Introduction

On October 26, 2001, President Bush signed the USA PATRIOT Act (PATRIOT) into law. PATRIOT gave sweeping new powers to both domestic law enforcement and international intelligence agencies and eliminated the checks and balances that previously gave courts the opportunity to ensure that such powers were not abused. Most of these checks and balances were put into place after previous misuse of surveillance powers by these agencies were uncovered including the revelation in 1974 that the FBI and foreign intelligence agencies had spied on over 10,000 U.S. citizens, including Martin Luther King.

A Rush Job

The bill is 342 pages long and makes changes, some large and some small, to over 15 different statutes. This document provides explanation and some analysis to the sections of the bill relating to online activities and surveillance. Other sections, including those devoted to money laundering, immigration and providing for the victims of terrorism, are not discussed here.

Yet even just considering the surveillance and online provisions of PATRIOT, it is a large and complex law that had over four different names and several versions in the five weeks between the introduction of its first predecessor and its final passage into law. While containing some sections that seem appropriate -- providing for victims of the September 11 attacks, increasing translation facilities and increasing forensic cybercrime capabilities -- it seems clear that the vast majority of the sections included were not carefully studied by Congress, nor was sufficient time taken to debate it or to hear testimony from experts outside of law enforcement in the fields where it makes major changes. This concern is amplified because several of the key procedural processes applicable to any other proposed laws, including inter-agency review, the normal committee and hearing processes and thorough voting, were suspended for this bill.

Were our Freedoms the Problem?

The civil liberties of ordinary Americans have taken a tremendous blow with this law, especially the right to privacy in our online communications and activities. Yet there is no evidence that our previous civil liberties posed a barrier to the effective tracking or prosecution of terrorists. In fact, in asking for these broad new powers, the government made no showing that the previous powers of law enforcement and intelligence agencies to spy on U.S. citizens were insufficient to allow them to investigate and prosecute acts of terrorism. The process leading to the passage of the bill did little to ease these concerns. To the contrary, they are amplified by the inclusion of so many provisions that, instead of being aimed at terrorism, are aimed at nonviolent, domestic crime. In addition, although many of the provisions facially appear aimed at terrorism, the Government made no showing that the reasons they failed to detect the planning of the recent attacks or any other terrorist attacks were the civil liberties compromised with the passage of PATRIOT.

Executive Summary

Chief Concerns

The EFF's chief concerns with PATRIOT include:

Expanded Surveillance With Reduced Checks and Balances. PATRIOT expands all four traditional tools of surveillance used by law enforcement -- wiretaps, search warrants, pen/trap orders and subpoenas. Their counterparts under the Foreign Intelligence Surveillance Act (FISA) that allow spying in the U.S. by foreign intelligence agencies have similarly been expanded. This means:

  1. Be careful what you read on the Internet. The government may now monitor the online activities of innocent Americans, and perhaps even track what Web sites you read, by merely telling a judge anywhere in the U.S. that the spying could lead to information that is "relevant" to an ongoing criminal investigation. The person spied on does not have to be the target of the investigation. This application must be granted and the government is not obligated to report to the court or tell the person spied upon what it has done.
  2. Nationwide roving wiretaps. FBI and CIA can now go from phone to phone, computer to computer without demonstrating that each is being used by a suspect or target of an order, or even specifically identifying the person targeted. The government may now serve a single Title III wiretap, FISA wiretap or pen/trap order on any person or entity nationwide, regardless of whether that person or entity is named in the order. The government need not make any showing to a court that the particular information or communication to be acquired is relevant to a criminal investigation. In the pen/trap or FISA situations, they do not even have to report where they served the order or what information they received. The EFF believes that the opportunities for abuse of these broad new powers are immense. For pen/trap orders, while ISPs or others who are not specifically named in the order do have the legal right to request certification from the Attorney General's office that the order applies to them, they have no right to request such confirmation from a court.
  3. ISPs hand over more user information. The law makes two changes to increase how much information the government may obtain about users from their ISPs or others who handle or store their online communications. First it allows ISPs to voluntarily hand over all "non-content" information to law enforcement with no need for any court order or subpoena. §212. Second, it expands the records that the government may seek with a simple subpoena (no court review required) to include records of session times and durations, temporarily assigned network (I.P.) addresses, and means and source of payments, including credit card or bank account numbers. §§210, 211.
  4. New definitions of terrorism expand scope of surveillance. One new definition of terrorism and three expansions of previous definitions also expand the scope of surveillance.  PATRIOT §802's definition of "domestic terrorism" (amending 18 USC §2331) raises concerns about legitimate protest activity being prosecuted as terrorism, especially if violence erupts, while additions to three existing definitions of terrorism (int'l terrorism per 18 USC §2331, terrorism transcending national borders per 18 USC §2332b, and federal terrorism per amended 18 USC §2332b(g)(5)(B)) expose more people to surveillance (and potential "harboring" and "material support" liability, §§803, 805).

