Blog entry from
Patching the Dragnet (An Overview of the USA Patriot Act)
Patching the Dragnet
(An Overview of the USA Patriot Act)
By: David Williams Russell, Partner
Harrison & Moberly, LLP, Indianapolis
A.Overview.
Back in the days of derring-do, when “Wild Bill” Donovan created the Office of Strategic Services (“OSS”) and Allen Dulles dispatched double-agents from the OSS successor, the Central Intelligence Agency (“CIA”), our government intelligence was a strategy game. The best and brightest were recruited from the Ivy League, trained in subterfuge and running agents, and dispatched on dangerous missions to work with scurrilous traitors to unearth the plots of our enemies. International espionage meant hard bargains, like the dubious partnership with the Mafia to deliver poisoned cigars to Castro.
It was the refracted game portrayed in Norman Mailer’s Harlot’s Ghost, of wheels within wheels, secrets within secrets. It was abstract and medieval, but there was method and strategy to it.
If we could discover the secrets of our enemies, as we had with the Japanese and German secret codes during World War II, we could outflank and perhaps disarm our enemies. Remember the Cuban missile crisis when our surreptitious spy plane photographs were used strategically to force the Russians to take their missiles out of Cuba?
Unfortunately the strategic approach to intelligence depended too much on a few good men deployed by leaders of superior ability and it began to experience some notable failures. Remember the Bay of Pigs, the inadequately planned CIA invasion of Cuba based on faulty CIA predictions of Cuban resistance?
By the mid-1960’s, we were well into the dawning of the information age, and it was time to replace flimsy U-2 high altitude spy planes flown by oddball pilots like Francis Gary Powers with orbiting spy satellites with remote sensing devices, night vision and state of the art tele-optics feeding information to huge UNIVAC super computers crunching information in nanoseconds deep in the bowels of the huge government intelligence complexes which began covertly to be established, in part financed through secret government appropriations. Intelligence gathering was still “hush-hush,” but it had been centralized and bureaucratized. The emphasis had been shifted from the vulnerable spy “out in the cold,” to the cosseted technocrat conducting ultra-sophisticated data analysis deep within the intelligence community.
The shift from strategic, as in OSS, the Office of Strategic Services, to central, in the case of its successor, the CIA, or Central Intelligence Agency, was aided by changes in technology. Vast amounts of data could be gathered by central monitoring of huge telephone trunk lines or broadband microwave transmissions, and the big UNIVACs could sort and sift it all out and feed the results to teams of CIA or FBI or Justice Department analysts.
This centralized, bureaucratic operation of the CIA (and the FBI and Justice Department in purely domestic matters) had advantages. It was more amenable to political control, so Bay of Pigs-type embarrassments could be avoided. It was compatible with the increasing centralization of technology within the military-industrial complex. Most important, our main cold-war enemy, the Soviet Union, was itself a centrally-planned economy which managed itself with even bigger, more mathematically advanced supercomputers than we used. Using our détente strategy, if we could get a hint of what the Soviets were doing, we could block it, preventing adverse moves. We had little need to know what the enemy was doing before it happened. Both sides were playing a long-term game for huge stakes. Our approach deterred sudden moves.
But then, at the end of 1989, the Berlin Wall came down, and first the Soviet Bloc, then the Soviet Union and finally the world order itself, started to unbundle.
At the same time, the same thing started happening with technology via the Internet. Originally designed by government contractors and agencies to share information amongst themselves, the Internet was based upon a method of electronic communication called “packet switching.” In packet switching, information is broken down into individual bundles of electronic impulses, and each bundle proceeds via a web - or net-like network to a receiving point, at which point the various bundles, each of which may have followed a different path across the network to the ultimate address, are reassembled into the original message.
The Internet and its progeny, the Worldwide Web, from the mid-1990’s on, completely changed and unbundled the communications paradigm. As Internet usage mushroomed and then supernovaed, it was no longer possible for intelligence officers to sit in central locations and monitor communications. To intercept an e-mail, unlike a letter, telephone call, telefacsimile, telex, telegraph, radio or telephonic communication, you either had to intercept it at the dispatch or at the receiving computer, or else gain access to the records stored on the disc memories of these computers. Mere central monitoring along the transmission route would no longer suffice.
