July 28, 2014

The USA PATRIOT Act

By Mary Minow

Three librarians explore this controversial act and how you can protect patron privacy without breaking the law

The USA PATRIOT Act, by Mary Minow
Make Sure You Are Privacy Literate, by Karen Coyle
New Encroachments Recall Old Ones, by Paula Kaufman

Congress passed the USA Patriot Act on October 26, 2001, barely six weeks after the terrorist attacks on the World Trade Center and the Pentagon. The bill was passed with little debate at the height of the anthrax contamination scare when many lawmakers did not have access to their offices. Sen. Russell Feingold (D-WI), the lone dissenter in the Senate, remarked that few had even read summaries, let alone the fine print.

Public response has been heated. Supporters of the Patriot Act say they’re not against civil liberties, but public safety requires granting the government greater surveillance powers. Dead people, this camp argues, have no civil liberties at all. Privacy advocates, including many library professionals, say we need national security and public safety but not at the expense of our rights as citizens. If we give up too many freedoms, they argue, the terrorists will have won. These advocates maintain that the U.S. Constitution exists to protect free speech in paranoid times when a slide toward repression is most likely to be accepted by the public.

This is a critical time to remind staff that patron records are protected by law. Library staff do not have discretion to turn over records to anyone, including federal law enforcement, unless permitted by law. The Patriot Act has shifted the balance in terms of when court orders (including those for patron records) may be obtained. The decisions to turn over records are still made by the justice system and not by librarians. However, librarians do have discretion in the actual practice of creating and maintaining records in the first place. By better understanding the Patriot Act and knowing what to do if faced with an incident, librarians can be prepared to do the right thing and protect privacy.

Inside the Patriot Act

The USA PATRIOT Act, short for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, is not one standalone law. Most of its 132 pages amend existing federal statutes ranging from foreign surveillance to money laundering and were in the hopper before September 11.

Among the statutes amended is the Foreign Intelligence Surveillance Act (FISA). Expanding its reach could have a big impact on libraries. FISA was enacted in 1978 in response to shocking revelations of extensive FBI surveillance of U.S. citizens during the 1960s and 1970s. It was intended to put a firewall between domestic and foreign intelligence gathering. In essence, the intent was to help the domestic side keep a much higher set of safeguards than those deemed necessary to gather foreign intelligence.

The Patriot Act, however, extends FISA authority by including the issuance of “roving wiretaps” that can follow a person from, for instance, a public phone to a neighbor’s computer to a library computer. Critics say this is a violation of the Fourth Amendment, which requires that warrants must “particularly” describe the place to be searched and the persons or things to be seized.

To date, hard information on how often or where the FBI has used the Patriot Act remains impossible to get. In some situations, “gag” orders are imposed, meaning it is illegal for librarians to share information freely. The American Civil Liberties Union (ACLU) in conjunction with the American Booksellers Foundation for Free Expression and the Electronic Privacy Information Center has asked for a full account of investigations from the Department of Justice.

In a 12-page letter to Attorney General John Ashcroft, House Judiciary Chair James Sensenbrenner (R-WI) and ranking member John Conyers (D-MI) on June 13 asked the number of times the government has directed a library, bookstore, or newspaper to produce “tangible things” (as per Section 215, see below) including individuals’ records and requests for entire databases. A partial reply dated July 26 from Assistant Attorney General Daniel J. Bryant said that the information “is classified and will be provided in an appropriate channel.”

In any case, these searches are strictly secret. National Security Letter (NSL) authority, according to Lee S. Strickland, a former attorney for the CIA, is essentially the intelligence corollary to the administrative subpoena provisions for criminal investigations. NSLs come with gag orders, prohibiting disclosure that the FBI has sought such information.

Sensenbrenner remains dissatisfied with the Justice Department’s response. He is considering taking the unusual step of issuing a subpoena to Attorney General Ashcroft. Library privacy advocates challenge the view that library patron record privacy is trivial compared with stopping terrorism.

