文档详细内容(约69页)
7:607(2003) Internet Surveillance Law After the Usa Patriot Act PROBABLE CAUSE The government must obtain a search war- SEARCH WARRANT rant before acquiring the information. The search warrant requires"probable cause, which in the criminal context means that the government must offer facts establish ing a likelihood that a crime has occurred and that evidence of the crime exists in the location to be searched. 62 SUPER"SEARCH WARRANT The government must obtain a special search warrant before acquiring the infor mation that adds threshold requirements beyond those of ordinary search warrants (e.g, requiring the government to exhaust all other means of obtaining the informa tion, requiring special authorization ).63 THE GOVERNMENT MAY NOT The law may forbid the government from ACQUIRE THE INFORMATION BY acquiring the information regardless of the ANY LEGAL PROCESS This list is illustrative rather than exhaustive. lt reflects the continuum of court orders and legal processes that Congress currently uses to govern law enforcement surveillance of communications networks. For the most art, the greater the privacy interest at stake, the higher the threshold Con- gress uses. Exactly what thresholds apply is up to Congress when it enacts statutory privacy laws and the courts when they interpret the Fourth 6. Direct Versus Indirect Surveillance("How).-The second issue raised by government surveillance is the difference between what I will call"""" government surveillance. Direct govern- ment surveillance rules authorize the government to conduct surveillance of the network on its own. In contrast, indirect government surveillance rules authorize the government to compel providers to conduct surveillance on the governments behalf. The difference between direct and indirect sur- 62 See FED. R. CRIM. P. 41(authorizing the issuance of search warrants based on probable cause) 18 U.S.C.A.$ 2703(a)(requiring a search warrant to compel an ISP to disclose the contents of certain types of stored communications held by the ISP) See 18 U.S.C.A.$ 2516( describing procedure for obtaining a Wiretap order) 621
97:607 (2003) Internet Surveillance Law After the USA Patriot Act 621 PROBABLE CAUSE SEARCH WARRANT The government must obtain a search warrant before acquiring the information. The search warrant requires “probable cause,” which in the criminal context means that the government must offer facts establishing a likelihood that a crime has occurred and that evidence of the crime exists in the location to be searched.62 “SUPER” SEARCH WARRANT The government must obtain a special search warrant before acquiring the information that adds threshold requirements beyond those of ordinary search warrants (e.g., requiring the government to exhaust all other means of obtaining the information, requiring special authorization). 63 THE GOVERNMENT MAY NOT ACQUIRE THE INFORMATION BY ANY LEGAL PROCESS The law may forbid the government from acquiring the information regardless of the legal process. This list is illustrative rather than exhaustive. It reflects the continuum of court orders and legal processes that Congress currently uses to govern law enforcement surveillance of communications networks. For the most part, the greater the privacy interest at stake, the higher the threshold Congress uses. Exactly what thresholds apply is up to Congress when it enacts statutory privacy laws and the courts when they interpret the Fourth Amendment. b. Direct Versus Indirect Surveillance (“How”).—The second issue raised by government surveillance is the difference between what I will call “direct” and “indirect” government surveillance. Direct government surveillance rules authorize the government to conduct surveillance of the network on its own. In contrast, indirect government surveillance rules authorize the government to compel providers to conduct surveillance on the government’s behalf. The difference between direct and indirect sur- 62 See FED. R. CRIM. P. 41 (authorizing the issuance of search warrants based on probable cause); 18 U.S.C.A. § 2703(a) (requiring a search warrant to compel an ISP to disclose the contents of certain types of stored communications held by the ISP). 63 See 18 U.S.C.A. § 2516 (describing procedure for obtaining a Wiretap order)
