is not supposed to "second-guess" the government's certifications or representations. (Unsurprisingly, the secret FISA court has only denied one application in its over twenty-year existence.) Moreover, unlike ordinary interception orders, FISA does not require reports to the court about what the surveillance found; no reports of what is being sought or what information is retrieved are ever available to the public. Thus, the secret court's only practical accountability is in a district court when a surveillance target is prosecuted and seeks to suppress the fruits of FISA surveillance.
FISA's requirements are even weaker if the electronic surveillance is directed solely at means of communications used exclusively between or among foreign powers and when it is unlikely that communications to which a U.S. person is a party will be intercepted; in such cases, surveillance may proceed for up to a year without a court order.
Immediately after the September 11 attacks, electronic surveillance was conducted pursuant to FISA orders. There have been no reports that the limitations of FISA power posed any problems for the government.
|Domestic Law Enforcement||Foreign Intelligence Surveillance|
|1. Intercept Orders.
Title III (named after the relevant section of the original legislation, the Omnibus Crime Control and Safe Streets Act of 1968) surveillance is a traditional wiretap that allows the police to bug rooms, listen to telephone conversations, or get content of electronic communications in real time.
(Courts do not treat unopened e-mail at ISPs as real-time communications.)
1. FISA Intercept Orders.
Pen/Trap surveillance was based upon the physical wiring of the telephone system. It allowed law enforcement to obtain the telephone numbers of all calls made to or from a specific phone.
Prior to PATRIOT there had been debate about how this authority is to be applied in the Internet context.
2. FISA Pen/Trap.
Previous FISA pen/trap law required not only showing of relevance but also showing that the communications device had been used to contact an "agent of a foreign power."
While this exceeds the showing under the ordinary pen/trap statute, such a showing had the function of protecting U.S. persons against FISA pen/trap surveillance.
|3. Physical search warrants
Judicial finding of probable cause of criminality; return on warrant.
Previously, agents were required at the time of the search or soon thereafter to notify person whose premises were searched that search occurred, usually by leaving copy of warrant.
PATRIOT makes it easier to obtain surreptitious or "sneak-and-peek" warrants under which notice can be delayed.
|3. FISA Physical search warrants
See FISA 50 USC §1822. PATRIOT extends duration of physical searches.
Under previous FISA, Attorney General (without court order) could authorize physical searches for up to one year of premises used exclusively by a foreign power if unlikely that U.S. person will be searched; minimization required. A.G. could authorize such searches up to 45 days after judicial finding of probable cause that U.S. target is or is an agent of a foreign power; minimization required, and investigation may not be based solely on First Amendment-protected activities.
|4. Subpoenas for stored information.
Many statutes authorize subpoenas; grand juries may issue subpoenas as well. EFF's main concern here has been for stored electronic information, including e-mail communications and subscriber or transactional records held by ISPs. Subpoenas in this area are governed by the Electronic Communications Privacy Act (ECPA).
|4. FISA subpoenas
Previously, FISA authorized collection of business records in very limited situations, mainly records relating to common carriers, vehicles or travel, and only via court order.
PATRIOT permits any "tangible things," including business records, to be obtained via a subpoena.
PATRIOT removes many of the checks and balances that prevented both police and the foreign intelligence agencies from improperly conducting surveillance on U.S. citizens who are not involved in criminal or terrorist activity. For Internet users, it opens the door for widespread surveillance of web surfing, e-mails and peer-to-peer systems. In addition, the protections against the misuse of these authorities -- by the foreign intelligence agencies to spy on U.S. citizens and by law enforcement to use foreign intelligence authority to exceed their domestic surveillance authority -- have been greatly reduced.
Wiretaps (for telephone conversations) can only be issued for certain crimes listed in 18 USC §2516. PATRIOT adds to this list. This restriction has never applied to interception of electronic communications.
PATRIOT §201 adds terrorism offenses, which is probably redundant since the list already included most if not all terrorist acts -- e.g., murder, hijacking, kidnapping, etc.
PATRIOT §202 adds felony violations of the CFAA (see below for discussion of changes to CFAA).
PATRIOT §209 allows police to get voicemail and other stored wire communications without an intercept order; now, only a search warrant needed.
Computer trespassers, see below.
In general, search warrants must be obtained within a judicial district for searches in that district. Fed.R.Crim.Pro. 41. PATRIOT relaxes this rule. PATRIOT §219 adds terrorist investigations to the list of situations where single-jurisdiction search warrants may be issued. PATRIOT also allows issuance in any district in which activities related to terrorism may have occurred for search of property or person within or outside the district. §220. Once a judge somewhere approves a warrant for seizing unopened e-mail less than 180 days old, that order can be served on any ISP or telecommunications company nationwide, without any need that the particular service provider be identified in the warrant.