Overbreadth with a lack of focus on terrorism. Several provisions of PATRIOT have no apparent connection to preventing terrorism. These include:

  1. Government spying on suspected computer trespassers with no need for court order. §217.
  2. Adding samples to DNA database for those convicted of "any crime of violence."  §503. This provision allows collection of DNA for terrorists, but then inexplicably also allows collection for the broad, non-terrorist category of "any crime of violence."
  3. Wiretaps now allowed for suspected violations of the Computer Fraud and Abuse Act. This includes anyone suspected of exceeding authorized access to a computer used in interstate commerce and thereby causing over $5000 worth of combined damage.
  4. Dramatic increases to the scope and penalties of the Computer Fraud and Abuse Act. These include: 1) raising the maximum penalty for violations to 10 years (from 5) for a first offense and 20 years (from 10) for a second offense; 2) ensuring that violators only need to intend to cause damage generally, not intend to cause damage or other specified harm over the $5,000 statutory damage threshold; 3) allowing aggregation of damages to different computers over a year to reach the $5,000 threshold; 4) enhancing punishment for violations involving any (not just $5,000) damage to a government computer involved in criminal justice or the military; 5) including damage to foreign computers involved in U.S. interstate commerce; 6) including state law offenses as priors for sentencing; 7) expanding the definition of loss to expressly include time spent on investigation, response, damage assessment and restoration.

Allows Americans to be More Easily Spied Upon by U.S. Foreign Intelligence Agencies. Just as the domestic law enforcement surveillance powers have expanded, the corollary powers under the Foreign Intelligence Surveillance Act have also been greatly expanded, including:

  1. General Expansion of FISA Authority. FISA authority to spy on Americans or foreign persons in the U.S. (and those who communicate with them) increased from situations where obtaining foreign intelligence information is "the" purpose of the surveillance to anytime that it is "a significant purpose" of the surveillance.
  2. Increased information sharing between domestic law enforcement and intelligence. This is a partial repeal of the wall put up in the 1970s after the discovery that the FBI and CIA had been conducting investigations on over half a million Americans during the McCarthy era and afterwards, including the pervasive surveillance of Martin Luther King in the 1960s. It allows wiretap results, grand jury information and other evidence collected in a criminal case to be disclosed to the intelligence agencies when the information constitutes foreign intelligence information.
  3. FISA detour around federal domestic surveillance limitations; domestic detour around FISA limitations. Domestic surveillance limits can be skirted by the Attorney General, for instance, by obtaining a FISA wiretap against a U.S. person where "probable cause" does not exist, but when the person is suspected to be an agent of a foreign government. The information can then be shared with the FBI. The reverse is also true.

Future Actions

The EFF urges the following:

  1. That law enforcement and the intelligence agencies use these new powers carefully and limit their use to bona fide investigations into acts of terrorism.
  2. That the courts appropriately punish those who misuse these new laws and that Congress reexamine its decision to grant such broad, unchecked powers.
  3. That if these laws are misused to harm the rights of ordinary Americans involved in low-level crimes unrelated to terrorism, the courts refuse to allow evidence collected through use of these broad powers to be used in prosecuting them.
    • That the many vague, undefined terms in PATRIOT be defined in a manner that protects the civil liberties and privacy of Americans.
  4. That ISPs and others served with "roving" wiretaps and other Orders that do not specify them as recipients require the Attorney General to certify that the order properly applies to them.
  5. That Congress require the law enforcement and intelligence agencies who operate under provisions of PATRIOT that are set to expire in December, 2005, to provide it with comprehensive reports about the use of these new powers, so as enable Congress to reasonably determine whether these provisions should be renewed.

