Executive Summary
On July 15, 2002, the House of Representative passed the Cyber Security Enhancement Act in a vote of 385 to 3. The bill:
1. Reduces the amount of privacy in stored communication. CSEA would allow an ISP to disclose private information to government agent, not just law enforcement officials, if the ISP has a “good faith” belief that the information concerns a serious crime.
2. Authorizes life sentences for individuals who knowingly or recklessly commit a computer crime that results in death. Authorizes 20-year sentences for individuals who knowingly or recklessly commit a computer crime that results in serious bodily injury.
3. Increases penalties for first-time interceptors of cellular phone traffic to five years in prison and a larger fine. This eliminates a “safe harbor” that radio hobbyists had traditionally enjoyed.
Section-by-section analysis of Title I of H.R. 3482 "The Cyber Security Enhancement Act of 2002" (CSEA)
§ 101, 101A: amends sentencing guidelines for some computer crimes
This section directs the U.S. Sentencing Commission to amend sentencing guidelines related to the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. In general, EFF does not object to considering these factors, but the real question is whether the factors are properly balanced in the resultant guidelines.
§ 102: emergency disclosure exception
This exception would dramatically reduce privacy in stored e-mail and voicemail contents.
Background: Prior to September 11, the federal Electronic Communication Privacy Act (ECPA) had generally prohibited those who provide electronic communication service to the public from knowingly divulging the contents of stored customer communications (e.g., voicemail, e-mail and attachments ). For instance, the government normally needed a search warrant, which requires a judicial determination of probable cause, to obtain the contents of e-mail that had been stored for under 181 days. 18 U.S.C. § 2703(a). Less stringent procedures were and are available for older e-mail. 18 U.S.C. § 2703(b).
After 9/11: The USA-PATRIOT Act (USAPA) created an “emergency disclosure” exception to ECPA’s disclosure prohibition. Under current law, a service provider may disclose such contents “to a law enforcement agency . . . (C) if the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of the information without delay.” 18 U.S.C. § 2702(b)(6)(C).
EFF, along with many other civil liberties groups, objected to this exception on several grounds. Most important, because such disclosure of communications contents bypasses the search warrant requirement, no judge reviews the underlying facts before the contents are disclosed to law enforcement. Is there an “emergency”? Does it involve “immediate danger of death or serious physical injury”? Does the situation “require disclosure without delay”?
None of these phrases are defined, and no judge decides whether the facts meet the legal standards. As the U.S. Supreme Court has said, a search warrant “provides the detached scrutiny of a neutral magistrate, which is a more reliable safeguard against improper searches than the hurried judgment of a law enforcement officer ‘engaged in the often competitive enterprise of ferreting out crime.’” United States v. Chadwick, 433 U.S. 1, 9 (1977) (quoting Johnson v. United States, 333 U.S. 10, 14 (1948)).
Furthermore, there is less accountability whenever communications contents are disclosed without a warrant, because in general, notice must, within a reasonable time, be given to the target of a search warrant. 18 U.S.C. § 3103a. This notice provision simply does not apply to these “emergency disclosures.”
Finally, the Administration never presented any evidence to Congress that the exception was necessary. If there really is an emergency presenting “immediate danger of death or serious physical injury,” the police should have little difficulty in making the factual showing of probable cause needed for a search warrant. The major value of this exception, then, is to authorize searches on less than probable cause and without a neutral judicial determination.
Anecdotal evidence indicates that law enforcement has been contacting ISPs and telling them about emergency situations in order to obtain communication contents without a warrant, and that ISPs have been less concerned about their customers’ privacy than before September 11. Accordingly, law enforcement now has a strong practical incentive to claim that there is an emergency in order to get e-mail or voicemail contents without applying to a judge for a search warrant.
