THE CYBER SECURITY ENHANCEMENT ACT'S "GOOD FAITH DISCLOSURE" EXCEPTION:

By ANITA RAMASASTRY

Thursday, Mar. 28, 2002
In mid-February, the House Judiciary Subcommittee on Crime held hearings on the Cyber Security Enhancement Act of 2001 (CSEA) - which includes many provisions designed to improve the federal government's ability to protect national infrastructure and computer systems. The Act was referred to the full Judiciary Committee on February 26.
The House should not allow the bill to become law without an important amendment. Although the Act's protections are valuable, it gives government agencies much broader authority than currently exists to obtain a citizen's email or electronic communications, and does so in a way that is far too destructive to individual privacy.
If the Act is passed in its current form, agencies will have the authority to obtain email or electronic communications without even having to establish "probable cause" that a crime has occurred or is about to occur.
Moreover, this authority will not be restricted to law enforcement agencies, but will belong to all government agencies - federal, state and local, and perhaps even foreign. A high school principal, tax assessor, or a local public utility might be able to request sensitive customer data from an Internet Service Provider.
This is a huge, and potentially destructive, change. Previously, ISPs could turn over sensitive customer data to law enforcement only.
Amidst Fears, Insufficient Concern for Individual Privacy
Since September 11, the federal government has rightly grown increasingly concerned about possible threats to public safety and national security that could be caused by hacking and other types of computer crime. In order to thwart possible threats to our safety, the government has increased its ability to gather evidence through the use of powerful computer and communications technology - through the USA Patriot Act, and now through the CSEA.
Just as we have tended to cast a broad net with our surveillance and law enforcement techniques in the physical world after September 11, we seem to be trying the same dragnet approach in cyberspace. Yet as useful as the investigative tools the CSEA creates are, the government must balance the need to gather intelligence with concerns about an individual's right to privacy - online and offline.
The Cyber Security Enhancement Act At A Glance
The CSEA has various components aimed at bolstering "cyber security." The Act directs the United States Sentencing Commission to amend Federal sentencing guidelines for crimes that are related to fraud or unauthorized access to federal government computers and restricted data. Hackers will face harsher penalties if they knowingly cause, or attempt to cause, death or serious bodily injury using the computer as an "instrumentality" for committing their crime. Although there is room for debate about how this provision will be implemented, it seems reasonably limited to distinguish garden-variety hackers from hacker-terrorists.
The CSEA also establishes and maintains a National Infrastructure Protection Center to serve as a cornerstone for governmental threat assessment, warning, investigation, and response to attacks on the U.S.'s critical infrastructure. Within the Department of Justice a new Office of Science and Technology will be created to work on law enforcement technology matters. Again, this makes sense.
These provisions sound non-controversial, and they probably should be. As a result, the House bill has garnered broad support from Republicans and Democrats alike. Yet there is one provision in the CSEA that should give us all pause for thought - Section 102.
This Section would allow ISPs that store records of our electronic communications, including email and online transactions, to make emergency disclosures of those records to a government entity as long as those disclosures are made in good faith.
How the CSEA Would Allow Wide Disclosure of Personal Communications
Pre-September 11 federal law protected the privacy of electronic communications by prohibiting ISPs from revealing the content of stored email or customer information to the government without proper lawful orders. To meet this standard, normally the government should obtain a warrant based on "probable cause" before obtaining the contents of individuals' email or other electronic communications from an ISP.
The post-September 11 USA Patriot Act, which is now law, created a narrow "emergency exception" to this rule. Pursuant to this exception, ISPs are allowed to share the contents of an e-mail or electronic communication with law enforcement agencies if the "provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of the information without delay."
The idea was that information should only be disclosed when public safety, objectively viewed, urgently required it. Again, this was a provision that made some sense after September 11. But the CSEA goes even further - and much further than necessary.
As drafted, Section 102 of the CSEA would broaden the USA Patriot Act's exception - in a way that would allow for more frequent disclosures of sensitive communications, without any court oversight or notice to subscribers. More specifically, Section 102 would allow an ISP to disclose customer data "to a governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure of the information without delay."
Section 102 of the CSEA Broadens the USA Patriot Act's Emergency Exception
As this language and other provisions indicate, Section 102 would expand the narrow emergency exception contained in the USA Patriot Act in several ways. First, as mentioned above, it would allow for these disclosures to any government entity, not just law enforcement.
Does this mean that my local tax assessor, public library, and department of education could request to see my email? Do we want any government entity to have access to our personal email? Does the phrase "government entity" include agencies of a foreign government?
Second, Section 102 no longer requires imminent danger as a reason to trigger ISP disclosure of customer information without a court order. Rather, Section 102 would allow for disclosures when there is some danger, without providing any limiting factors as to how soon the harm will occur.
Third, Section 102 no longer requires that an ISP have a reasonable belief that there is a danger. The ISP now must merely have a subjective "good faith" belief, which may be unreasonable. This allows for too much subjectivity.