I. Expanded Surveillance with Reduced Checks and Balances

A. A Brief, Incomplete Introduction to Electronic Surveillance under U.S. Law.

U.S. law has provided four basic mechanisms for surveillance on people living in the United States: interception orders authorizing the interception of communications; search warrants authorizing the search of physical premises and seizure of tangible things like books or other evidence; "pen register" and "trap-and-trace device" orders (pen/trap orders), which authorize the collection of telephone numbers dialed to and from a particular communications device; and subpoenas compelling the production of tangible things, including records. Each mechanism has its own proof standards and procedures based on the Constitution, statutes, or both.

U.S. law also provides two separate "tracks" with differing proof standards and procedures for each of these mechanisms depending upon whether surveillance is done by domestic law enforcement or foreign intelligence. All of these have been expanded by PATRIOT.

For instance, when surveillance is conducted for domestic law enforcement purposes, the probable cause standard of the Fourth Amendment applies to interception orders and search warrants. But a court order compelling an ISP to produce e-mail logs and addresses of past e-mail correspondents uses a lower standard: the government must show specific and articulable facts showing reasonable grounds to believe that the records are relevant and material to an ongoing criminal investigation. A pen/trap order uses an even lower standard: the government need only tell the court that the surveillance is relevant to a criminal investigation. The standard for subpoenas is also very low.

Where foreign intelligence surveillance is concerned, however, the standard of proof and procedures for each mechanism has been different. One key difference is that foreign intelligence surveillance is not based on the concept of criminality. Under the Foreign Intelligence Surveillance Act (FISA), the key issue is whether the intended surveillance target is an "agent of a foreign power" or a "foreign power." Only if the target is a U.S. citizen or permanent resident alien must the government show probable cause of criminality.

Second, FISA allows a secret court to authorize U.S. intelligence agencies to conduct surveillance using each of the four basic mechanisms listed above. For instance, FISA interception orders involving U.S. persons are issued by the secret court based on an application from the Attorney General stating reasons to believe that the surveillance target is an agent of a foreign power or a foreign power, certifying that "the purpose" of the surveillance is to gather foreign intelligence information, and several other facts and representations. The secret court's role here, however, is quite limited: it is not supposed to "second-guess" the government's certifications or representations. (Unsurprisingly, the secret FISA court has only denied one application in its over twenty-year existence.) Moreover, unlike ordinary interception orders, FISA does not require reports to the court about what the surveillance found; no reports of what is being sought or what information is retrieved are ever available to the public. Thus, the secret court's only practical accountability is in a district court when a surveillance target is prosecuted and seeks to suppress the fruits of FISA surveillance.

FISA's requirements are even weaker if the electronic surveillance is directed solely at means of communications used exclusively between or among foreign powers and when it is unlikely that communications to which a U.S. person is a party will be intercepted; in such cases, surveillance may proceed for up to a year without a court order.

Immediately after the September 11 attacks, electronic surveillance was conducted pursuant to FISA orders. There have been no reports that the limitations of FISA power posed any problems for the government.

Domestic Law Enforcement Foreign Intelligence Surveillance
1. Intercept Orders.

Title III (named after the relevant section of the original legislation, the Omnibus Crime Control and Safe Streets Act of 1968) surveillance is a traditional wiretap that allows the police to bug rooms, listen to telephone conversations, or get content of electronic communications in real time.

  • Obtained after law enforcement makes a showing to a court that there is "probable cause" to believe that the target of the surveillance committed one of a special list of severe crimes.
  • Law enforcement must report back to the court what it discovers.
  • Up to 30 days; must go back to court for 30-day extensions

(Courts do not treat unopened e-mail at ISPs as real-time communications.)

