Judge defangs Patriot Act

No ISP snooping for chastised Feds

A New York judge did the right thing last week when he threw out a USA-PATRIOT Act provision that forced ISPs to secretly co-operate with the FBI, and gave them no obvious avenue for appeal. It is "under the pressing exigencies of crisis that there is the greatest temptation to dispense with fundamental constitutional guarantees which, it is feared, will inhibit government action."

So stated United States District Judge Victor Marrero last week when he quoted a 1962 Supreme Court case in striking down the U.S. government's use of "National Security Letters" (NSLs) to force ISPs to give the FBI information about their subscribers. In essence, the court objected to the USA-PATRIOT Act's thesis that the enemy of the US government was a bunch of old men in robes. No, not the Taliban; the federal judiciary.

There are many ways for the government to get your ISP information. They can simply ask for it, and in many cases, ISPs have been more than willing to pony it up. If there is a criminal investigation, they can get a search warrant from a magistrate. They can issue a subpoena in the name of a federal or state grand jury. For foreign espionage and related cases, they can get a warrant from a special "FISA" court without having to show that there was a crime committed. In civil cases (say, your average defamation case, or copyright infringement) they can just issue a subpoena duces tecum to the ISP. Finally, many government agencies have the authority to - on their own, and without the courts - issue what are called "administrative subpoenas", which don't require a judge's approval in advance, but still can't be enforced without going to court.

So the old guys in the black robes can eventually get involved in all of these methods of getting your ISP information.

In the wake of the horrific acts of 11 September 2001, Congress passed the USA-PATRIOT Act, one provision of which allowed the FBI, upon a certification that the information was "relevant" to a terrorism investigation, to issue NSLs to ISPs. The statute said that the ISP "shall comply with a request for subscriber information and toll billing records information, or electronic communication transactional records", and that no ISP or its officers, employees or agents may "disclose to any person that the FBI has sought or obtained access to [the] information or records". In other words, if the FBI certifies that the records are relevant, the ISP must produce them, and may not ever tell anyone about the request.

Let's face it, terrorism investigations are a special breed, and disclosure of their existence and direction can imperil not only the investigation itself but also the lives of government agents, sources, cooperating witnesses, and potentially thousands of innocent potential victims of future terrorist attacks. Courts may not always appreciate the sensitivity of individual pieces of information, and certainly ISPs are unlikely to be able to discern what information should be secret, and what information may safely be revealed. Thus, there is an understandable justification for the government's desire to protect these sensitive investigations.

Judges? We don't need no stinking judges

But the statute Congress passed completely bypassed the federal judiciary. The courts had essentially no role in the process. They were precluded from determining if the government's claim that there was a terrorism investigation was supported by any evidence at all. The government also had to certify that the investigation was not solely of activities protected under the First Amendment. Without being able to review the NSLs and their basis (even in the utmost secrecy, as the FISA court does) there is no way to know if the government's interpretation of activities protected under the First Amendment is a fair and reasonable one - and there are no sanctions if the government is wrong or deceptive.

Worse than that, the ISP is between a rock and a hard place. The anonymous ISP plaintiff in the New York case technically violated the language of the law to bring it to the ACLU in the first place. Technically, it could not even consult with its own lawyers. If the ISP ignored the NSL, it would be in direct violation of the law, which mandates production. If it went to court to quash the NSL, it would be in direct violation of the non-disclosure provision. The only thing the ISP could do is to produce the demanded records. Even then, as the federal judge points out, they would not even know what records to produce.

The statute permits the government to issue an NSL for subscriber information - name, address, telephone number, credit card number, etc - of your Internet account. The ISP could also be forced to produce records of, for example, when you logged on and off, how long you were logged on for, presumably the location from which you logged on (or the modem you dialed to), and - the statute does not define this term - "electronic communication transactional records".

In the New York case, the FBI had issued an NSL demanding any data the ISP considered to be transactional records - forcing the ISP to determine not only the scope of the demand, but the definition of the statute. As the court noted, this could include source and destination email addresses, header information, routing information, IP address information, number, size and type of packets and a whole host of other information, including - the court noted - records of the websites and message boards visited and posted to.

It's not that the government can't get this information without USA-PATRIOT, but the courts have some kind of oversight in the process. By taking the courts completely out of the loop, Congress went too far.

Secret history

Courts are routinely entrusted with protecting secrets - even national security secrets. In arguing for USA PATRIOT's constitutionality, the FBI even suggested that ISPs can ignore the NSLs and force the FBI to go to court to have them enforced. This procedure is nowhere stated or implied in the statute, and it is absurd to think that this is what Congress intended in its battle against terrorism. No, what Congress intended was for ISPs, like everyone else, to routinely co-operate and trust that the government was acting in everyone's interest.

Congress can and likely will correct these problems. Several bills pending in Congress, including HR 3179, HR 3037 and S. 2555 would provide for judicial review and enforcement of terrorism related demands for ISP information. The Court suggested that these bills might correct the problem and allow the FBI to continue to issue NSLs to ISPs. Congress should go further and finally settle the debate over what information is and should be available under NSLs, and what information, like the content of Internet communications, demands stricter scrutiny.

I for one think and hope that every single NSL ever issued was for crucial anti-terrorism information essential to prevent another attack. I also believe that federal courts, faced with this evidence, will almost universally accede to the FBI's demand for records, and for secrecy.

It is because of my faith in the FBI's ability to convince the courts of the propriety and efficacy of its actions that I applaud Judge Marrero for striking down these unprecedented powers. The same day the court acted, I was attending a briefing about the methods used to crack secret German codes during World War II, efforts that were themselves initially classified. As the New York court pointed out, the obligations of secrecy imposed under the NSLs are perpetual. Future generations will be unable to evaluate this period of American history and make their own decisions about whether we acted properly. Any democracy will wither when it is not exposed to light.

Copyright © 2004, SecurityFocus

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.