PATRIOT §213 allows delayed notification of a search for "a reasonable period" that can be "extended for good cause shown" to a court for any wire or electronic communication or tangible property. This is problematic because notice to a searched person is a key component of Fourth Amendment reasonableness.
Pen/trap orders are issued by a court under a very low standard; PATRIOT does not change this standard. PATRIOT instead expands the reach of pen/trap orders to the Internet.
PATRIOT §216 modifies 18 USC §3121(c) to expressly include routing and addressing information, thus expressly including e-mail and electronic communications. "Contents" of communications are excluded, but there remain serious questions about the treatment of Web "addresses" and other URLs that identify particular content.
Pen/trap orders can now apply even to those not named in an order (nationwide). Previously, pen/trap orders were limited by a court's jurisdiction, so they had to be installed within the judicial district. Now, a court shall enter an ex parte order authorizing use anywhere within the U.S. if that court has jurisdiction over crime being investigated and the attorney for the U.S. Government has certified that information "likely to be obtained" is "relevant to an ongoing criminal investigation." The order applies to any provider "whose assistance may facilitate the execution of the order, " whether or not within the jurisdiction of the issuing court. But if the entity is not named, it may require that the U.S. attorney provide written or electronic certification that the order applies to the person or entity being served.
If a government agency uses its own technology (e.g., Carnivore) to conduct pen/trap surveillance, then an "audit trail" is required, e.g., 30 day report back to court. There is no mandate that the served entity's equipment facilitate the surveillance. §222 (prevents CALEA application here).
PATRIOT §210 expands the records that can be sought without a court order to include: records of session times and durations, temporarily assigned network addresses, and means and source of payments, including any credit card or bank account number.
PATRIOT §212 expands "emergency" voluntary disclosure to government of both content and customer records if there is reason to believe that there exists immediate danger of death or serious physical injury (The Homeland Security Act further expanded this exception for cases where there is a good faith basis to believe the same).
Previously, the Cable Act had mandated strong privacy protection for customer records of cable providers; PATRIOT overrides these protections for customer records related to telecommunications services. This is not a major change because several courts have already held that these privacy protections don't apply for telecommunications services.
Because foreign intelligence surveillance does not require probable cause of criminality and because of the fear that foreign intelligence surveillance aimed at foreign agents would violate the rights of U.S. persons, the law has tried to keep foreign intelligence surveillance (including evidence gained therefrom) separate from law enforcement investigations. PATRIOT greatly blurs the line of separation between the two.
Under PATRIOT §218, foreign intelligence gathering now only needs to be "a significant purpose" rather than "the purpose" of FISA surveillance (edits to 50 USC §1804(a)(7)(b), and 1823 (a)(7)(B)). The FISA court only looks to see that the required certifications are present in the application and are not "clearly erroneous". Courts have said that it is not their function to "second guess" the certifications.
PATRIOT §203(a) amends Federal Rule of Criminal Procedure 6 so that grand jury information can now be disclosed to intelligence services when "matters involve foreign intelligence or counterintelligence per 50 USC §401a or foreign intelligence information" (defined below).
This is a new category of information that can be disclosed to foreign intelligence agents. It includes any information, whether or not concerning a U.S. person, that "relates" to the ability of the U.S. to protect against an actual or potential attack, sabotage or international terrorism or clandestine intelligence activities, as well as any information, whether or not concerning a U.S. Person, that "relates" to the national defense or security or the conduct of foreign affairs.
PATRIOT §203(b) amends 18 USC §2517, allowing disclosure of the contents of wiretaps or evidence derived therefrom to any other government official, including intelligence, national defense and national security, "to the extent such contents include foreign intelligence or counterintelligence or foreign intelligence information" (defined above).
Notwithstanding other law, PATRIOT §203(d) makes it lawful for foreign intelligence or counterintelligence or foreign intelligence information (see definition above) to be disclosed to anyone to assist in performance of official duties. PATRIOT §504 also authorizes general coordination between law enforcement and FISA surveillance.
PATRIOT §206 amends 50 USC §1805. FISA court now may authorize intercepts on any phones or computers that the target may use. The foreign intelligence authorities can require anyone to help them wiretap. Previously they could only serve such orders on common carriers, landlords, or other specified persons. Now they can serve them on anyone and the Order does not have to specify the name of the person required to assist. Such roving wiretap authority raises serious Fourth Amendment problems because it relaxes the "particularity" requirements of the Warrant Clause. Such authority already exists under Title III.
PATRIOT §207 increases the duration of FISA intercept orders, amending 50 USC §1805(e)(1) to increase the duration of surveillance on agents of a foreign power (not U.S. persons) from 90 to 120 days.
PATRIOT §207 extends the time period during which a FISA search warrant may be used, amending 50 USC §1824(d) to increase the period for judicially authorized physical searches a) to 90 days (up from 45), or b) if agent of a foreign power (employee or member of a foreign power but not U.S. persons), to 120 days.
