Presentation on theme: "Privacy and National Security After September 11 Professor Peter P. Swire Ohio State University FLICC 2002 Forum Library of Congress March 19, 2002."— Presentation transcript:
Privacy and National Security After September 11 Professor Peter P. Swire Ohio State University FLICC 2002 Forum Library of Congress March 19, 2002
Overview of the Talk n My background and Clinton Administration on privacy and security n Wiretaps and surveillance, before and after September 11 n Lessons going forward for privacy and security
I. My Background n Law professor since 1990 -- law of cyberspace, etc. n 1999 & 2000 -- Clinton Administration – Chief Counselor for Privacy n This year, visit at GW n The future -- OSU and summer DC program
Why the interest in privacy? n First wave of privacy activity – 1970, Fair Credit Reporting Act – 1974, Privacy Act (federal agencies) – Rise of the mainframes – Possibility of giant databases – Develop fair information practices of notice, choice, access, security, and accountability
Second wave of privacy activity n Modern laptop or desktop -- everyone can have a mainframe n Rise of the Internet n Transfers are free, instant, and global n How do we respond to more databases and more transfers?
Clinton Administration -- Privacy n Legal protections for sensitive data – Medical privacy proposed and final rule – Financial privacy law and rules – Childrens Online Privacy Protection Act n Self-regulation as path to progress – Internet privacy policies, rise from 14% to 88% n Government as a model – Website privacy policies – Cookies on website policy
II. Wiretaps and Surveillance n History of wiretaps n 2000 Administration proposal n 2001 Bush/Ashcroft proposal and the USA Patriot Act
Wiretap History n 1920s Olmstead – Wiretaps permitted by police without warrant where tap applied outside your home n 1960s Katz – Reasonable expectation of privacy, even in a phone booth n 1968 Title III – Strict rules for content, more than probable cause, as a last resort, reporting requirements
History (cont.) n 1970s Church Committee and FISA – Keep CIA out of domestic spying – Secret wiretaps in U.S., but only where primarily for foreign intelligence n 1984 ECPA – Some protections for e-mail – Some protections for to/from information; pen registers (who you call); trap and trace (who calls you)
2000 Administration Proposal n How to update wiretap and surveillance for the Internet age n Headed 15-agency White House working group n Legislation proposed June, 2000
2000 Administration Proposal n Update telephone era language n Upgrade email and web protections to same as telephone calls n Identify new obstacles to law enforcement from the new technology n Sense of responsibility -- assure privacy, give law enforcement tools it needs
2001 USA Patriot Act n Uniting and Strengthening America Act by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism n USA PATRIOT Act n Introduced less than a week after September 11
Nationwide trap and trace – Old days, serve order on ATT and it was effective nationwide – Today, e-mail may travel through a half-dozen providers, have needed that many court orders – New law -- one order effective nationwide – Query -- order from a judge in Idaho, served late at night, how do you challenge that?
Roving taps – Old days, order for each phone – What if suspect buys a dozen disposable cell phones? – But, how far can the order rove? Anyone in the public library? – Problem -- less of a suppression remedy for email and web use
Updating scope of data n Previously, pen/trap orders (to/from information) authorized to get telephone numbers n New law, any dialing, routing, addressing, or signaling information n Amendment -- not including content, but that was left undefined n Legally allows urls? Technically, can content be excluded?
Computer trespasser exception n Previous law: – ISP can monitor its own system – ISP can give evidence of yesterdays attack – ISP cannot invite law enforcement in to catch the burglars n Problem for: – DOD, other agencies, and many hack attacks – Small system owners who need help
Computer trespasser exception n Law enforcement can surf behind if: – Targets person who accesses a computer without authorization – System owner consents – Lawful investigation – Law enforcement reasonably believes that the information will be relevant – Interception does not acquire communications other than those transmitted to or from the trespasser
Computer trespasser n Issues of concern: – Never a hearing in Congress on it – No time limit – No reporting requirement – FBI can ask the ISP to invite it in, and then camp at ISP permanently – Limited suppression remedy if go outside permitted scope
Law Enforcement vs. Foreign Intelligence n From the 1970s -- separate law enforcement (domestic, rule of law) from foreign intelligence (foreign, laws of war) n Lawyers in DOJ policed transfers, pretty strict n FBI official this fall: all the walls are down now
Supporting this change n Terrorism is both domestic and foreign – World Trade Center shows a risk from keeping investigatory databases separate – As a legislator, would you want to insist on the separation and risk another catastrophe? n The Internet – E-mail and other communications are routinely across borders – Intelligence gathering should be shared
All the walls are down now n To law enforcement, get information from secret FISA wiretaps: – Rule was if purpose was foreign intelligence – Rule now if a significant purpose n To foreign intelligence, secret grand jury testimony can now go to CIA, etc., with no re-use limits in the law
Concerns with FBI/CIA changes n History from 1960s and 1970s of abuses n Risks insertion of foreign intelligence in domestic political groups n Already new proposals to have FBI surveil domestic groups n Possibility of large increase in secret wiretaps n Possibility of prosecutors using broad grand jury powers for non-criminal matters
Security and Privacy n After 9/11, greater focus on (cyber) security n Security vs. privacy n Security and privacy n Our homework
Greater Focus on Security n Less tolerance for hackers and other unauthorized use n Cyber-security and the need to protect critical infrastructures such as payments system, electricity grid, & telephone system n Greater tolerance for surveillance, which many people believe is justified by greater risks
Security vs. Privacy n Security sometimes means greater surveillance, information gathering, & information sharing n USA Patriot increases in surveillance powers n Computer trespasser exception
Security and Privacy n Good data handling practices become more important -- good security protects information against unauthorized use n Audit trails, accounting become more obviously desirable n Part of system upgrade for security will be system upgrade for other requirements, such as privacy (medical privacy)
Our Homework n USA Patriot has 4 year sunset on many of the surveillance provisions n An invitation to get engaged, to study the pros and cons of the new provisions n Hearings are needed on computer trespasser, foreign/domestic, etc. n What can be the new forms of accountability? How stop potential abuses?
In Conclusion n USA Patriot Act is a work in progress n Imagine an architecture that meets legitimate security needs and also respects privacy n Better data handling often results in both n But need accountability to ensure that the new powers are used wisely n Lets get to work on that.
Contact Information n Professor Peter P. Swire n phone: (301) 213-9587 n email: firstname.lastname@example.org n web: www.osu.edu/units/law/swire.htm