Politics: Weighing Security Against Liberties
id="article-body" class="row" section="article-body">
Politics: Weighing security against liberties By John Borland and Lisa Bowman
Staff Writer, CNET News.com
August 27, 2002, 4:00 a.m. PT
SAN FRANCISCO--Earlier this year, a few California scuba divers found out just how far the long arm of the law can reach since Sept. 11.
Federal agents concerned about scuba-related terrorist plans requested the entire database of the Professional Association of Diving Instructors. Unbeknownst to most of its members, the organization voluntarily handed over a list of more than 100,000 certified divers worldwide, explaining later that it wanted to avoid an FBI subpoena that would have required far more information to be disclosed.
Cindy Cohn, an attorney with the Electronic Frontier Foundation and a diver listed in the database, was livid after learning of the incident. Such concerns resonate with particular volume in this liberal city where the EFF is based, which has a long history of protesting government intrusion.
"You participated in creating an FBI file on me and all the rest of your customers, loyal Americans who have done nothing wrong and who now face the process of increased surveillance by virtue of the fact that we did business with you," Cohn wrote in a letter to the Southern California-based divers association.
Since Sept. 11, databases containing information on tens of thousands of ordinary people have found their way into the hands of federal investigators hungry for any scraps of data that might serve as leads in terrorism investigations. Grocery shopping lists, travel records and information from other, more public databases have all been caught in the government's antiterrorism net.
In this security-conscious climate, it seems that no activity is off limits to government inspection--and with good cause, many would say. After all, no one predicted that flight school students would bring down the World Trade Center towers, and few would advocate withholding information that could prevent another terrorist attack. Polls show that many people are willing to tolerate increased surveillance, higher encryption standards and other measures for the sake of security.
But civil libertarians worry that the increased investigative powers granted since the attacks, and people's eagerness to comply with them, have needlessly entangled innocent citizens and threaten to undermine constitutional rights to privacy and free speech. Even without explicit limitations, some say that fear of reprisal may have a chilling effect on public behavior.
Either way, those on all sides of the issue agree that the country has undergone changes both psychological and practical, perhaps as subtle as a reluctance to visit an Islamic Web site or as obvious as federal legislation seeking broader online surveillance by law enforcement authorities. While civil libertarians decry the changes, however, their warnings aren't being widely embraced.
"People pretty readily let go of privacy concerns as soon as security is involved," said Jonathan Zittrain, co-director of Harvard University Law School's Berkman Center for Internet and Society. "To the extent that the concern about privacy is a concern about abuse of information by the government...what is the greater threat, terrorism or a government run amok? People are generally going to say terrorism."
Ironically, despite its libertarian roots, the Internet has arguably hastened that shift. Given the proliferation of log files and massive customer databases, combined with easy access to controversial sites and other information, the Net has accelerated the debate over electronic information and terrorism.
Perhaps most worrisome to Arab Americans and privacy advocates, the FBI has proposed easing 1970s-era restrictions that prevent them from spying on people based solely on political activities. Under the new guidelines, agents would be able to mine publicly available databases even if they aren't conducting a specific investigation, carrying out what civil liberties activists worry would be a digital fishing expedition producing nothing but massive amounts of irrelevant data.
Information on exactly what databases have been tapped is scarce, but some instances have come to light:
An informal poll conducted by the Boston Globe and the Privacy Council consultancy found that 64 percent of travel-related and transportation companies had given federal investigators access to customer or employee data after Sept. 11. Only 14 percent of those companies informed customers of their actions.
Privacy Council CEO Larry Poneman said in a recent interview that an unnamed supermarket chain had given shopping club card records to federal investigators.
Lexis/Nexis, the massive database containing news articles, legal filings and public records of all kinds, says it is working more closely with law enforcement on several fronts since last September, including "authentication" of individuals' identity.
Civil libertarians complain that federal authorities are giving little to no indication of how this information is being used. A recent attempt by several congressmen to obtain a report on how the new legal tools were being used in investigations was rebuffed by the Justice Department, which asked for more time to answer their detailed questions.
"It's very important that that information be disclosed," said David Sobel, general counsel of the Electronic Privacy Information Center, a group that helped bring the FBI's use of Net monitoring tools to light for the first time with its Freedom of Information Act requests.
EPIC, along with the American Civil Liberties Union and the American Booksellers Foundation for Free Expression, filed on Aug. 21 its own Freedom of Information Act request for details on how Patriot Act powers are being used.