PATRIOT §214 amends 50 USC 1842 and 1843 (emergency) to allow pen/trap orders when they are concerning foreign intelligence information and:
PATRIOT grants broad authority for compelling business records. Under previous law, only records of common carriers, public accommodation facilities, physical storage facilities and vehicle rental facilities could be obtained with a court order.
PATRIOT §215 amends 50 USC §1862 to allow application to the FISA court for an order to compel the production of any business record or tangible thing from anyone for any investigation to protect against international terrorism or clandestine intelligence activities (but cannot investigate a U.S. person solely for First Amendment activities).
PATRIOT §217 changes 18 USC §2510, adding another area where any government employee, not just law enforcement, may conduct content surveillance of U.S. persons. This is when a computer owner and operator "authorizes" surveillance and a law enforcement agent "has reasonable grounds to believe contents of communication will be relevant" to investigating computer trespass and does not acquire anyone else's communications. This section authorizes interception of messages suspected of being sent through a computer without "authorization."
PATRIOT §223. This provision provides a small bit of relief for those who discover that law enforcement or the foreign intelligence authorities have disclosed information about them improperly.
PATRIOT §§507-8 amends 20 USC §1232g:
PATRIOT §505 authorizes issuance of “National Security Letters," administrative subpoenas for certain phone billing records, bank records, credit records on the same showing as for FISA pen/trap (but no court order).
The EFF is deeply dismayed to see that the Attorney General seized upon the legitimate Congressional concern following the September 11, 2001 attacks to pad PATRIOT with provisions that have at most a tangential relationship to preventing terrorism. Instead, these provisions appear targeted at low and mid-level computer defacement and damage cases which, although clearly criminal, are by no means terrorist offenses and have no business being included in the Act.
The CFAA provides for civil and criminal liability for acts exceeding the "authority" to access or use a computer connected to the Internet. It is used to prosecute those engaging in computer graffiti, website defacement and more serious computer intrusion and damage. It has also been applied in civil cases to spammers and those sending unwanted bots to gather information from the websites of others. PATRIOT makes several changes to this law, none of which seems aimed at preventing or prosecuting terrorist offenses -- which are separately defined and already include the use of computers to commit terrorism. An earlier version of the bill would have made many violations of the statute "terrorist" offenses. After outcry from EFF members and many others, most (but not all, see below) of the offenses under §1030 were removed from the "terrorist" definition. However, the penalties and scope of §1030 were instead greatly expanded. The changes include:
"Loss" under the statute now expressly includes time spent responding and assessing damage, restoring data, program, system or information, any revenue lost, cost incurred or other consequential damages. §814.
As far as the investigation has revealed so far, computer crime played no role in the September 11, 2001 attacks or in any previous terrorist attacks suffered by the United States. Computer crime, especially when it results in danger to lives, is a serious offense, but PATRIOT adds it to the list of "terrorist offenses." Although it is obviously possible that a computer crime in the future could be part of a terrorist offense, the definition of "terrorism" already includes murder, hijacking, kidnapping and similar crimes that would be the result of a "cyber-terrorist" attack. Yet without explanation, early versions of PATRIOT included even low-level computer intrusion and web defacement as "terrorist offenses." The final bill was not so draconian, but still includes the following (among others unrelated to computer crime) as "terrorist offenses" under 18 USC §2332b(g)(5)(B):
Previously, 2339A included "training"; statute requires "knowing or intending that they [material support or resources] are to be used in preparation for, or in carrying out, a violation . . .. [of, inter alia, 2332b]" -- so this requires knowing or intentional facilitation.
Under 2339A a facilitator may be culpable whether or not the underlying offense is committed; also, scienter does not require "specific intent to commit the underlying action," but only knowledge that material support or resources "are to be used" for a specified offense -- however, normally this is interpreted to mean that the facilitator be "aware that that result is practically certain to follow from his conduct.'" If a facilitator was virtually certain that particular recipients would in fact use the provided resources to commit a terrorist crime, it would be immaterial whether the facilitator knew precisely when or where the criminal conduct would occur.
Under PATRIOT §224, several of the surveillance portions of PATRIOT will expire on December 31, 2005.
The EFF is pleased that at least some of the more severe changes in the surveillance of U.S. persons contained in PATRIOT will expire on December 31, 2005 unless renewed by Congress. We are concerned, however, that there is no way for Congress to review how several of these key provisions have been implemented, since there is no reporting requirement to Congress about them and no requirements of reporting even to a judge about several others. Without the necessary information about how these broad new powers have been used, Congress will be unable to evaluate whether they have been needed and how they have been used in order to make an informed decision about whether and how they should continue or whether they should be allowed to expire without renewal.