1. FISA Intercept Orders.
  • Secret Court. No public information about what surveillance requested or what surveillance actually occurs, except for a raw annual report of number of requests made and number granted (the secret court has only refused one request).
  • Previous standard was certification by Attorney General that "the purpose" of an order is a suspicion that the target is a foreign power or an agent of a foreign power.
  • Attorney General is not required to report to the court what it does.
  • Up to 90 days, or 1 year (if foreign power)
2. Pen/Trap.

Pen/Trap surveillance was based upon the physical wiring of the telephone system. It allowed law enforcement to obtain the telephone numbers of all calls made to or from a specific phone.

  • Allowed upon a "certification" to the court that the information is relevant to an ongoing criminal investigation.
  • Court must grant if proper application made.
  • Does not require that the target be a suspect in that investigation and law enforcement is not required to report back to the court.

Prior to PATRIOT there had been debate about how this authority is to be applied in the Internet context.

2. FISA Pen/Trap.

Previous FISA pen/trap law required not only showing of relevance but also showing that the communications device had been used to contact an "agent of a foreign power."

While this exceeds the showing under the ordinary pen/trap statute, such a showing had the function of protecting U.S. persons against FISA pen/trap surveillance.

3. Physical search warrants

Judicial finding of probable cause of criminality; return on warrant.

Previously, agents were required at the time of the search or soon thereafter to notify person whose premises were searched that search occurred, usually by leaving copy of warrant.

PATRIOT makes it easier to obtain surreptitious or "sneak-and-peek" warrants under which notice can be delayed.

3. FISA Physical search warrants

See FISA 50 USC §1822. PATRIOT extends duration of physical searches.

Under previous FISA, Attorney General (without court order) could authorize physical searches for up to one year of premises used exclusively by a foreign power if unlikely that U.S. person will be searched; minimization required. A.G. could authorize such searches up to 45 days after judicial finding of probable cause that U.S. target is or is an agent of a foreign power; minimization required, and investigation may not be based solely on First Amendment-protected activities.

4. Subpoenas for stored information.

Many statutes authorize subpoenas; grand juries may issue subpoenas as well. EFF's main concern here has been for stored electronic information, including e-mail communications and subscriber or transactional records held by ISPs. Subpoenas in this area are governed by the Electronic Communications Privacy Act (ECPA).

4. FISA subpoenas

Previously, FISA authorized collection of business records in very limited situations, mainly records relating to common carriers, vehicles or travel, and only via court order.

PATRIOT permits any "tangible things," including business records, to be obtained via a subpoena.

II. Increased Surveillance Authority

PATRIOT removes many of the checks and balances that prevented both police and the foreign intelligence agencies from improperly conducting surveillance on U.S. citizens who are not involved in criminal or terrorist activity. For Internet users, it opens the door for widespread surveillance of web surfing, e-mails and peer-to-peer systems. In addition, the protections against the misuse of these authorities -- by the foreign intelligence agencies to spy on U.S. citizens and by law enforcement to use foreign intelligence authority to exceed their domestic surveillance authority -- have been greatly reduced.

A. Law enforcement intercept orders (Wiretaps)

Wiretaps (for telephone conversations) can only be issued for certain crimes listed in 18 USC §2516. PATRIOT adds to this list. This restriction has never applied to interception of electronic communications.

1. Adds Terrorism.

PATRIOT §201 adds terrorism offenses, which is probably redundant since the list already included most if not all terrorist acts -- e.g., murder, hijacking, kidnapping, etc.

2. Adds Computer Fraud and Abuse Act (CFAA), 18 USC §1030.

PATRIOT §202 adds felony violations of the CFAA (see below for discussion of changes to CFAA).

3. Removes voicemail from Title III purview.

PATRIOT §209 allows police to get voicemail and other stored wire communications without an intercept order; now, only a search warrant needed.

4. Exempts certain interceptions from requirement of judicial authorization.

Computer trespassers, see below.

B. Law enforcement search warrants.

1. Single-jurisdiction search warrants for terrorism and for electronic evidence.

In general, search warrants must be obtained within a judicial district for searches in that district. Fed.R.Crim.Pro. 41. PATRIOT relaxes this rule. PATRIOT §219 adds terrorist investigations to the list of situations where single-jurisdiction search warrants may be issued. PATRIOT also allows issuance in any district in which activities related to terrorism may have occurred for search of property or person within or outside the district. §220. Once a judge somewhere approves a warrant for seizing unopened e-mail less than 180 days old, that order can be served on any ISP or telecommunications company nationwide, without any need that the particular service provider be identified in the warrant.

