USA PATRIOT Act and you, Part 2

In this short series of articles, I am looking at some of the implications of the “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001” (USA PATRIOT Act, or USAPA) for network administrators.

Following along the analysis I began summarizing in the previous article, the Electronic Privacy Information Center (EPIC) notes several other changes in existing laws that I believe will affect how network administrators have to comply with demands for wiretaps.

One change that may please many network administrators is that suspected violations of the Computer Fraud and Abuse law can now be used as a basis for obtaining a wiretap under Title III. It may be easier now to get rapid response to a report of intentional unauthorized access to any federal-interest computer in the U.S. (i.e., to any system owned or used by government departments or agencies, financial institutions, credit-reporting agencies or by some contractors working under contract for such entities).

USAPA amends existing laws to permit access to stored voice-mail “through a search warrant rather than through more stringent wiretap orders,” EPIC says. Sections 216 and 220 allow surveillance to be extended throughout the United States instead of being limited to a narrow geographic court jurisdiction. This provision will certainly aid law enforcement agencies (LEA) in carrying out their investigations on the highly mobile and interconnected population of suspects, but it has implications for network administrators too. Heretofore, an organization that objected to the terms of a wiretap or other surveillance order would have to appear in a relatively local court to present its case; now, the court may be on the other side of the country.

In cases of problematic justification for court orders, organizations will have to weigh the value of protecting employee and customer privacy against the time and money costs of travel and legal representation in other jurisdictions. Remember too that corporate attorneys may not be licensed to practice in distant jurisdictions, leading to additional costs for local attorneys.

One of the most controversial changes authorized by the USAPA is in section 213, where LEAs are authorized to delay notification of their search and seizure procedures. In addition, when the FBI demands records (or any other “tangible things”) under court order, section 215 includes language that specifically forbids anyone involved in producing those things from revealing the fact that they were demanded and supplied. This rule must be incorporated into the procedures to be followed by network administration personnel to avoid inadvertently breaking the law when complying with FBI requests under these statutes.

Some librarians and bookstore owners have been infuriated by this gag order and have taken to posting signs in their facilities that read, “The FBI has not yet demanded records about any of our members’ / customers’ reading habits. Watch for disappearance of this sign.” It remains to be seen whether such measures will be tolerated by the courts.

In summary, the USAPA has wrought significant changes in the laws of surveillance, search and seizure in the U.S., and network administrators should be working with their corporate counsel right now to adapt corporate policies to ensure full compliance with these changes. It would be irresponsible to break the law by inadvertence through ignorance of our responsibilities.

The question of whether the USAPA should be renewed after its sunset date of Dec. 31, 2005, is left to the individual reader.