Lessons from history

Libraries and the FBI have a chilling history. The FBI’s infamous Library Awareness Program aimed to identify Soviet spies in research libraries in the 1970s and 1980s. The program tried to control access to “sensitive but unclassified” information such as National Technical Information Service (NTIS) reports. Agents reportedly flashed badges to front desk staff and asked about “suspicious patrons” with East European accents. Staff were asked not only about what books had been checked out but also about database search histories and reference questions. In fact, the FBI did not have the legal authority to get this information by these methods.

The recent ruling on the Tattered Cover case reinforced patron privacy. In 2000, the Denver bookstore was asked to turn over purchase records to police working on a drug investigation. Quick action and negotiation between the attorneys paid off. When Denver police tried to execute a local search warrant on the bookstore, owner Joyce Meskis immediately contacted the bookstore’s attorney, who in turn contacted the Denver District Attorney’s (DA) office. The Denver DA persuaded the police officers not to execute the warrant until the Tattered Cover could litigate its validity.

Ultimately, the Colorado Supreme Court ruled that the search warrant was not enforceable and should not have been issued. It ruled that an innocent, third-party bookstore must be given an opportunity for a hearing, to apply the balancing test, recognizing that a seizure of documents, books, or films is conceptually distinct from a seizure of objects such as guns or drugs.

In its decision, the Colorado Supreme Court sets out a balancing test that allows law enforcement access to records only after passing a number of hurdles. Law enforcement must show a compelling need, no reasonable alternatives (such as identifying clothing on the scene instead), and the warrant must not be unduly broad (e.g., records for 30 days instead of one). Additionally, the court must consider whether the purchase records are sought because of the books’ content, creating a chilling effect on readers.

The last factor makes the distinction between book purchase records that are sought because of their content and those sought merely to prove a fact unrelated to the content. In this case, law enforcement found books about methamphetamine labs and wanted to establish motive. The court weighed this factor against law enforcement. If a book, unrelated to the motive, had been found in the meth lab, however, the court said it would place its owner at the scene and would not likely produce a chilling effect.

This decision, while a precedent only in Colorado, illustrates that even though we live in a climate of fear, court protection for free speech remains strong.

Court orders

We must train all staff and volunteers—not just librarians already sensitized to privacy issues—to pass all inquiries by law enforcement for patron records to the library director or the designated person (with help from an ALA attorney if necessary). Badges and inquiries, then as now, are legally insufficient to compel librarians to turn over records, particularly when state laws protect these records. When I was approached by some public librarians in California for advice on policies and procedures post–Patriot Act, I decided to contact the local FBI office. I recommend librarians consider this line of communication, as they can express concerns about patron privacy and learn about FBI priorities and practices. For example, we were shown FBI credentials and encouraged to call the local office to verify if an agent was legitimate.

In light of the Patriot Act, librarians can expect more court orders. “Patron records” and “patron information” are defined differently. The Patriot Act makes it easier for federal law enforcement to get court orders and subpoenas in many situations. For example, the act makes it possible for courts to issue national search warrants in terrorism cases. This removes the hurdle of getting multiple warrants in different jurisdictions. Librarians and their lawyers should review the different types of federal, state, and local orders that may be issued to them.

ISP(S) is a mnemonic for Intercepts, Search warrants, Pen/trap orders and (Subpoenas). In each case, a parallel set of rules with lower burdens is invoked under FISA, to gather evidence on an agent of a foreign power.

Search warrants consider past content. This is the most critical court order with which library staff need to be familiar. The Patriot Act amends the law so that courts may now issue national search warrants for investigations involving terrorism. While it is possible that librarians at a given institution will have warning that a warrant will be served, they may not. The director, or designated point person, may ask for a delay in order to reach an attorney; however, search warrants are immediately executable, with or without cooperation.

Some libraries, particularly in large institutions, already have policies and procedures in place. Others may want to establish them in consultation with their attorneys or representatives of ALA and then set up a general staff training session. Items to consider include identifying a designated staff member, identifying an agent-in-charge of the search (including cell phone number), faxing a copy of the warrant to the library’s attorney, and requesting a delay to have an attorney present. Procedures should also be considered for situations in which the agent will not wait, such as determining the validity and scope of the warrant, avoiding “consent” that goes beyond the scope of the warrant, monitoring the search, instructing staff on assisting in records retrieval, handling agents’ questions, requesting signatures, and preserving evidence.