2. "Sneak-and-peek" warrants greatly expanded.

PATRIOT §213 allows delayed notification of a search for "a reasonable period" that can be "extended for good cause shown" to a court for any wire or electronic communication or tangible property. This is problematic because notice to a searched person is a key component of Fourth Amendment reasonableness.

C. Law enforcement Pen/Trap orders

Pen/trap orders are issued by a court under a very low standard; PATRIOT does not change this standard. PATRIOT instead expands the reach of pen/trap orders to the Internet.

PATRIOT §216 modifies 18 USC §3121(c) to expressly include routing and addressing information, thus expressly including e-mail and electronic communications. "Contents" of communications are excluded, but there remain serious questions about the treatment of Web "addresses" and other URLs that identify particular content.

Pen/trap orders can now apply even to those not named in an order (nationwide). Previously, pen/trap orders were limited by a court's jurisdiction, so they had to be installed within the judicial district. Now, a court shall enter an ex parte order authorizing use anywhere within the U.S. if that court has jurisdiction over crime being investigated and the attorney for the U.S. Government has certified that information "likely to be obtained" is "relevant to an ongoing criminal investigation." The order applies to any provider "whose assistance may facilitate the execution of the order, " whether or not within the jurisdiction of the issuing court. But if the entity is not named, it may require that the U.S. attorney provide written or electronic certification that the order applies to the person or entity being served.

If a government agency uses its own technology (e.g., Carnivore) to conduct pen/trap surveillance, then an "audit trail" is required, e.g., 30 day report back to court. There is no mandate that the served entity's equipment facilitate the surveillance. §222 (prevents CALEA application here).

D. Law enforcement subpoenas (and some court orders) for stored information

1. PATRIOT §§210 and 212 amend the Electronic Communications Privacy Act (ECPA).

PATRIOT §210 expands the records that can be sought without a court order to include: records of session times and durations, temporarily assigned network addresses, and means and source of payments, including any credit card or bank account number.

PATRIOT §212 expands "emergency" voluntary disclosure to government of both content and customer records if there is reason to believe that there exists immediate danger of death or serious physical injury (The Homeland Security Act further expanded this exception for cases where there is a good faith basis to believe the same).

2. PATRIOT §211. Reduction of Privacy for Cable Records.

Previously, the Cable Act had mandated strong privacy protection for customer records of cable providers; PATRIOT overrides these protections for customer records related to telecommunications services. This is not a major change because several courts have already held that these privacy protections don't apply for telecommunications services.

E. Information sharing between law enforcement and intelligence community

Because foreign intelligence surveillance does not require probable cause of criminality and because of the fear that foreign intelligence surveillance aimed at foreign agents would violate the rights of U.S. persons, the law has tried to keep foreign intelligence surveillance (including evidence gained therefrom) separate from law enforcement investigations. PATRIOT greatly blurs the line of separation between the two.

1. Easier to Use FISA authority for Criminal Investigations.

Under PATRIOT §218, foreign intelligence gathering now only needs to be "a significant purpose" rather than "the purpose" of FISA surveillance (edits to 50 USC §1804(a)(7)(b), and 1823 (a)(7)(B)). The FISA court only looks to see that the required certifications are present in the application and are not "clearly erroneous".   Courts have said that it is not their function to "second guess" the certifications.

2. Now Can Disclose Formerly Secret Grand Jury Information to Intelligence Services.

PATRIOT §203(a) amends Federal Rule of Criminal Procedure 6 so that grand jury information can now be disclosed to intelligence services when "matters involve foreign intelligence or counterintelligence per 50 USC §401a or foreign intelligence information" (defined below).

3. Foreign Intelligence Information.

This is a new category of information that can be disclosed to foreign intelligence agents. It includes any information, whether or not concerning a U.S. person, that "relates" to the ability of the U.S. to protect against an actual or potential attack, sabotage or international terrorism or clandestine intelligence activities, as well as any information, whether or not concerning a U.S. Person, that "relates" to the national defense or security or the conduct of foreign affairs.