Furthermore, the various federal laws on communications interceptions, ranging from laws on money laundering to the wiretap laws, while oriented towards electronic communications, varied greatly in the extent to which they could be adapted to increasing terrorist threats – particularly where cyberterrorism – mainly terrorism involving e-mails – was involved.
What followed the unbundling of the world order was a series of increasingly aggressive hostile – but low-tech - attacks against the United States and its institutions. Suicide bombers boated a bomb into the side of a United States warship. A disgruntled Army veteran blew up a federal building in Oklahoma City employing a rental truck and converted fertilizer to make a massive vehicle bomb. Abruptly our enemies had become terrorists seeking to shock and without the resources to play a waiting game.
Finally, on September 11, 2001, marginally educated, suicidal middle easterners used then-legal pointed hand tools to commandeer domestic aircraft they could barely steer, much less fly, and crashed them into the biggest buildings in the United States, thereby causing the most damage and loss of life of any domestic terrorist incident since the Japanese sneak attack on Pearl Harbor 60 years before.
Not surprisingly, some critics began to suspect that the centralized approach to intelligence gathering was no longer proving as effective as it had been during the cold war and that a return to a more strategic approach using well-trained humans to infiltrate terrorist cells, and possibly having more predictive capabilities might again make sense.
But redeployment of a vast federal bureaucracy takes time. What could be done, now?
We started slowly. First we banned pointed hand tools on airlines.
Then we started rounding-up and jailing roughly 8,000 (mostly middle-eastern) immigrants to make sure they weren’t terrorists.
Then we federalized the high-school dropouts who manned the aircraft checkpoints nationwide. The original plan had been to replace them all with better trained and educated federal employees. Subsequently it was feared that educated people might be too bored to be good checkpoint checkers (thereby ignoring the possibility that the present cadre of high-school dropouts might have dropped out from boredom). The real problem was time and money. It would simply be too expensive and take too much time to replace all the airport checkers and train new ones.
We also bombed the government of Afghanistan - known to be friendly to people with connections to the suicide bombers - out of power, invaded and conquered Iraq in the perhaps vain hopes of establishing a beachhead and bastion in the middle-eastern, terrorist-spawning heartland, and prepared to attack other governments determined to be “evil empires” fostering or encouraging terrorist attacks on the United States. While the strategy we employed might be deemed by some to embody the ancient Chinese technique of ‘killing the chickens to scare the monkeys,” since we were engaging few, if any terrorists in these actions, it may have been somewhat effective in deterring new terrorist attacks in the United States, since there have been no major such attacks since 2001.
You may note, however, that none of these United States reactions has utilized many of the centralized, high-technology methods of intelligence gathering favored by the CIA, FBI and Justice Department. Indeed, it is reported that the Army is so disillusioned with the quality of the CIA’s intelligence as to the whereabouts of one Osama Bin Laden, an avowed terrorist and enemy of the United States, that it is beginning to disregard it and enhance its own intelligence-gathering capabilities.
In the aftermath of the September 11, 2001, attacks, however, the United States intelligence community put together a laundry list of provisions designed to patch perceived holes in the pastiche of security laws in their arsenal and to grant to the FBI and Justice Department the same sorts of freewheeling intelligence gathering powers at home that the CIA has employed abroad for years. This laundry list, by and large unmodified by Congress, is essentially what passed and was signed into law by President Bush on October 26, 2001, as the USA Patriot Act of 2001 (“Patriot Act”).
The true dimension and scope of the Patriot Act as applied may never be known, since so much of its operation will be, by design, conducted covertly, often without the oversight of the judiciary.
It is, however, intriguing to observe that the preponderance of the provisions of this huge piece of legislation, over 150 pages in length, are specifically directed towards the Internet or electronic types of cybercrime or cyber terrorism.