In addition to amending the law to permit national search warrants for terrorism investigations (Federal Rules of Criminal Procedure Rule 41a), the Patriot Act amended the Electronic Communications Privacy Act 18 U.S.C. §2703 to permit nationwide search warrants for e-mail and voice mail.

Under criminal law, probable cause of a crime must be shown and the evidence sought must be material to the crime. Under FISA, on the other hand, probable cause refers not to a crime taking place but to the likelihood that the target of investigation is a foreign power or an agent of a foreign power.

Intercepts (Wiretaps) involve real-time content. Unlike search warrants, which look for past information, intercepts look at “real-time” or future information, i.e., what your patrons will use your Internet terminals for. Intercepts look at content of communication. An intercept is the most invasive of the orders. Libraries should note that these orders are likely to be directed at Internet Service Providers (ISP). If the library outsources the ISP for its patrons, the surveillance may take place without anyone at the library knowing.

Under criminal law, as opposed to FISA, the Federal Wiretap Statute, 18 U.S.C. §2516, intercept orders (also known as “Title III” orders) are issued by federal judges when probable cause can be shown that a target committed one of a list of serious crimes. The Patriot Act expands that list to include additional crimes related to terrorism and computer abuse. The FBI has extensive internal procedures to determine if an intercept is appropriate.

Under FISA 50 U.S.C. §1805, probable cause must be shown only that a target is a foreign power or an agent of a foreign power. This is where the “roving” wiretap was added. U.S. citizens and resident aliens may not be considered agents of a foreign power solely on the basis of activities protected by the First Amendment.

Pen Registers and Trap and Trace Orders examine real-time transaction records. They capture information that is not content, such as records of phone calls, e-mail headers, and URLs visited. Unlike wiretap surveillance authorizations, which monitor content, pen register surveillance orders require only an agent’s application in court. The agent must certify that the information is “relevant to an ongoing criminal investigation,” and when that is done, the courts must issue the order. An ISP may then be required to install hardware and/or software to comply.

Pen/Trap orders are named after telephone devices that track incoming and outgoing numbers (similar to caller ID). Like wiretaps, these trap future communications. The Patriot Act amends these statutes to include computer communications. Critics contend that e-mail addresses and URLs sometimes reveal content, and tools intended to “surgically” separate content from transactional information are imperfect. For example, the FBI’s Carnivore (renamed DCS1000 but still referred to as Carnivore) is a “sniffer” program installed on an ISP used to intercept digital information between servers. An independent technical review by the IIT Research Institute showed that Carnivore can perform fine-tuned searches, but if incorrectly configured, it can record any traffic it monitors.

Subpoenas

Not all subpoenas are enforceable court orders. They are issued by government officials under a variety of statutes. Talk to an attorney to see if the subpoena can be challenged; in some cases it must be. For example, some states like California require court orders before patron records may be turned over.

Law enforcement agencies now have expanded authority to subpoena records of ISPs. They can request detailed information about customers, including records of identification or network addresses [18 U.S.C. §2703(c)(2)]. Federal administrative subpoenas are issued when the information sought is relevant to an inquiry, employing a reasonableness standard. Libraries may move to quash or modify administrative subpoenas in court. For a thorough list of federal administrative subpoena authorities, see Report to Congress on the Use of Administrative Subpoena Authorities by Executive Branch Agencies and Entities: Pursuant to Public Law 106-544 (May 13, 2002), issued in parts and posted at www.usdoj.gov/olp.

Before Tattered Cover was served the search warrant, it was served a Drug Enforcement Administration (DEA) subpoena. The bookstore challenged the subpoena, and it was dropped. The Court wrote, “Using such a subpoena was ordinarily a successful technique for DEA officers, though such a subpoena lacks any legal force or effect.”