4. Disclose Criminal Wiretap Information to Any Government Official, Including Foreign Intelligence Services

PATRIOT §203(b) amends 18 USC §2517, allowing disclosure of the contents of wiretaps or evidence derived therefrom to any other government official, including intelligence, national defense and national security, "to the extent such contents include foreign intelligence or counterintelligence or foreign intelligence information" (defined above).

5. General Authority to Disclose

Notwithstanding other law, PATRIOT §203(d) makes it lawful for foreign intelligence or counterintelligence or foreign intelligence information (see definition above) to be disclosed to anyone to assist in performance of official duties. PATRIOT §504 also authorizes general coordination between law enforcement and FISA surveillance.

F. FISA

1. Intercept orders: adds "roving wiretap" authority to FISA.

PATRIOT §206 amends 50 USC §1805. FISA court now may authorize intercepts on any phones or computers that the target may use. The foreign intelligence authorities can require anyone to help them wiretap. Previously they could only serve such orders on common carriers, landlords, or other specified persons. Now they can serve them on anyone and the Order does not have to specify the name of the person required to assist. Such roving wiretap authority raises serious Fourth Amendment problems because it relaxes the "particularity" requirements of the Warrant Clause. Such authority already exists under Title III.

PATRIOT §207 increases the duration of FISA intercept orders, amending 50 USC §1805(e)(1) to increase the duration of surveillance on agents of a foreign power (not U.S. persons) from 90 to 120 days.

2. FISA search warrants

PATRIOT §207 extends the time period during which a FISA search warrant may be used, amending 50 USC §1824(d) to increase the period for judicially authorized physical searches a) to 90 days (up from 45), or b) if agent of a foreign power (employee or member of a foreign power but not U.S. persons), to 120 days.

3. FISA pen/trap orders

PATRIOT §214 amends 50 USC 1842 and 1843 (emergency) to allow pen/trap orders when they are concerning foreign intelligence information and:

  1. are not concerning a U.S. person or;
  2. ARE concerning a U.S. person, and are to protect against international terrorism or clandestine intelligence activities, provided that such investigation is not conducted solely upon the basis of 1st Amendment activities.
4. FISA subpoenas and similar authorities

PATRIOT grants broad authority for compelling business records. Under previous law, only records of common carriers, public accommodation facilities, physical storage facilities and vehicle rental facilities could be obtained with a court order.

PATRIOT §215 amends 50 USC §1862 to allow application to the FISA court for an order to compel the production of any business record or tangible thing from anyone for any investigation to protect against international terrorism or clandestine intelligence activities (but cannot investigate a U.S. person solely for First Amendment activities).

  1. No showing needed that the person is an agent of a foreign power.
  2. Order MUST be granted by the court if application meets requirements.
  3. Order will not state that it is authorized under this section.
  4. Persons served with such an order are gagged.
  5. DOJ must provide to Congress a semiannual report on the number of applications and the number of those that were granted or denied, but there is no required reporting to the court or Congress regarding actual documents seized or their usefulness.

G. Other changes related to surveillance

1. New surveillance of communications "relevant" to computer trespasser investigation

PATRIOT §217 changes 18 USC §2510, adding another area where any government employee, not just law enforcement, may conduct content surveillance of U.S. persons. This is when a computer owner and operator "authorizes" surveillance and a law enforcement agent "has reasonable grounds to believe contents of communication will be relevant" to investigating computer trespass and does not acquire anyone else's communications. This section authorizes interception of messages suspected of being sent through a computer without "authorization."

  1. The term "authorization" is not defined, giving the owner/operator of protected computer and the government agent great discretion.
  2. BUT this does not include someone who is known to have an existing contractual relationship to access all or part of the computer. According to DOJ, ISP customers who send spam in violation of ISP's terms of service would not be trespassers.
2.Civil liability for certain unauthorized disclosures.

PATRIOT §223. This provision provides a small bit of relief for those who discover that law enforcement or the foreign intelligence authorities have disclosed information about them improperly.