Unquestionably, whatever one’s political view of the Patriot Act, one result has been that a great deal more information is being swept up in the government’s intelligence dragnet.
Unfortunately, if history provides guidance, more information is rarely the answer to intelligence problems. More often the problem is too much undigested information making cogent predictions impossible. Reportedly, for example, the United States government had adequate raw information in its various systems to anticipate and perhaps defend against the Japanese strike at Pearl Harbor. What was lacking was adequate digested and analyzed intelligence at the appropriate decision levels to enable prediction and deterrence of the Japanese attack.
With this in mind, consider a couple of predictions regarding the Patriot Act.
First, the bad/good news, depending upon your perspective, is that, as a result of the Patriot Act, our government will have ever more information, making it far easier for federal prosecutors to build a case against perpetrators of terrorist and other (particularly cyber -) crimes and acts.
Second, the good/bad news, depending upon your perspective, is that, as the result of the Patriot Act, it is unlikely that our government will be able to discover or deter significantly more violent crimes and acts as a result of the Patriot Act. The sheer volume of information to be gathered, in addition to the staggering amount of information currently being gathered, by our intelligence establishment is virtually impossible to subject to a cogent strategic analysis in time for decision makers to act prior to the commission of futilely tragic acts of terrorism, so the limited predictive value of our security network is likely to continue.
B.A Summary of Certain Provisions of the Patriot Act
With the foregoing overview as background, let us examine generally, some of the major provisions of the Patriot Act.
The Patriot Act is divided into ten subtitles as summarized briefly below:
Title I – Entitled “Enhancing Domestic Security Against Terrorism,” generally provides background authority for the Patriot Act’s initiatives, most significantly including an extra $200,000,000 per year for “technical support and tactical operations,” presumably to assist the FBI in handling all the extra counterterrorism activities, including information handling, requisite under the Patriot Act.
Title II – Entitled “Enhanced Surveillance Procedures” predominantly deals with surveillance of electronic communications, including Internet and computer traffic.
Title III – Entitled “Internet Money Laundering Abatement and Anti-terrorist Financing Act of 2001” predominantly deals with money laundering, principally electronically, but also with currency crimes such as counterfeiting.
Title IV – Entitled “Protecting the Border” relates to immigration and border protection.
Title V – Entitled “Removing Obstacles to Investigating Terrorism” authorizes payment of rewards to combat terrorism, contains measures to coordinate the activities of various federal agencies, and requires disclosure to law enforcement of by educational institutions of certain student and survey information.
Title VI – Entitled “Providing for Victims of Terrorism, Public Safety Officers, and Their Families,” authorizes additional financial aid for victims of terrorism.
Title VII – Entitled “Increased Information Sharing for Critical Infrastructure Protection” essentially provides additional funds for the Bureau of Justice to fight domestic terrorism nationwide.
Title VIII – Entitled “Strengthening the Criminal Laws Against Terrorism” creates new domestic terror crimes and redefines old ones in fields, including cyber-terrorism and attacks on communities and transportation facilities.
Title IX – Entitled “Improved Intelligence” grants new security and intelligence gathering powers and rights to the CIA.
Title X – Entitled “Miscellaneous” defines “electronic surveillance” broadly and contains a number of catchall provisions.
* * *
Given that brief summary of the various Titles of the Patriot Act, let us now survey those of its provisions which could have the most significant impacts upon privacy rights, electronic commerce and banking, a many of which deal with perceived “holes” in the nation’s intelligence dragnet.
1. Title II – Augmenting the Cybercrime Net.
Many of the electronic surveillance “fixes” in the Patriot Act are outlined in Title II. Some of the more interesting provisions include:
(a) Voice Communications.
Section 202 allows voice communication by computer wire to be intercepted under the federal wiretap statute formerly only useful for authorizing telephone taps, while Section 209 allows stored voice mail to be intercepted pursuant to a mere search warrant, without need to comply with the more stringent requirements for a wiretap, so long as the voice mail is stored off site outside the user’s possession.