"There aren't yet any answers," Sobel said.
Nor is it clear what online behavior might be considered suspicious--and some believe that Internet service providers, companies and organizations may take unduly severe actions on their own in erring on the side of caution. Overzealous network managers, for example, could arbitrarily restrict certain communication or access to some Web sites, just as they often block pornography or filter e-mail that contains obscenities.
More spying or same as it ever was?
Much of the security-vs.-privacy debate has centered on legislation enacted quickly after the September attacks, the turgidly named "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act."
The American Civil Liberties Union called it a far-reaching law that badly undermined privacy and judicial oversight. Many of the nation's largest newspapers editorialized against the measure as reactionary.
Nine months later, however, many judicial experts are playing down initial fears over the legislation's severity. A law review article scheduled for publication early next year by former Justice Department attorney Orrin Kerr provides one of the first detailed analyses of the so-called Patriot Act that compares it to previous investigative practices.
"The law is a lot more balanced than people thought," Kerr said, adding that it does little to change the way authorities do their jobs. "The government ended up introducing a law that didn't really take any major steps."
At its core, the Patriot Act explicitly spells out new rules under which authorities can monitor online communications such as e-mail or Web surfing. As was the case with wiretapping or other surveillance, agents must get judicial permission to obtain more information.
Under the law, authorities can obtain information such as where e-mail was sent or originated, and at what time. Roughly analogous to reading an envelope but not the letter inside, this means no court order is needed. If agents want to monitor an Internet service account to determine when messages are sent, www.parkmykid.com they need a judge's permission but with relatively little justification.
If agents seek the contents of a missive, which would include such elements as the body and subject line of an e-mail, they would need a court order requiring a much higher level of justification, legal experts say. Although new, these laws mirror previously secret court decisions on FBI attempts to install high-tech spying equipment, according to Kerr and lawyers representing ISPs.
ISPs are reluctant to discuss surveillance details, citing national security concerns. But they do say that surveillance requests have increased since last September, though their extent is difficult to gauge.
"There has been some upswing, but it's not very significant," said Mike Harrad, a spokesman for Road Runner, Time Warner's cable Net service. "The view here is that the increase in requests has probably more to do with the more vigilant approach taken by enforcement agencies in the post-9/11 world than it has to do with the Patriot Act per se."
Others are more concerned. "In some instances, law enforcement is being aggressive in interpreting USA Patriot to go beyond what was intended," says Stewart Baker, a Washington attorney who represents ISPs.
Baker and other ISP sources say some law enforcement agents make requests for records of subscribers' past communications--for which no court order is needed--so frequently that it has nearly amounted to real-time information. For instance, agencies might request information about a subscriber several times a day or more, instead of seeking a week's worth of log files.
Authorities hitting the books
Libraries also have concerns about the Patriot Act, particularly provisions that lower the standards for obtaining patron records. Under one portion of the law, federal agents need only a search warrant--which requires immediate release of the records--and no longer have to show that they might find evidence of a crime.
What's more, the process is now secret. The court that approves these searches holds closed sessions, and librarians face prosecution if they disclose information about the inquiry to anyone, including the subject of the investigation.
For years, many libraries have had electronic systems that delete checkout records after a few weeks. But information about people who have books checked out and those who owe fines are kept in the database until they return the books or pay the fees.
Of 1,026 libraries surveyed by the American Library Association earlier this year, 85--or 8.3 percent--had received Sept. 11-related requests for records from government agents.
"If you use libraries, whatever you take out is information that could be demanded by the FBI," ALA President Mitch Freedman said. "The library user is just one small person who's been impacted by this dramatic expansion of investigative powers."
The FBI and other law enforcement organizations declined to comment on any details regarding terrorism-related investigations. But comments made by officials in public have heightened concerns among civil liberties groups.
On a recent trip to San Francisco, John Frazzini, a special agent with the Electronic Crimes Branch of the Secret Service, pleaded with companies to cooperate more fully in online investigations and report break-ins. He also warned of new crackdowns on hackers.
"If you're a U.S. citizen and you're breaking into computer networks, not only are you criminal but I think you're unpatriotic," he said.
Although they do not know of any prosecutions based on post-Sept. 11 changes, defense attorneys say they are already seeing their effects in other ways. Jennifer Granick, a defense attorney and director for Stanford University's Center for Internet and Society, said she and her colleagues have noticed that judges and juries are far more wary of hackers than they have been in years and are enforcing existing laws more actively.