NORTHWESTERN UNIVERSITY LAW REVIEW veillance lies in the implementation of court orders: does the government install its own monitoring device and tap into the network directly, or does it serve the order on the provider and require the provider to conduct the monitoring and provide the results to law enforcement? The former is di rect surveillance. the latter indirect surveillance The law may distinguish between direct and indirect surveillance be cause the two can raise somewhat different privacy concerns. Indirect sur- veillance imposes a third-party screen between the network and the government, and the governmen nt sees only what the provider shows them If the prospect of government overreaching concerns us more than that of provider overreaching, a law that imposes more serious legal constraints on direct surveillance would be a more favorable option. At the same time, if there is reason to believe that a provider will be unwilling or unable to comply fully with a surveillance order, it may be preferable to allow the government to engage in direct surveillance. Each type of surveillance re- quires trust in someone; the difference comes in who receives the grant of trust. Direct surveillance asks us to trust the government, and indirect sur- veillance asks us to trust the provider These competing concerns occupied center stage in the recent debate over Carnivore. the Fbl's tool for conducting direct surveillance of the Internet. 4 Carnivore (later incarnations of which have been known as DCS-1000)is a packet sniffer, an Internet wiretap that reads traffic while it is in transit in packet form 6s Carnivore is discussed in depth in Section Ill, but for now it is important to note that the Carnivore debate revolves in part around the issue of whether Internet surveillance should proceed by way of direct surveillance or indirect surveillance. Should providers be trusted to use their own surveillance devices to implement surveillance or ders. or can the fbi be trusted to conduct the surveillance with Carnivore? Either way, an accountable party must conduct the surveillance pursuant to a court order and turn over the results to law enforcement 2. Provider Powers -Providers themselves often conduct surveil lance of their network. as a result surveillance rules must also consider when and how providers can collect information about the communications within their network, and also when they can disclose that information to law enforcement. The rules regulating provider surveillance focus gener- ally not on legal process, but rather on the factual circumstances in which See, e.g, Thomas R McCarthy, Don t Fear Carnivore: It Mo L REV. 827(2001); Christian David Hammel Schultz, Note, Unrestricted Federal Agent: "Carni- ore"and the Need To Revise the Pen Register Statute, 76 NOTRE DAME L REV. 1215(2001), Manton M. Grier, Jr, Comment, The Software Formerly Known as"Carnivore". When Does Email Surveil nce Encroach Upon a Reasonable Expectation of Privacy?, 52S.C. L REv. 875(2001); Aaron Ken dal, Comment, Carnivore: Does the Sweeping Sniff Violate the Fourth Amendment?, 18 T M. COOLEY L.REv.183(2001) 622
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W 622 veillance lies in the implementation of court orders: does the government install its own monitoring device and tap into the network directly, or does it serve the order on the provider and require the provider to conduct the monitoring and provide the results to law enforcement? The former is direct surveillance, the latter indirect surveillance. The law may distinguish between direct and indirect surveillance because the two can raise somewhat different privacy concerns. Indirect surveillance imposes a third-party screen between the network and the government, and the government sees only what the provider shows them. If the prospect of government overreaching concerns us more than that of provider overreaching, a law that imposes more serious legal constraints on direct surveillance would be a more favorable option. At the same time, if there is reason to believe that a provider will be unwilling or unable to comply fully with a surveillance order, it may be preferable to allow the government to engage in direct surveillance. Each type of surveillance requires trust in someone; the difference comes in who receives the grant of trust. Direct surveillance asks us to trust the government, and indirect surveillance asks us to trust the provider. These competing concerns occupied center stage in the recent debate over Carnivore, the FBI’s tool for conducting direct surveillance of the Internet.64 Carnivore (later incarnations of which have been known as DCS-1000) is a “packet sniffer,” an Internet wiretap that reads traffic while it is in transit in packet form.65 Carnivore is discussed in depth in Section III, but for now it is important to note that the Carnivore debate revolves in part around the issue of whether Internet surveillance should proceed by way of direct surveillance or indirect surveillance. Should providers be trusted to use their own surveillance devices to implement surveillance orders, or can the FBI be trusted to conduct the surveillance with Carnivore? Either way, an accountable party must conduct the surveillance pursuant to a court order and turn over the results to law enforcement. 2. Provider Powers.