What CSEA would do: Under CSEA, this “emergency disclosure” exception would be greatly expanded. The new exception, which would replace the language quoted above, permits providers to disclose such contents:
“to a Federal, State, or local governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency.” In simple terms, the new CSEA language expands the current USAPA language in three ways.
1. Most important, disclosure is no longer limited to law enforcement agencies. Public schools, public libraries, health departments, social services departments, the IRS or the local tax assessor -- if a governmental entity can persuade your ISP that there is an emergency, it can get your e-mail or voicemail.
2. Disclosure is no longer subject to a “reasonable belief” standard, which in the law usually means that the belief is objectively jfied on the facts. Instead, communication service providers need only have a “good-faith” belief, which probably means a subjective belief. EFF expects that “good faith” would probably allow providers to rely on government assertions of an emergency even if no facts were presented; ISPs today, especially small “mom-and-pop” ISPs, would likely be reluctant to reject a request if the government said that it could not reveal the basis for its belief. On the other hand, “good faith” probably would not exist if the provider knew or should have known that there was no emergency or danger to life or limb or if the request for disclosure was an obvious fishing expedition.
3. The “emergency” no longer must involve “immediate” danger to life or limb; it need only involve “danger” to life or limb at some indefinite time.
The only accountability safeguard is that government entities that receive such disclosures must file a report to the U.S. Attorney General within 90 days stating the “subparagraph under which the disclosure was made, the date of the disclosure, the entity to which the disclosure was made, the number of customers or subscribers to whom the information disclosed pertained, and the number of communications, if any, that were disclosed.” The Attorney General then must aggregate this data and submit a report to Congress “one year after enactment of the bill.” This provision (§ 102(b)) does not provide for any additional reports to Congress.
§ 103: new “good faith” exception
This exception creates additional incentives for communication service providers to use the “computer trespasser” exception created by USAPA.
Background: ECPA generally prohibits anyone from intercepting wire or electronic communications. An exception had permitted computer owners to monitor the activity on their machines to protect their rights and property. Thus, if an ISP learned that it was under attack, it could intercept the attacker’s communications without violating the law.
After 9/11: USAPA defined “computer trespasser” as “a person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through, or from the protected computer.” It “does not include a person known by the owner or operator of the protected computer to have an existing contractual relationship with the owner or operator of the protected computer for access to all or part of the protected computer.” 18 U.S.C. § 2510(21).
Under USAPA’s “computer trespasser” exception, the owner or operator of a computer may authorize any person “acting under color of law” to intercept the communications of a person believed to be a computer trespasser. The person authorized to so intercept must "have reasonable grounds to believe that the contents of the computer trespasser’s communication will be relevant" to a lawful investigation, and must only intercept communications to or from the alleged computer trespasser.
EFF criticized the computer trespasser exception on several grounds. First, the Administration presented no evidence that the exception was necessary or that the lack of the exception had interfered with law enforcement. Second, because the exception bypasses the judicial warrant-issuing process, it creates the same problems as noted above for the emergency disclosure exception. In both cases, a judge no longer must authorize in advance the interception of communications.
What CSEA would do: § 103 provides that the owner or operator of the computer (who authorizes the interception) is immune from civil or criminal liability if it has a “good faith” reliance on “a good faith determination” that the exception applies, increasing the likelihood that the exception will be used to circumvent the warrant process.
§ 104: electronic advertising of interception equipment
Background: ECPA has long prohibited persons from manufacturing, distributing, possessing or advertising a device “knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications.” 18 U.S.C. §2512 (in interstate or foreign commerce). The advertising prohibition, however, refers only to “any newspaper, magazine, handbill, or other publication.” 18 U.S.C. §2512(1)(c).
What CSEA would do: § 104 would make two changes to the advertising prohibition. It would add “or disseminates by electronic means” after “or other publication.” And it would specify that the advertiser must “know“ the content of the advertisement.” The former change may be unnecessary given that the term “publication” easily could encompass electronic publication. The latter change is a useful clarification.