  1. Allows Administrative discipline. Amends 18 USC §§2520, 2707.
  2. Allows §2712 civil actions with a $10,000 recovery limit, but only for willful disclosures. [It's a $10K statutory damages minimum ("actual damages, but not less than $10,000, whichever amount is greater.")]
3. Disclosure of Educational Records.

PATRIOT §§507-8 amends 20 USC §1232g:

  1. Upon written application to a court the Attorney General may require an educational agency to collect educational records "relevant" to an authorized investigation of a listed terrorist offense or "domestic or international terrorist offense." If the application is correct and satisfies the low pen/trap �relevance" standard, the court shall grant the order.
  2. Same for National Education Statistics Act surveys.
4. Similarly expands quasi-subpoena power for many other records.

PATRIOT §505 authorizes issuance of �National Security Letters," administrative subpoenas for certain phone billing records, bank records, credit records on the same showing as for FISA pen/trap (but no court order).

III. Changes With Little Relationship to Fighting Terrorism.

The EFF is deeply dismayed to see that the Attorney General seized upon the legitimate Congressional concern following the September 11, 2001 attacks to pad PATRIOT with provisions that have at most a tangential relationship to preventing terrorism. Instead, these provisions appear targeted at low and mid-level computer defacement and damage cases which, although clearly criminal, are by no means terrorist offenses and have no business being included in the Act.

A. Computer Fraud and Abuse Act (CFAA 18 USC §1030).

The CFAA provides for civil and criminal liability for acts exceeding the "authority" to access or use a computer connected to the Internet. It is used to prosecute those engaging in computer graffiti, website defacement and more serious computer intrusion and damage. It has also been applied in civil cases to spammers and those sending unwanted bots to gather information from the websites of others. PATRIOT makes several changes to this law, none of which seems aimed at preventing or prosecuting terrorist offenses -- which are separately defined and already include the use of computers to commit terrorism. An earlier version of the bill would have made many violations of the statute "terrorist" offenses. After outcry from EFF members and many others, most (but not all, see below) of the offenses under §1030 were removed from the "terrorist" definition. However, the penalties and scope of §1030 were instead greatly expanded. The changes include:

  1. Adds an "attempt to commit an offense" under §1030 to the list of illegal activities with the same penalties as an offense. §814.
  2. The law now applies if the damage is done to computers outside the U.S. that affect U.S. Interstate commerce. §814.
  3. Includes state court convictions under similar statutes as priors for purposes of a second conviction with increased penalties. §814.
  4. Increases penalties for violations of the statute. §814(1).

"Loss" under the statute now expressly includes time spent responding and assessing damage, restoring data, program, system or information, any revenue lost, cost incurred or other consequential damages. §814.

B. Computer Crimes under CFAA Defined as "Terrorist Offenses"

As far as the investigation has revealed so far, computer crime played no role in the September 11, 2001 attacks or in any previous terrorist attacks suffered by the United States. Computer crime, especially when it results in danger to lives, is a serious offense, but PATRIOT adds it to the list of "terrorist offenses." Although it is obviously possible that a computer crime in the future could be part of a terrorist offense, the definition of "terrorism" already includes murder, hijacking, kidnapping and similar crimes that would be the result of a "cyber-terrorist" attack. Yet without explanation, early versions of PATRIOT included even low-level computer intrusion and web defacement as "terrorist offenses." The final bill was not so draconian, but still includes the following (among others unrelated to computer crime) as "terrorist offenses" under 18 USC §2332b(g)(5)(B):