—Providers themselves often conduct surveillance of their network. As a result, surveillance rules must also consider when and how providers can collect information about the communications within their network, and also when they can disclose that information to law enforcement. The rules regulating provider surveillance focus generally not on legal process, but rather on the factual circumstances in which 64 See, e.g., Thomas R. McCarthy, Don’t Fear Carnivore: It Won’t Devour Individual Privacy, 66 MO. L. REV. 827 (2001); Christian David Hammel Schultz, Note, Unrestricted Federal Agent: “Carnivore” and the Need To Revise the Pen Register Statute, 76 NOTRE DAME L. REV. 1215 (2001); Manton M. Grier, Jr., Comment, The Software Formerly Known as “Carnivore”: When Does Email Surveillance Encroach Upon a Reasonable Expectation of Privacy?, 52 S.C. L. REV. 875 (2001); Aaron Kendal, Comment, Carnivore: Does the Sweeping Sniff Violate the Fourth Amendment?, 18 T.M. COOLEY L. REV. 183 (2001). 65 See infra Part III
97:607(2003) Internet Surveillance Law After the Usa Patriot Act the law prohibits provider surveillance and disclosure. Consider the follow- ing example. Imagine that a band of computer hackers breaks into a pro- vider's computer network, and that the hackers set up illegal servers from within the network to distribute counterfeit software to other hackers the provider would likely notice the illegal entry when the unauthorized traffic slowed down the rest of the network. To locate the problem and block the unauthorized traffic a network administrator would likely conduct various forms of surveillance. He might look through the network for the illegal server(conducting retrospective surveillance), set up a sniffer to watch the unauthorized traffic in an effort to trace it(prospective surveillance), and, if that is successful, may wish lose the records to the police to help them crack the case(disclosure). The rules governing the providers regu- late when the provider can conduct specific types of surveillance and when the provider can disclose that information to law enforcement. 66 IL. THE PATRIOT ACT AND APPLYING THE PEN REGISTER STATUTE TO THE INTERNET The passage of the USA Patriot Act on October 26, 2001 has been widely portrayed as a dark moment for the civil liberties of Internet users The aclu declared that the act gave law enforcement"extraordinary new bb The different categories can be summarized using a fairly simple matrix. A blank matrix might look like this TABLE 3 TYPE OF INFORMATION CONDITIONS WHEN CONDITIONS WHEN GOVERNMENT PROVIDER SURVEILLANCE SURVEILLANCE AND DISCLOSURE TO ALLOWED GOVERNMENT ALLOWED Envelope Information Direct. Prospective Prospective Content Information Indirect: 623
97:607 (2003) Internet Surveillance Law After the USA Patriot Act 623 the law prohibits provider surveillance and disclosure. Consider the following example. Imagine that a band of computer hackers breaks into a provider’s computer network, and that the hackers set up illegal servers from within the network to distribute counterfeit software to other hackers. The provider would likely notice the illegal entry when the unauthorized traffic slowed down the rest of the network. To locate the problem and block the unauthorized traffic, a network administrator would likely conduct various forms of surveillance. He might look through the network for the illegal server (conducting retrospective surveillance), set up a sniffer to watch the unauthorized traffic in an effort to trace it (prospective surveillance), and, if that is successful, may wish to disclose the records to the police to help them crack the case (disclosure). The rules governing the providers regulate when the provider can conduct specific types of surveillance and when the provider can disclose that information to law enforcement.66 II. THE PATRIOT ACT AND APPLYING THE PEN REGISTER STATUTE TO THE INTERNET The passage of the USA Patriot Act on October 26, 2001 has been widely portrayed as a dark moment for the civil liberties of Internet users. The ACLU declared that the Act gave law enforcement “extraordinary new 66 The different categories can be summarized using a fairly simple matrix. A blank matrix might look like this: TABLE 3 TYPE OF INFORMATION CONDITIONS WHEN GOVERNMENT SURVEILLANCE ALLOWED CONDITIONS WHEN PROVIDER SURVEILLANCE AND DISCLOSURE TO GOVERNMENT ALLOWED Envelope Information, Prospective Direct: Indirect: Envelope Information, Retrospective Direct: Indirect: Content Information, Prospective Direct: Indirect: Content Information, Retrospective Direct: Indirect:
NORTHWESTERN UNIVERSITY LAW REVIEW powers. 67 Another civil liberties group, the Electronic Frontier Founda- ion, announced that"the civil liberties of ordinary Americans have taken a tremendous blow with this law. 68 The website of the Electronic Privacy Information Center featured a drawing of a tombstone that stated "the Fourth Amendment: 1789-2001. 0% Major media outlets agreed. The New York Times viewed the Act as an overreaction to September 11th, and con cluded that the law gave the government unjustified "broad new powers. 7 The Washington Post also opposed the Act: its editorial board described the Patriot Act as panicky legislation"that reduce[d] the healthy oversight of the courts 71 The unanimous verdict was that the patriot act created a sweeping and probably unjustifiable expansion of law enforcement author Is this verdict justified? To answer this, it is crucial to recognize that the patriot Act is not a single coherent law. The Act collected hundreds of minor amendments to federal law, grouped into ten subparts or Titles, " on topics ranging from immigration to money laundering. With many of these amendments, the devil is in the details: especially in the electronic surveillance context, the complex relationship among sections of statutory text means that the changes often defy easy soundbites. Further, the lan- guage that passed on October 26th differed in significant ways from the anguage the Justice Department first proposed just a few days after Sep- tember 11th. The congressional negotiations that ensured the quick passage of the Patriot Act led to many compromises, and even considerable victo ries for the Acts opponents. Altogether, these features make broad charac- terizations of the patriot act difficult to maintain When we focus on the Internet surveillance provisions that passed into law, however, it becomes clear that the popular understanding of the Patriot Act is substantially wrong. The Patriot Act did not tilt the balance between 67 ACLU Legislative Analysis, USA Patriot Act Boosts Government Powers While Cutting Back TraditionalChecksandBalancesatwww.aclu.org/congress/11010la.html(lastvisitedFeb.4,2003) Elec. Frontier Found, EFF Analysis of the Provisions of the USA Patriot Act That Relate to OnlineActivities(oCt.31,2001),atwww.eff.org/privacy/surveillance/tErrorismmilitias/2001 Patricia Cohen, 9/11 Law Means More Snooping? Or Maybe Less N.Y. TIMES, Sept. 7, Robin Toner Neil A Lewis House Passes Terrorism Bill Much Like senates. But with 5-Year Limit. N.Y. TIMES. Oct. 13. 2001. at B6 ee Editorial. A Panicky Bill. WASH. POST. Oct. 26. 2001. at A34 As a student author recently concluded: "Although it is unlikely that the USA PATRIOT Acts I-reaching extensions of surveillance law would have enabled the government to prevent the tragedy we witnessed on September 11th, 2001, it is patently apparent how we will all pay the price of a false nse of security at the cost of cherished freedoms. Sharon H. Rackow, Comment, How the US PATRIOT Act Will Permit Governmental Infringement upon the Privacy of Americans in the Name of Intelligence"Investigations, 150 U PA L REV. 1651, 1696(2002). See Pub. L. No. 107-56, 115 Stat. 272. The Act consists of ten subparts, Title I through Title x. Only one of these subparts, Title Il, directly relates to Internet surveillance laws. See id. 624
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W 624 powers.”67 Another civil liberties group, the Electronic Frontier Foundation, announced that “the civil liberties of ordinary Americans have taken a tremendous blow with this law.”68 The website of the Electronic Privacy Information Center featured a drawing of a tombstone that stated “The Fourth Amendment: 1789–2001.”69 Major media outlets agreed. The New York Times viewed the Act as an overreaction to September 11th, and concluded that the law gave the government unjustified “broad new powers.”70 The Washington Post also opposed the Act: its editorial board described the Patriot Act as “panicky legislation” that “reduce[d] the healthy oversight of the courts.”71 The unanimous verdict was that the Patriot Act created a sweeping and probably unjustifiable expansion of law enforcement authority in cyberspace.72 Is this verdict justified? To answer this, it is crucial to recognize that the Patriot Act is not a single coherent law. The Act collected hundreds of minor amendments to federal law, grouped into ten subparts or “Titles,” on topics ranging from immigration to money laundering.73 With many of these amendments, the devil is in the details: especially in the electronic surveillance context, the complex relationship among sections of statutory text means that the changes often defy easy soundbites. Further, the language that passed on October 26th differed in significant ways from the language the Justice Department first proposed just a few days after September 11th. The congressional negotiations that ensured the quick passage of the Patriot Act led to many compromises, and even considerable victories for the Act’s opponents. Altogether, these features make broad characterizations of the Patriot Act difficult to maintain. When we focus on the Internet surveillance provisions that passed into law, however, it becomes clear that the popular understanding of the Patriot Act is substantially wrong. The Patriot Act did not tilt the balance between 67 ACLU Legislative Analysis, USA Patriot Act Boosts Government Powers While Cutting Back on Traditional Checks and Balances, at www.aclu.org/congress/110101a.html (last visited Feb. 4, 2003). 