passage of the USA Patriot Act, the controversial new surveillance law
changes little for Internet service providers and telecommunications
companies, an attorney and former NSA official said Tuesday.
"It seems to me that despite a remarkable amount of discussion about how
important this bill is, it's been over-hyped in people's minds as to what
it actually does," said Stewart Baker, a partner at the D.C.-based law
firm Steptoe and Johnson, speaking on a panel at Microsoft's Trusted
One of the new law's most controversial provisions allows law enforcement
agents to secretly monitor Internet user's email 'From' and 'To' lines
without a wiretap warrant, simply by certifying that the information would
be useful to a criminal investigation.
But don't look for a dramatic increase in deployment of the FBI's
"Carnivore" Internet surveillance tool, Baker said, because the Bureau was
performing such surveillance years before the bill passed, without
Congress' explicit approval.
"For the most part, law enforcement was already doing that, and businesses
weren't challenging it, or had lost those challenges," said Baker.
Other provisions in USA Patriot, which passed late last month over
objections from privacy and civil liberties groups, might help businesses
combat computer crime, by clarifying what they're able to share with law
enforcement, said Baker.
"If you have a computer hacker in your system, it used to be problematic
as to whether you could bring in the government to watch over your
shoulder while they hack your system," said Baker. USA Patriot explicitly
allows ISPs, universities and network administrators to consent to
government monitoring of computer trespassers.
But that silver lining for business was little consolation to the privacy
advocates on the panel.
Alan Davidson from the Center for Democracy and Technology accused
Congress of "gutting privacy protections" for Internet users, and tearing
down the wall between law enforcement investigations and intelligence
gathering. "Taken together, they are going to provide for far more
surveillance on many more Americans than we've seen in the past," said
LIABILITY RISK. Baker said one provision of the new law may open up Internet service providers and telecommunications companies to lawsuits, if they provide information to law enforcement too freely.
At issue is the "roving wiretap" provision of USA Patriot, which lets the
FBI obtain court orders that apply to any telephone or Internet connection
used by a suspect, regardless of who owns it.
The risk to a telecommunications provider, says Baker, is that law
enforcement agents could show up with a warrant that names one person,
while seeking surveillance assistance against another. Law enforcement
could claim that they're entitled to monitor the innocent customer's
account because the suspect named in the warrant is borrowing it. But if
the provider doesn't document that assertion, the customer might sue them
"From a business point of view it's going to be essential that businesses
insist on a paper trail from government," said Baker.
No stranger to electronic surveillance issues, Baker served as general
counsel of the super-secret National Security Agency (NSA) in the early
nineties, acting as the agency's public face in its efforts to block
widespread adoption of unbreakable cryptography.
Today, Baker represents phone companies working to comply with a federal
law that mandates their networks be wiretap friendly. Sounding much like a
privacy advocate himself, Baker complained about the legal structure
surrounding law enforcement surveillance in the U.S., which includes no
requirement that innocent targets of government surveillance be notified
that they were ever watched.
"The only people who find out they've been a victim of questionable search
are people we indict, and that's nutty," said Baker. With the war on
terrorism underway, "there are a lot of innocent people who are going to
have their information gathered. They should be given notice," Baker said.
Microsoft's Trusted Computing Forum 2001 gathered 150 representatives from
government, business, academic and advocacy groups to discuss security and
privacy matters. The forum continues through Thursday. By Kevin Poulsen