§ 105: increasing computer crime penalties (18 USC §1030(c))
Background: The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030, is the federal computer crime law. For instance, the CFAA made it unlawful to “knowingly cause[] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.” 18 U.S.C. §1030(a)(5)(A) (1999) (now § 1030(a)(5)(A)(i)). Prior to September 11, first-time offenders who violated this provision could be punished by no more than five years’ imprisonment, while repeat offenders could receive up to 10 years. It contained no specific provision for computer crime that caused or was intended to cause serious bodily injury or death.
After 9/11: USAPA made many changes to the CFAA, including increasing maximum prison terms for offenders who damage protected computers from five to 10 years for first offenders, and from 10 to 20 years for repeat offenders. § 1030(c)(4). It did not add any specific provisions for computer crime that caused or was intended to cause serious bodily injury or death.
What CSEA would do: § 105 adds new penalty provisions for violations of § 1030(a)(5)(A)(i) involving serious bodily injury or death. It would impose fines and potential life sentences for offenders who either knowingly or recklessly cause or attempt to cause death to any person. It also provides for fines and prison terms up to 20 years for offenders who knowingly or recklessly cause or attempt to cause serious bodily injury.
EFF believes that it is appropriate to punish severely those who intend to cause serious bodily injury or death, but it is not clear that these terms are appropriate for merely reckless conduct under § 1030(a)(5)(A)(i).
§ 106: provider assistance
Background: ECPA has long provided that communication service providers who assist the government in communications surveillance or by disclosing information are immune from liability. 18 U.S.C. §2703(e) (providing “information, facilities, or assistance in accordance with the terms of a court order, warrant, subpoena, or certification”); 18 U.S.C. §2511(2)(a)(ii) (“court order directing such assistance” and “certification in writing” by specified officials).
After 9/11: Neither of these sections was changed by USAPA.
What CSEA would do: § 106 would adds “statutory authorization” to both of these sections, allowing any government entity to rely on statutory authority alone (such as CSEA §106’s “emergency disclosure” exception) to compel disclosure of information or assistance in communications interception. While the scope of this change is not entirely clear, it definitely creates a new way for government to obtain information or communications contents without judicial oversight.
§ 107: emergency pen-trap authority
Background: In general, no one may use a pen register or trap-and-trace device (http://www.eff.org/sc/eff_wiretap_bill_analysis.html) without a court order. 18 U.S.C. §3121(a); but see 18 U.S.C. §3121(b) (limited exception for service providers). In an emergency, designated law enforcement officials may use pen/trap devices without a court order, but must apply for a court order within 48 hours of the installation and meet other conditions. 18 U.S.C. §3125. An emergency is defined as a situation involving: “immediate danger of death or serious bodily injury to any person”; “conspiratorial activities characteristic of organized crime,” when a court order cannot be obtained before the pen/trap device must be used. 18 U.S.C. §3125(a)(1)(A), (B). Although the designated law enforcement officials must have “reasonable” grounds to believe that an emergency exists and that a court order should be entered, there is no provision for excluding information gained by emergency pen/trap surveillance if the standard is not met.
After 9/11: USAPA did not change the emergency provision. It did, however, expressly expand the scope of pen/trap authority to include the Internet and the use by the government of packet-sniffing technologies like Carnivore.
What CSEA would do: §107 would expand the definition of emergency to include: “(C) an immediate threat to a national security interest; or (D) an ongoing attack on a protected computer (as defined in section 1030 [CFAA]) that constitutes a crime punishable by a term of imprisonment greater than one year.”
These changes are both vague and broad. In particular, there is no definition of “immediate threat to a national security interest,” and it should be expected that the government will read “national security interest” broadly. Nor is “ongoing attack” defined, and many CFAA violations are punishable by a prison term of more than one year. Given that the legal standard for obtaining a pen/trap order is hardly more than a rubber stamp, that there is no exclusion of improperly gained evidence, and that the government is now clearly empowered to use Carnivore, this provision is likely to encourage claims of a national security emergency. To counterbalance this likely effect, the provision should at least require a showing of such exigency that a court order cannot be obtained.