68 Elec. Frontier Found., EFF Analysis of the Provisions of the USA Patriot Act That Relate to Online Activities (Oct. 31, 2001), at www.eff.org/Privacy/Surveillance/Terrorism_militias/2001 1031_eff_usa_patriot_analysis.html. 69 See Patricia Cohen, 9/11 Law Means More Snooping? Or Maybe Less?, N.Y. TIMES, Sept. 7, 2002, at B9. 70 Robin Toner & Neil A. Lewis, House Passes Terrorism Bill Much Like Senate’s, But with 5-Year Limit, N.Y. TIMES, Oct. 13, 2001, at B6. 71 See Editorial, A Panicky Bill, WASH. POST, Oct. 26, 2001, at A34. 72 As a student author recently concluded: “Although it is unlikely that the USA PATRIOT Act’s far-reaching extensions of surveillance law would have enabled the government to prevent the tragedy we witnessed on September 11th, 2001, it is patently apparent how we will all pay the price of a false sense of security at the cost of cherished freedoms.” Sharon H. Rackow, Comment, How the USA PATRIOT Act Will Permit Governmental Infringement upon the Privacy of Americans in the Name of “Intelligence” Investigations, 150 U. PA. L. REV. 1651, 1696 (2002). 73 See Pub. L. No. 107-56, 115 Stat. 272. The Act consists of ten subparts, Title I through Title X. Only one of these subparts, Title II, directly relates to Internet surveillance laws. See id
97:607(2003) Internet Surveillance Law After the Usa Patriot Act Internet privacy and security strongly in favor of security. Most of the Pa- trot Acts key changes reflected reasonable compromises that updated anti- uated laws. Some of these changes advance law enforcement interests but others advance privacy interests, and several do both at the same time None challenged the basic legal framework that Congress created in 1986 to protect Internet privacy. Studying the Internet surveillance provisions of the Act suggests that the media portrayal of the Patriot Act as"extraord ary and"panicky legislation has little in common with the law Congress actually enacted The remainder of this Article explores how the common understanding of the Patriot Act misses the mark by focusing on three particularly contro versial aspects of the Patriot Act. Admittedly, this approach sacrifices breadth for depth, as it ignores dozens of Patriot Act amendments that equally deserve careful study. 4 Howeve rer, the approach also lets us exam- ine a few specific controversies with care and to use them as examples that generally apply to the Patriot Act as a whole. 75 In particular, this Part of the Article will explore one of the most contro- versial provisions of the Patriot Act: the amendments making the pen regis 74 For example, the Patriot Act made many changes to the rules governing retrospective su veillance, which affected the privacy protections governing both voicemails and Internet records. These hanges appear in the newly revamped 18 U.S.C.A.$2703. However, the three examples I study in this article all involve prospective surveillance. The limited scope of my approach also means that I focus fairly specific changes to the surveillance laws, while ignoring others that may be related. For exan ple, the pen register amendments clarified that the laws applied to the Internet(which I discuss in this Part)and also allowed the government to obtain nationwide orders(which I do not discuss) Of course, some provisions of the Patriot Act may prove to have serious negative cor vela ivacy and civil liberties. The Patriot Act's amendments relating to the Foreign Intelligence Sur- veillance Act, 50 U.S.C.A. $5 1801-1811(West Supp. 2002), are particularly notable in this regard, is the broader restructuring of the relationship between law enforcement and the intelligence community in surveillance investigations At the same time, several provisions in the Patriot Act other than the ones I discuss in this Article vere controversial in large part "roving wiretaps" provides a good example. Congress first enacted a law allowing the govemment btain roving wiretaps in criminal cases in 1986, and the debate over their use goes back to that period See, e. g, Clifford S. Fishman, Interception of Communications in Exigent Circumstances: The Fourth Amendment, Federal Legislation, and the United States Department ofJustice, 22 GA L REV. 1(1987) These laws were challenged and upheld by the courts. See, e.g, United States v. Petti, 973 F2d 1441 1443(9th Cir. 1992)(Browning, J ) Section 206 of the Patriot Act expanded this authority to FIsA cases. so that it could be used in terrorism investigations. in addition