“Privacy & Security After September 11”
Professor Peter P. Swire
Ohio State University
University of Michigan Lecture
December 4, 2001
Overview of the Talk
My background and Clinton Administration on privacy and security
Wiretaps and surveillance, before and after September 11
Lessons going forward
Tonight’s talk -- bring out privacy and the logic of why greater security tools may be needed
I. My Background
1980 thesis on IT and effects on legal and economic thought
First Internet law article in 1992
Wrote on encryption, privacy, and other cyber issues
1999 & 2000 -- Clinton Administration
– Chief Counselor for Privacy
2001 Return to law teaching
Why the interest in privacy?
First wave of privacy activity
– 1970, Fair Credit Reporting Act
– 1974, Privacy Act (federal agencies)
– Rise of the mainframes
– Possibility of giant databases
– Develop fair information practices of notice, choice, access, security, and accountability
Second wave of privacy activity
Modern laptop or desktop -- everyone can have a mainframe
Rise of the Internet
Transfers are free, instant, and global
How do we respond to more databases and more transfers?
High interest in privacy, and the WSJ poll 9/99
Clinton Administration -- Privacy
Legal protections for sensitive data
– Medical privacy proposed and final rule
– Financial privacy law and rules
– Children’s Online Privacy Protection Act
Self-regulation as path to progress
– Internet privacy policies, rise from 14% to 88%
Government as a model
– Website privacy policies
– Cookies on website policy
Clinton Administration -- Security
Better computer security helps privacy, by keeping out unauthorized users
But, better computer security can threaten privacy, where have increased surveillance
– Federal Intrusion Detection Network (FIDNET)
– Carnivore e-mail surveillance program
Clinton Administration - Encryption
Security concern: FBI and NSA say strong encryption hurts security and lets criminals communicate freely
9/99 policy change: strong encryption necessary for strong military, e-commerce, and civil society
Helps privacy and security, because otherwise everyone’s communications are easily compromised
II. Wiretaps and Surveillance
History of wiretaps
2000 Administration proposal
2001 Bush/Ashcroft proposal and the USA Patriot Act
Wiretap History
1920s Olmstead
– Wiretaps permitted by police without warrant where tap applied outside your home
1960s Katz
– Reasonable expectation of privacy, even in a phone booth
1968 Title III
– Strict rules for content, more than probable cause, as a last resort, reporting requirements
History (cont.)
1970s Church Committee and FISA
– Keep CIA out of domestic spying
– Secret wiretaps in U.S., but only where primarily for foreign intelligence
1984 ECPA
– Some protections for e-mail
– Some protections for to/from information; pen registers (who you call); trap and trace (who calls you)
2000 Administration Proposal
How to update wiretap and surveillance for the Internet age
Headed 15-agency White House working group
Legislation proposed June, 2000
– S. 3083
– Hearings and mark-up in House Judiciary, further toward privacy than our proposal
2000 Administration Proposal
Update telephone era language
Upgrade email and web protections to same as telephone calls
Identify new obstacles to law enforcement from the new technology
Sense of responsibility -- assure privacy, give law enforcement tools it needs
2001 USA Patriot Act
Introduced less than a week after September 11
Describe new provisions
Computer trespasser exception
Walls down between CIA/FBI
4 year “sunset” for many surveillance provisions and what to do next
Updating telephone-era language
– Was “device” authorized by court order
– That worked well for a physical tap on a copper wire, but does it allow a sniffer program on web usage?
– Now “device or process”, so software access is clearly authorized
Roving taps
– Old days, order for each phone
– What if suspect buys a dozen disposable cell phones?
– But, how far can the order rove? Anyone in the public library?
– Problem -- less of a suppression remedy for email and web use
Emergency orders
– Any ongoing computer attack, or else ability to trace back may be lost
– Anything affecting “a national security interest”
– Are these too broad?
Nationwide trap and trace
– Old days, serve order on ATT and it was effective nationwide
– Today, e-mail may travel through a half-dozen providers, have needed that many court orders
– New law -- one order effective nationwide
– Query -- order from a judge in Idaho, served late at night, how do you challenge that?
Updating scope of data
Previously, pen/trap orders (to/from information) authorized to get “telephone numbers”
New law, any “dialing, routing, addressing, or signaling” information
Amendment -- “not including content”, but that was left undefined
Legally allows urls? Technically, can content be excluded?
Computer trespasser exception
Previous law:
– ISP can monitor its own system
– ISP can give evidence of yesterday’s attack
– ISP cannot invite law enforcement in to catch the burglars
Problem for:
– DOD and many hack attacks
– Small system owners who need help
Computer trespasser proposal
Law enforcement can “surf behind” if:
– Targets person who accesses a computer “without authorization”
– System owner consents
– Lawful investigation
– Law enforcement reasonably believes that the information will be relevant
– Interception does not acquire communications other than those transmitted to or from the trespasser
Computer trespasser
Issues of concern:
– Never a hearing in Congress on it
– No time limit
– No reporting requirement
– FBI can ask the ISP to invite it in, and then camp at ISP permanently
– Limited suppression remedy if go outside permitted scope
Law Enforcement vs. Foreign Intelligence
From the 1970s -- separate law enforcement (domestic, rule of law) from foreign intelligence (foreign, laws of war)
Lawyers in DOJ policed transfers, pretty strict
FBI official this fall: “all the walls are down now”
Supporting this change
Terrorism is both domestic and foreign
– World Trade Center shows a risk from keeping investigatory databases separate
– As a legislator, would you want to insist on the separation and risk another catastrophe?
The Internet
– E-mail and other communications are routinely across borders
– Intelligence gathering should be shared
“All the walls are down now”
To law enforcement, get information from secret FISA wiretaps:
– Rule was if “primary purpose” was foreign intelligence
– Rule now if “significant purpose”
To foreign intelligence, secret grand jury testimony can now go to CIA, etc., with no re-use limits in the law
Concerns with FBI/CIA changes
History from 1960s and 1970s of abuses
Risks insertion of foreign intelligence in domestic political groups
Already new proposals to have FBI surveil domestic groups
Possibility of large increase in secret wiretaps
Possibility of prosecutors using broad grand jury powers for non-criminal matters
Concluding Thoughts
After 9/11, greater focus on (cyber) security
Security vs. privacy
Security and privacy
Our homework
Greater Focus on Security
Less tolerance for hackers and other unauthorized use
Cyber-security and the need to protect critical infrastructures such as payments system, electricity grid, & telephone system
Greater tolerance for surveillance, which many people believe is justified by greater risks
Security vs. Privacy
Security sometimes means greater surveillance, information gathering, & information sharing
USA Patriot increases in surveillance powers
Computer trespasser exception
Moral suasion to report possible terrorists
Security and Privacy
Good data handling practices become more important -- good security protects information against unauthorized use
Audit trails, accounting become more obviously desirable -- helps fight sloppy privacy practices
Part of system upgrade for security will be system upgrade for other requirements, such as privacy
Our Homework
USA Patriot has 4 year sunset on many of the surveillance provisions
An invitation to get engaged, to study the pros and cons of the new provisions
Hearings are needed on computer trespasser, foreign/domestic, etc.
What can be the new forms of accountability? How stop potential abuses?
In Conclusion
USA Patriot Act is a work in progress
Imagine an architecture that meets legitimate security needs and also respects privacy
Better data handling often results in both
But need accountability to ensure that the new powers are used wisely
Let’s get to work on that.
Contact Information
Professor Peter P. Swire
phone: (301) 213-9587
email: [email protected]
web: www.osu.edu/units/law/swire.htm