§ 108: “protecting privacy”
This section would make several changes to surveillance law. §108(a) would eliminate 18 U.S.C. §2511(4)(b), which serves as a “safe harbor” for radio hobbyists. §108(b) would amend 18 U.S.C. §2701(b), increasing penalties for unauthorized access to electronic communication service facilities. §108(c) would amend 18 U.S.C. §3105, which governs the procedure for executing search warrants. USAPA did not change any of these sections.
Background, § 108(a): It is generally unlawful to intentionally intercept wire and electronic communications, or to use or disclose communications contents known to have been intercepted. 18 U.S.C. §2511(1). Violations are subject to fines and up to five years in prison. 18 U.S.C. §2511(4)(a).
Many types of wire and electronic communications, however, like cellular telephone or pager communications, travel through the air without encryption and are therefore easily accessed using ordinary radio equipment. 18 U.S.C. §2511(4)(b) operates as a “safe harbor” for radio hobbyists by providing much lower penalties (no more than one year in prison, and thus not a federal felony) for (1) first-time offenses of intentionally intercepting (2) certain unprotected radio communications that are “not scrambled, encrypted, or transmitted using modulation techniques the essential parameters of which have been withheld from the public with the intention of preserving the privacy of such communication” (3) if not for a tortious or illegal purpose or for purposes of commercial advantage or private financial gain.
For instance, when a Florida couple, the Martins, used a police scanner in their car and intercepted a cellular phone conversation between former House Speaker Newt Gingrich and other congressmen, they were charged with misdemeanor unlawful interception under 18 U.S.C. §2511(4)(b)(ii) and, after pleading guilty, were each fined $500. The Justice Department stated publicly that stiffer prosecution was unwarranted because the couple had no commercial purpose.
What CSEA would do: By eliminating 18 U.S.C. §2511(4)(b), simply intentionally tuning a common scanner to cordless phone frequencies could be prosecuted as a felony. Unlawful interception of the sort engaged in by the Martins would be a felony, and they would be subject to imprisonment for up to five years. Radio hobbyists should take serious note of this change.
Background, § 108(b): Under current law, it is unlawful to intentionally access electronic communication service facilities (e.g., ISPs) without or in excess of authorization. 18 U.S.C. §2701(b). If the unlawful access is for purposes of commercial advantage, private financial gain, or malicious damage, first-time offenders may be fined or subject to imprisonment for up to one year, while repeat offenders may be imprisoned for up to two years. 18 U.S.C. §2701(b)(1). If the unlawful access is not for any of these disfavored purposes, then the offender may be fined or subject to imprisonment for up to six months. 18 U.S.C. §2701(b)(2).
What CSEA would do: §108(b) would change the law in two ways. First, it would increase each of these penalties. The (b)(1) prison terms would be increased five-fold, from one and two years to five and 10 years. The (b)(2) prison term would be one year for a first offense and five years for subsequent offenses. Second, the list of disfavored purposes would be expanded to include unlawful access in furtherance of any criminal or tortious act that violated any law.
Background, §108(c): Existing law (18 U.S.C. §3105) provides that an authorized officer must be present and acting in executing a search warrant when a third party assists in a search. This statute is intended to ensure that a law enforcement officer supervises the execution of a search warrant. See United States v. Bach, No. CRIM.01-221 PAM/ESS (D. Minn. Dec. 14, 2001) (suppressing evidence because a law enforcement officer was not present when a warrant for ISP information was executed).
What CSEA would do: §108(c) would statutorily overrule the holding in Bach by amending 18 U.S.C. §3105 so as not to require an officer’s presence in the execution of a search warrant for customer or subscriber records or stored communication contents held by an ISP.