(b) Financial Information.
Section 210 makes it possible for investigators of users of communication services to obtain their financial records and the identities using only a subpoena without necessitating the court supervision obtaining a search warrant would entail.
(c) Cable and Non-Cable Communication Services.
Section 211 deletes privacy protections for cable subscribers who communicate via cable, making cable subscribers subject to the same wiretap and telephone trap and trace procedures as apply to telephone users, while Section 212 allows communications providers “voluntarily” to disclose content and non-content communications to law enforcement in emergencies involving the risk of death or injury to anyone.
(d) Secret Searches.
When a search has been conducted pursuant to a search warrant and/or when “under reasonable necessity” property or communications have been seized during a search, Section 213 allows notice that the search has been conducted to be “delayed” indefinitely to avoid an “adverse result.” Prior federal law had required prompt contemporaneous notice of such search warrants and seizures to enable scrutiny for accuracy, proper issuance and the like. (Note: This provision has does not “sunset” in 2005.)
(e) Telephone and E-Mail Records Monitoring.
Section 216 allows any United States Attorney or state attorney general to conduct or order real-time “pen register” surveillance, short of actual interceptions or monitoring of the actual contents of messages, via systems like Carnivore of anyone’s computer activities, including every Web-address visited or the address of every e-mail correspondent communicated with, without first obtaining a court order. (Note: This provision does not “sunset” in 2005.)
(f) Police/Private Monitoring of “Computer Trespassers.”
Section 217 allows computer servers not only to monitor the activity on their machines to protect their computers, but to get police help in doing so. An open issue is whether an employee of the computer owner could be monitored by his employer and turned in to the police as a trespasser. The definition of “computer trespasser” expressly excludes any person “known by the owner or operator of the protected computer to have an existing contractual relationship with the owner or operator for access to all or part of the computer.” 18 United States Code Section 510(21). Probably employees would be deemed “authorized users,” which should exempt them, but there could be an issue whether the employee’s “authorization” to use the computer arises to the level of a “contractual relationship” to do so. The same concern arises where there are other communities of computer users such as in libraries and universities where computer access is informal and specific “authorizations” or “contractual relationships” may be difficult to establish.
2. Title III – Money Laundering Morphs Electronic.
Money laundering provisions comprise the bulk of the Patriot Act. These provisions potentially impact import/export businesses, international business transactions, and financial dealings with foreign banks and foreign officials. The breadth and depth of the provisions is staggering. The overview is that banks have had very significant responsibilities to monitor and report to the government financial transactions by their foreign and domestic customers at least since the enactment of the Bank Secrecy Act in 1996, although some of banks’ duties date back to 1987. In the main, the Patriot Act seeks to bring other non-bank financial institutions within the reporting framework previously applicable to banks, while only slightly increasing the burdens on the banking industry. Take note of the following:
(a) Worldwide Jurisdiction.
In money laundering cases, all foreign banks having accounts in the United States are deemed subject to United States jurisdiction, including the power to obtain records and information regarding their customers. Long-arm jurisdiction over money laundering activities is deemed worldwide. Sections 317, 318.
(b) Foreign Corrupt Practices Act.
Now bribery of foreign officials can be the basis for a money laundering prosecution. Section 315.
(c) Terrorists Forfeit Property.
Suspected terrorists may forfeit assets, Sections 316, 319, 320, 322, 371, 372, even when the assets are in the United States and the judgment against the terrorist is rendered by a foreign court. Section 323.
(d) Unlicensed Conduits.
Unlicensed money transmitting businesses commit federal offenses. Section 373.
(e) Banks Must Establish Money Laundering Compliance Programs.
Section 311.
(f) Banks Must Scrutinize Private Banking and Correspondent Accounts.
Section 312.
(g) Offshore Banking Will Be Monitored.
Sections 311, 312, 313.
(h) Securities Broker/Dealers Will Have to Report “Suspicious Activities.”
Section 356.