Section 215

Section 215 of the Patriot Act concerns business records. The act expanded the FISA Court’s authority to issue orders for “business records,” which are now defined as “any tangible thing.” High-level government agents must still make a formal pleading at the FISA Court, which does not publish its rulings (a notable recent exception can be found at www.fas.org/irp/agency/doj/fisa/fisc051702.html).

U.S. persons may not be investigated based solely on activities protected by the First Amendment. However, the orders are sealed, and they come with a “gag” order, which means that librarians asked for information are only allowed to talk about the request with those directly involved with providing the information, such as their superiors and their attorneys.

Exigent circumstances

Search warrants are not required under “exigent circumstances.” Under this exception to the warrant requirement, federal agents can search if necessary to prevent physical harm, the destruction of relevant evidence, the escape of the suspect, or some other consequence improperly frustrating legitimate law enforcement efforts. Exigent circumstances can arise in computer cases because electronic data are perishable. However, this exception does not permit agents to search or seize beyond what is necessary to prevent the destruction of the evidence. When a computer is controlled by a suspect, it is possible that it will be seized.

When “innocent” third parties, such as libraries, have control of the data, a request to preserve evidence, pending a court order or other legal process, may be more appropriate than seizure. If this request is made by phone or fax, the library should request a confirmation letter for its own protection. Such a request may come under the Electronic Communications Privacy Act [ECPA 18 U.S.C. §2703(f)]. Requests are good for 90 days and may be extended 90 days.

The decisions to turn over records are made by the justice system, but librarians have discretion in the actual practice of creating and maintaining records in the first place. Karen Coyle’s article offers the tools you need.

The Patriot Act changes the rules, but with the right information and preparation, librarians can follow the law while abiding by the privacy ethic that makes libraries effective.

 

What You Can Do

  • Do not assume that law enforcement or the public shares librarians’ value in the privacy of patron records.
  • Meet with someone from the local office of the FBI (www.fbi.gov/contact/fo/info.htm). Ask to speak to someone in the Awareness of National Security Issues and Response (ANSIR) program or try “media relations.”
  • Become familiar with the Tattered Cover decision. It held that an innocent third-party bookseller in Colorado must have an opportunity for an adversarial hearing and thus invalidated a local search warrant.
    It also noted that the subpoena process allows the opportunity for a bookstore to participate in an adversarial hearing. Further, it is filled with eloquent language on the right to read as essential to the right to free expression.
  • Get familiar with important legal documents. Many samples can be found online. www.cybercrime.gov/s&smanual2002.htm links to a preservation of evidence request, a pen/trap order, subpoena language, a search warrant for electronic communication, and more.
    For a sample privacy policy, see Tulane University’s www.tulane.edu/~counsel/PolicySearchWarrant.doc. For sample legal memos, see the Latham & Watkins site (www.lw.com) and the Crowell & Moring site (www.crowell.com/) and search for “search warrants.”
  • Meet with library counsel before a crisis; examine sample court orders together, especially a search warrant, which can be immediately executable. Invite your attorney to an all-staff meeting to discuss search warrants.
  • Identify local computer rental supply sources in case of computer terminal seizure.
  • Train staff to refer all inquiries to the director or designated person.
  • Conduct a privacy audit of all patron records (see Karen Coyle’s article).
  • Ensure library privacy policy is consistent with practices.
    For example, reexamine any banner language on privacy and make sure it doesn’t make promises that can’t be upheld.
  • Rely on the American Library Association for information and advocacy. Several American Library Association web pages are dedicated to the Patriot Act:
    General information: www.ala.org/washoff/patriot.html
    Confidentiality and Coping with Law Enforcement Inquiries: www.ala.org/alaorg/oif/guidelineslibrary.html
    State laws: www.ala.org/alaorg/oif/stateprivacylaws.html


Author Information
Mary Minow, who was a public librarian for over ten years and is currently President of the California Association of Library Trustees and Commissioners, is a legal consultant with LibraryLaw.com. She is coauthor, with Tomas Lipinski, of The Library’s Legal Answer Book, to be published this December by the American Library Association.