to criminal investigations. The press and commentators sometimes ignored this preexisting authority, however, and instead discussed the Patriot Act as if it were the first law to introduce roving wiretaps. See, e.g, Editorial, Constitutional Concerns, DAILY OKLAHOMAN, Sept. 29, 2001, at 6A; Erwin Chemerinsky, Giving Up Our Rights foi Little Gain, L.A. TIMES, Sept. 27, 2001, at B17. As a result, to a large extent the public debate over the ving wiretap provisions of the Patriot Act concemed whether the events of September I Ith justified a law that Congress had already enacted fifteen years earlier. Of course, the fact that Congress enacted a law in 1986 does not in itself justify its existence today, but it does seem relevant to whether the 625
97:607 (2003) Internet Surveillance Law After the USA Patriot Act 625 Internet privacy and security strongly in favor of security. Most of the Patriot Act’s key changes reflected reasonable compromises that updated antiquated laws. Some of these changes advance law enforcement interests, but others advance privacy interests, and several do both at the same time. None challenged the basic legal framework that Congress created in 1986 to protect Internet privacy. Studying the Internet surveillance provisions of the Act suggests that the media portrayal of the Patriot Act as “extraordinary” and “panicky legislation” has little in common with the law Congress actually enacted. The remainder of this Article explores how the common understanding of the Patriot Act misses the mark by focusing on three particularly controversial aspects of the Patriot Act. Admittedly, this approach sacrifices breadth for depth, as it ignores dozens of Patriot Act amendments that equally deserve careful study.74 However, the approach also lets us examine a few specific controversies with care and to use them as examples that generally apply to the Patriot Act as a whole.75 In particular, this Part of the Article will explore one of the most controversial provisions of the Patriot Act: the amendments making the pen regis 74 For example, the Patriot Act made many minor changes to the rules governing retrospective surveillance, which affected the privacy protections governing both voicemails and Internet records. These changes appear in the newly revamped 18 U.S.C.A. § 2703. However, the three examples I study in this Article all involve prospective surveillance. The limited scope of my approach also means that I focus on fairly specific changes to the surveillance laws, while ignoring others that may be related. For example, the pen register amendments clarified that the laws applied to the Internet (which I discuss in this Part) and also allowed the government to obtain nationwide orders (which I do not discuss). 75 Of course, some provisions of the Patriot Act may prove to have serious negative consequences for privacy and civil liberties. The Patriot Act’s amendments relating to the Foreign Intelligence Surveillance Act, 50 U.S.C.A. §§ 1801–1811 (West Supp. 2002), are particularly notable in this regard, as is the broader restructuring of the relationship between law enforcement and the intelligence community in surveillance investigations. At the same time, several provisions in the Patriot Act other than the ones I discuss in this Article were controversial in large part because they were misrepresented in the press. The attention paid to “roving wiretaps” provides a good example. Congress first enacted a law allowing the government to obtain roving wiretaps in criminal cases in 1986, and the debate over their use goes back to that period. See, e.g., Clifford S. Fishman, Interception of Communications in Exigent Circumstances: The Fourth Amendment, Federal Legislation, and the United States Department of Justice, 22 GA. L. REV. 1 (1987). These laws were challenged and upheld by the courts. See, e.g., United States v. Petti, 973 F.2d 1441, 1443 (9th Cir. 1992) (Browning, J.). Section 206 of the Patriot Act expanded this authority to FISA cases, so that it could be used in terrorism investigations, in addition to criminal investigations. The press and commentators sometimes ignored this preexisting authority, however, and instead discussed the Patriot Act as if it were the first law to introduce roving wiretaps. See, e.g., Editorial, Constitutional Concerns, DAILY OKLAHOMAN, Sept. 29, 2001, at 6A; Erwin Chemerinsky, Giving Up Our Rights for Little Gain, L.A. TIMES, Sept. 27, 2001, at B17. As a result, to a large extent the public debate over the roving wiretap provisions of the Patriot Act concerned whether the events of September 11th justified a law that Congress had already enacted fifteen years earlier. Of course, the fact that Congress enacted a law in 1986 does not in itself justify its existence today, but it does seem relevant to whether the amendment broke new ground
