Presentation on theme: "Privacy & Security After September 11 Professor Peter P. Swire Ohio State University University of Michigan Lecture December 4, 2001."— Presentation transcript:
Privacy & Security After September 11 Professor Peter P. Swire Ohio State University University of Michigan Lecture December 4, 2001
Overview of the Talk n My background and Clinton Administration on privacy and security n Wiretaps and surveillance, before and after September 11 n Lessons going forward n Tonights talk -- bring out privacy and the logic of why greater security tools may be needed
I. My Background n 1980 thesis on IT and effects on legal and economic thought n First Internet law article in 1992 n Wrote on encryption, privacy, and other cyber issues n 1999 & 2000 -- Clinton Administration – Chief Counselor for Privacy n 2001 Return to law teaching
Why the interest in privacy? n First wave of privacy activity – 1970, Fair Credit Reporting Act – 1974, Privacy Act (federal agencies) – Rise of the mainframes – Possibility of giant databases – Develop fair information practices of notice, choice, access, security, and accountability
Second wave of privacy activity n Modern laptop or desktop -- everyone can have a mainframe n Rise of the Internet n Transfers are free, instant, and global n How do we respond to more databases and more transfers? n High interest in privacy, and the WSJ poll 9/99
Clinton Administration -- Privacy n Legal protections for sensitive data – Medical privacy proposed and final rule – Financial privacy law and rules – Childrens Online Privacy Protection Act n Self-regulation as path to progress – Internet privacy policies, rise from 14% to 88% n Government as a model – Website privacy policies – Cookies on website policy
ClintonAdministration -- Security n Better computer security helps privacy, by keeping out unauthorized users n But, better computer security can threaten privacy, where have increased surveillance – Federal Intrusion Detection Network (FIDNET) – Carnivore e-mail surveillance program
Clinton Administration - Encryption n Security concern: FBI and NSA say strong encryption hurts security and lets criminals communicate freely n 9/99 policy change: strong encryption necessary for strong military, e-commerce, and civil society n Helps privacy and security, because otherwise everyones communications are easily compromised
II. Wiretaps and Surveillance n History of wiretaps n 2000 Administration proposal n 2001 Bush/Ashcroft proposal and the USA Patriot Act
Wiretap History n 1920s Olmstead – Wiretaps permitted by police without warrant where tap applied outside your home n 1960s Katz – Reasonable expectation of privacy, even in a phone booth n 1968 Title III – Strict rules for content, more than probable cause, as a last resort, reporting requirements
History (cont.) n 1970s Church Committee and FISA – Keep CIA out of domestic spying – Secret wiretaps in U.S., but only where primarily for foreign intelligence n 1984 ECPA – Some protections for e-mail – Some protections for to/from information; pen registers (who you call); trap and trace (who calls you)
2000 Administration Proposal n How to update wiretap and surveillance for the Internet age n Headed 15-agency White House working group n Legislation proposed June, 2000 – S. 3083 – Hearings and mark-up in House Judiciary, further toward privacy than our proposal
2000 Administration Proposal n Update telephone era language n Upgrade email and web protections to same as telephone calls n Identify new obstacles to law enforcement from the new technology n Sense of responsibility -- assure privacy, give law enforcement tools it needs
2001 USA Patriot Act n Introduced less than a week after September 11 n Describe new provisions n Computer trespasser exception n Walls down between CIA/FBI n 4 year sunset for many surveillance provisions and what to do next
Updating telephone-era language – Was device authorized by court order – That worked well for a physical tap on a copper wire, but does it allow a sniffer program on web usage? – Now device or process, so software access is clearly authorized
Roving taps – Old days, order for each phone – What if suspect buys a dozen disposable cell phones? – But, how far can the order rove? Anyone in the public library? – Problem -- less of a suppression remedy for email and web use
Emergency orders – Any ongoing computer attack, or else ability to trace back may be lost – Anything affecting a national security interest – Are these too broad?
Nationwide trap and trace – Old days, serve order on ATT and it was effective nationwide – Today, e-mail may travel through a half-dozen providers, have needed that many court orders – New law -- one order effective nationwide – Query -- order from a judge in Idaho, served late at night, how do you challenge that?
Updating scope of data n Previously, pen/trap orders (to/from information) authorized to get telephone numbers n New law, any dialing, routing, addressing, or signaling information n Amendment -- not including content, but that was left undefined n Legally allows urls? Technically, can content be excluded?
Computer trespasser exception n Previous law: – ISP can monitor its own system – ISP can give evidence of yesterdays attack – ISP cannot invite law enforcement in to catch the burglars n Problem for: – DOD and many hack attacks – Small system owners who need help
Computer trespasser proposal n Law enforcement can surf behind if: – Targets person who accesses a computer without authorization – System owner consents – Lawful investigation – Law enforcement reasonably believes that the information will be relevant – Interception does not acquire communications other than those transmitted to or from the trespasser
Computer trespasser n Issues of concern: – Never a hearing in Congress on it – No time limit – No reporting requirement – FBI can ask the ISP to invite it in, and then camp at ISP permanently – Limited suppression remedy if go outside permitted scope
Law Enforcement vs. Foreign Intelligence n From the 1970s -- separate law enforcement (domestic, rule of law) from foreign intelligence (foreign, laws of war) n Lawyers in DOJ policed transfers, pretty strict n FBI official this fall: all the walls are down now
Supporting this change n Terrorism is both domestic and foreign – World Trade Center shows a risk from keeping investigatory databases separate – As a legislator, would you want to insist on the separation and risk another catastrophe? n The Internet – E-mail and other communications are routinely across borders – Intelligence gathering should be shared
All the walls are down now n To law enforcement, get information from secret FISA wiretaps: – Rule was if primary purpose was foreign intelligence – Rule now if significant purpose n To foreign intelligence, secret grand jury testimony can now go to CIA, etc., with no re-use limits in the law
Concerns with FBI/CIA changes n History from 1960s and 1970s of abuses n Risks insertion of foreign intelligence in domestic political groups n Already new proposals to have FBI surveil domestic groups n Possibility of large increase in secret wiretaps n Possibility of prosecutors using broad grand jury powers for non-criminal matters
Concluding Thoughts n After 9/11, greater focus on (cyber) security n Security vs. privacy n Security and privacy n Our homework
Greater Focus on Security n Less tolerance for hackers and other unauthorized use n Cyber-security and the need to protect critical infrastructures such as payments system, electricity grid, & telephone system n Greater tolerance for surveillance, which many people believe is justified by greater risks
Security vs. Privacy n Security sometimes means greater surveillance, information gathering, & information sharing n USA Patriot increases in surveillance powers n Computer trespasser exception n Moral suasion to report possible terrorists
Security and Privacy n Good data handling practices become more important -- good security protects information against unauthorized use n Audit trails, accounting become more obviously desirable -- helps fight sloppy privacy practices n Part of system upgrade for security will be system upgrade for other requirements, such as privacy
Our Homework n USA Patriot has 4 year sunset on many of the surveillance provisions n An invitation to get engaged, to study the pros and cons of the new provisions n Hearings are needed on computer trespasser, foreign/domestic, etc. n What can be the new forms of accountability? How stop potential abuses?
In Conclusion n USA Patriot Act is a work in progress n Imagine an architecture that meets legitimate security needs and also respects privacy n Better data handling often results in both n But need accountability to ensure that the new powers are used wisely n Lets get to work on that.
Contact Information n Professor Peter P. Swire n phone: (301) 213-9587 n email: firstname.lastname@example.org n web: www.osu.edu/units/law/swire.htm