"They hear you're a hacker, and in this post-9/11 climate, they just get scared," Granick said, adding that technologists and hackers who point out legitimate security concerns risk getting caught in law enforcement's new web.
She points to a case in Los Angeles, in which a man faced criminal charges after posting information on a Web site that pointed out insecurities in some e-mail software and offered a repair. The man was convicted under a federal computer break-in law and is awaiting sentencing.
"We are dismantling the checks and balances and basically letting government have a free-for-all," Granick said. "It may get uglier before it gets better."
Day 3 - Lessons: Networks as lifelines
WASHINGTON--Just over a year ago, a powerful legion of U.S. politicians strove to limit government surveillance of e-mail. Then came Sept. 11. Politicians endorsing privacy have since become scarce, losing the high ground to their pro-security counterparts, and laws previously unthinkable have been enacted with little dissent.
The abrupt change on Capitol Hill occurred with astonishing rapidity. Two days after jets crashed into the World Trade Center and the Pentagon, a pair of events took place that set the trajectory for the next year of debate over the future of technology, privacy and surveillance.
First, the Senate veered in exactly the opposite direction as the House did one year before. By a unanimous vote, the Senate approved a bill authorizing the FBI to use its Carnivore Net-surveillance system without obtaining a court order. The sponsors of the Combating Terrorism Act argued that it was necessary to thwart future terrorist strikes.
"It is essential that we give our law enforcement authorities every possible tool to search out and bring to justice those individuals who have brought such indiscriminate death," Sen. Orrin Hatch, R-Utah, said during the bill's floor debate.
The second event was a Sept. 13 floor speech by Sen. Judd Gregg, R-N.H., who called for a global prohibition on encryption products without backdoors for government surveillance.
"This is something that we need international cooperation on and we need to have movement on in order to get the information that allows us to anticipate and prevent what occurred in New York and in Washington," Gregg said.
His speech came at a time when privacy and national security, long at odds, had reached an uneasy detente, with privacy gaining ground. In response to business pressure and the reality of encryption embedded into everything from Linux to Internet protocols, the Clinton administration had chopped away most regulations intended to limit crypto dissemination.
As a measure of how suddenly the political winds have shifted from protecting business interests to protecting national security, consider this: Gregg has won 100 percent ratings from the U.S. Chamber of Commerce and the National Federation of Independent Business.
Yet the balance of power has not shifted entirely in favor of law enforcement. Gregg's hope for crypto restrictions--which drew applause from newspaper editorialists and some conservative activists--was defeated by an immediate outcry and mobilization by researchers, businesses and consumer activists.
"What's changed is a massive expansion of authority for the government to engage in all sorts of searches and surveillance, particularly electronic surveillance," says Barry Steinhardt, associate director of the American Civil Liberties Union.
Law enforcement has sought, and in some cases won, new measures that expand investigative powers in the wake of Sept. 11. Here's a roundup. What: Cyber Security Enhancement Act
When: July 2002
Status: Passed the House
What it does: Would allow for life sentences for hackers; would allow police to obtain suspects' telephone numbers, IP addresses, URLs or e-mail header information--but not the contents of messages--without a court order in the case of an "ongoing attack" on an Internet-connected computer or "an immediate threat to a national security interest."
What: TIPS program
When: July 2002
Status: Proposed by White House
What it does: Would create a group of volunteer citizens who would report suspicious activity. Volunteers could come from the ranks of mail carriers and cable technicians. Information may be kept in a database.
What: FBI reorganization
When: May 2002
Status: In the works
What it does: Makes cybercrime a new priority, creates a Cyber Division and devotes more agents to tech-related issues.
What: Loosening regulations on information gathering
When: May 2002
Status: Proposed by Dept. of Justice and FBI
What it does: Would allow agents to frequent public places, such as mosques and libraries, and mine publicly available databases for suspicious activity, even if they're not conducting a specific investigation.
What: USA Patriot Act
When: October 2001
What it does: Gives law enforcement officials expanded powers to monitor suspected terrorists and criminals by, among other things, lowering judicial oversight of monitoring tactics, increasing information sharing among agencies, broadening the definition of a terrorist, and increasing the amount of information agents can seek from ISPs.
Comments Notification on Notification off Tech Industry