If the CSEA is passed, ISPs' disclosure decisions will no longer need to be reasonable - and we can pretty much count on the fact that, in practice, they often will not be. Many ISPs are not large companies, but small businesses run by small groups of employees or even volunteers. They will inevitably be asked to make split-second decisions as to whether to turn over private customer email to government agencies.
Under the CSEA, ISPs will have wide discretion to determine when it is appropriate to turn over our email and other customer information to the government. Terrified of government reprisals and confident of their ability to invoke the "good faith" exception, a very low standard that is hard to enforce, they will likely turn over information at the drop of a hat.
Of course, ISPs may have legitimate concerns about their legal liability for disclosures. But the standard for when an ISP must disclose information should not be the same as the standard for relieving them of legal liability.
It might be appropriate to relieve an ISP of liability if it acted in good faith. Nevertheless, ISPs should still have to act reasonably - not merely in subjective "good faith" - when deciding whether to provide information to the government in the first place.
Narrowing the Opportunity for Judicial Review of Disclosures
Unfortunately, the huge broadening of the set of agencies that can request information, and the new "good faith" standard, do not exhaust the flaws of Section 102. Another major flaw of the provision is that it allows the government to request and obtain private communications without any judicial review or oversight.
Under Section 102, once a request for email or other electronic communications is made to an ISP, there is no requirement of notice to a court, an independent federal agency - or to the individuals who communicated, and whose privacy may be being violated - that email or other data has been disclosed to the government. Moreover, there is no provision for judicial review (before or after the disclosure) to determine whether the disclosure was permissible in the first place.
The possibility of routine, warrantless searches of email communications by the government is clear. Yet warrants, not warrantless searches, should be the norm. The purpose of obtaining a warrant or court order is to ensure that law enforcement is not abusing its authority or engaging in unreasonable searches and seizures.
Even the USA Patriot Act requires, at least, that the courts receive a report of when law enforcement utilizes the poorly named Carnivore to track someone's email traffic. Section 102 requires no such report, and thereby allows the executive branch to keep its requests secret even from the judicial branch. And the courts, of course, cannot invalidate or scrutinize requests of which they are kept wholly ignorant.
Indeed, Section 102 not only does not require reports to the courts, but also does not include any recordkeeping requirement at all for data requests that are made. It will be difficult or impossible, therefore, for commentators, or even Congress, ever to assess the impact that the CSEA will have on ISPs or on the public at large.
How To Amend and Narrow Section 102 of the CSEA
The three basic ways in which Section 102 should be amended are simple and clear. First, law enforcement, which has experience in making requests for information, should still be the primary government entity tasked with initiating requests for private data.
Granted, in certain limited circumstances, other government agencies, beyond law enforcement, may also have the need to access information. As the Center for Democracy and Technology has noted, some circumstances may warrant disclosure to specific types of government entities such as the Center for Disease Control. But such a need should be demonstrated, not presumed. At a minimum, the CSEA should not give a blank check to all government agencies to make whatever requests they want, for whatever reason.
Other commentators have also suggested, and I agree, that information should be disclosed to one centralized government entity. This would allow for more efficient gathering of evidence and allow the government to properly manage information flows. It would also allow for less intrusion on an individual's privacy.
A centralized agency might serve as a clearinghouse. At present, many government agencies are suffering from information overload and cannot properly review, assess and act on the large amounts of data they do receive. They lack the capacity to properly sort through a large volume of information in an effective and useful manner. The coordination among agencies that Homeland Security czar Tom Ridge is trying to accomplish could be undermined if a clearinghouse system is not used.
Moreover, disclosure under the CSEA should be limited, as it is under the USA Patriot Act, to situations where there is a reasonable belief that there is an imminent threat of danger or serious injury. Without an objective reasonableness standard, and a statement that the danger must be imminent, there will be no deterrent to convince ISPs to be cautious and careful when dealing with private customer information.
Finally, the CSEA should also be amended to include a reporting requirement. Certainly reporting to the courts, at a minimum, should be required. What about reporting to individuals when a request has been sent or answered? That is a more difficult question, but some reporting should still be made.
Although it may not be feasible to notify a person before their data has been turned over to the government, there should at least be post-disclosure notification except in the case of security risks. (Obviously, if a suspected terrorist's email were being repeatedly monitored as he planned a crime, even post-disclosure notification would not be possible.)
When there is no risk, however, the requests should be disclosed. We have the right to know if our email has been obtained and read by a government agency acting without a warrant.
Trust is the Foundation of Security in Cyberspace
An essential element of security in cyberspace is trust. If Internet users cannot trust that their most sensitive personal communications will be private, then this may have a chilling effect on the use of the Internet as a powerful tool for communication.
Congress should narrow the new emergency disclosure provisions of Section 102 in the three simple ways I have outlined. If we do not, Congress risks eroding our trust in the Internet as a medium of communication, and in our government as an institution that respects the privacy of its citizens.