  1. An act calculated to influence or affect the conduct of government by intimidation or coercion or to retaliate against government conduct (this language was in existing law) AND EITHER
  2. violates 18 USC §1030(a)(1), accessing restricted or classified information on computers that require protection for reasons of national security, national defense or §11(y) of Atomic Energy Act of 1954 with reason to believe that the information could injure the U.S. or advantage a foreign nation, and willfully communicating the information to one not entitled to it, OR
  3. violates 18 USC §1030(a)(5)(A)(i) resulting in damage that:
    1. causes a medical care problem, physical injury, or threat to public health or safety, OR
    2. affects a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security.
  4. If an offense is a federal terrorism offense per 18 USC 2332b(g)(5)(B):
    1. RICO procedures apply. §813. This includes seizure of assets pre-conviction, forfeiture post-conviction and many other procedural provisions previously applicable just to organized crime and the drug war.
    2. 8 year statute of limitation §3286 (§809).
    3. Alternate maximum penalties (§810) 15 year max penalty 810(c)(1) and if death of a person results, for any term or for life.
    4. Included in §803: harboring or concealing terrorists
    5. Included in §805: Material support under 18 USC 2339A.
    6. Section 806 regarding assets "of any individual, entity or organization engaged in planning or perpetrating any act of domestic or international terrorism," and all assets "affording any person a source of influence over any such entity or organization."
    7. PATRIOT §805 amends 18 USC 2339A. Material support for terrorists now includes "expert advice or assistance"; e.g., biochemist's advice on how to increase lethality of biological agents.

Previously, 2339A included "training"; statute requires "knowing or intending that they [material support or resources] are to be used in preparation for, or in carrying out, a violation . . .. [of, inter alia, 2332b]" -- so this requires knowing or intentional facilitation.

Under 2339A a facilitator may be culpable whether or not the underlying offense is committed; also, scienter does not require "specific intent to commit the underlying action," but only knowledge that material support or resources "are to be used" for a specified offense -- however, normally this is interpreted to mean that the facilitator be "aware that that result is practically certain to follow from his conduct.'" If a facilitator was virtually certain that particular recipients would in fact use the provided resources to commit a terrorist crime, it would be immaterial whether the facilitator knew precisely when or where the criminal conduct would occur.

IV. Sunset Provisions

Under PATRIOT §224, several of the surveillance portions of PATRIOT will expire on December 31, 2005.

The EFF is pleased that at least some of the more severe changes in the surveillance of U.S. persons contained in PATRIOT will expire on December 31, 2005 unless renewed by Congress. We are concerned, however, that there is no way for Congress to review how several of these key provisions have been implemented, since there is no reporting requirement to Congress about them and no requirements of reporting even to a judge about several others. Without the necessary information about how these broad new powers have been used, Congress will be unable to evaluate whether they have been needed and how they have been used in order to make an informed decision about whether and how they should continue or whether they should be allowed to expire without renewal.

A. The provisions that expire include:

  • §201. Authority To Intercept Wire, Oral, And Electronic Communications Relating To Terrorism.
  • §202. Authority To Intercept Wire, Oral, And Electronic Communications Relating To Computer Fraud And Abuse Offenses.
  • §203(b), (d). Authority To Share Criminal Investigative Information.
  • §206. Roving Surveillance Authority Under The Foreign Intelligence Surveillance Act Of 1978.
  • §207. Duration Of FISA Surveillance Of Non-United States Persons Who Are Agents Of A Foreign Power.
  • §209. Seizure Of Voice-Mail Messages Pursuant To Warrants.
  • §212. Emergency Disclosure Of Electronic Communications To Protect Life And Limb.
  • §214. Pen Register And Trap And Trace Authority Under FISA.
  • §215. Access To Records And Other Items Under FISA.
  • §217. Interception Of Computer Trespasser Communications.
  • §218. Foreign Intelligence Information.
  • §220. Nationwide Service Of Search Warrants For Electronic Evidence.
  • §223. Civil Liability For Certain Unauthorized Disclosures.

B. The following provision do not expire:

  • §203(a),(c). Authority To Share Criminal Investigative Information.
  • §208. Designation Of Judges.
  • §210. Scope Of Subpoenas For Records Of Electronic Communications.
  • §211. Clarification Of Scope [privacy provisions of Cable Act overridden for communication services offered by cable providers (but not for records relating to cable viewing.)]
  • §213. Authority For Delaying Notice Of The Execution Of A Warrant.
  • §216. Modification Of Authorities Relating To Use Of Pen Registers And Trap And Trace Devices.
  • §219. Single-Jurisdiction Search Warrants For Terrorism.
  • §222. Assistance To Law Enforcement Agencies.
  • §225. Immunity For Compliance With Fisa Wiretap. Can continue all investigations active at the time of expiration.