(i) Currency Crimes Expanded.
Sections 371-377. Includes a 20 year prison penalty for copying United States currency and transmitting its image via the Internet. Section 375.
3. Title IV – Immigrants Lose Protections. In many ways, the Patriot Act hits immigrants harder than other groups. A couple of examples include the right to incarcerate a foreign a foreign citizen suspected of terrorism, but not subject to deportation, for up to 6 months with the approval of the Attorney General. Section 412. Section 414 calls for “utilization of biometric technology,” like face identification, eye or finger readers, for immigrant identification.
4. Title V – Title II‘s Electronic Surveillance
Expansion Mirrored for Communications Providers.
(a) Telephone and Credit Records.
Telecommunications companies and Internet service providers must turn over customer information, including numbers called or sites or addresses accessed, to the FBI without a court order and are forbidden to tell anyone they did so. Credit reporting companies must turn over all information requested to the FBI without a court order. Section 505.
(b) Educational Records.
Educational records of anyone must be surrendered to an Assistant Attorney General obtaining an ex parte court order therefor. Section 507. Records held pursuant to the National Education Statistics Act similarly must be turned over. Section 508.
5. Title VIII – “Terrorism” Broadly Redefined.
(a) “Terrorism.”
“Terrorism” now includes crimes currently deemed computer crimes, such as hacking into a federal system or damaging any Internet-connected computer, and now includes biochemical attacks. Section 808.
(b) RICO Applies to Terrorism.
Section 813 provides that the federal Racketeer Influenced Corrupt Organizations Act also applies to terrorism.
(c) “Cyberterrorism.”
“Cyberterrorism” is a new crime against hacking causing over $5,000 in damages or damage to medical equipment or physical injury. Section 814.
(d) Computer Forensic Laboratories.
Computer forensic laboratories are to be established by the Justice Department to analyze computer data concerning terrorism and cyberterrorism. Section 816.
C. Treaty on Cybercrime.
While we were busy enacting the Patriot Act, the Council of Europe was developing its own Treaty on Cybercrime, to which the United States soon will be a party.
Review of this draft treaty reveals that, not only does it call upon all countries to enact laws with the breadth and scope of the Patriot Act, but it in effect creates a national consortium of nations, all with the power, not only to snoop on their own cybercriminals, but to snoop on alleged cybercriminals identified by foreign governments. This treaty’s provisions go well beyond comity, and could raise some tricky issues should our government, for example, begin spying on its own citizens for the benefit of a foreign government.
Since treaties, once enacted, trump domestic law, this treaty, and its implications through amendments to the Patriot Act, will bear watching.
D. Conclusion.
At a time when our country has never needed an insightful, strategic approach to domestic and foreign terrorism more, the USA Patriot Act represents a frenzied attempt to augment the legal dragnet to seine up ever more data to be screened by an ever larger bureaucracy which soon will demand that all immigrants, and eventually all Americans, carry national identity cards imbedded with face, eye and finger scan data, to be used for entry and egress to venues of all sorts.
As the federal bureaucracy burgeons, and as the sheer cost and impossibility of adequately monitoring the looming masses of centrally collected data threatens to overwhelm the government, many successful prosecutions will result, but terrorist acts will continue to be unpredictable and to occur from time to time.
Americans will then be forced to decide whether to accept the uncertainties and risks that inevitably accompany the acceptance of our freedoms and responsibilities. The alternative will be to cede more and more of our independence and privacy to an overloaded bureaucracy which will inexorably demand more and more information to feed to the great sucking maws of its supercomputers, while remaining categorically unable, despite its best intentions, to protect us from the perils and vicissitudes of life in uncertain times and from the certainty of our deaths.
In his brilliant novel about the last great war, Gravity’s Rainbow, Thomas Pynchon commented to the effect that the only thing worse than paranoia is the realization that nothing is connected.
Americans must ultimately deal with the real-life anomie which comes with freedom, or accept virtual life within a government cyberworld cocoon tight enough to bind, but not strong enough to shield.