“Electronic Surveillance, Security, and Privacy”
Professor Peter P. Swire
Ohio State University
InSITes -- Carnegie Mellon
February 7, 2002
Overview of the Talk
Overview of electronic surveillance, before and after September 11
Security vs. privacy
Security and privacy
Wiretaps and Surveillance
History of wiretaps
2000 Administration proposal
2001 USA Patriot Act
Wiretap History
1920s Olmstead
– Wiretaps permitted by police without warrant where tap applied outside your home
1960s Katz
– Reasonable expectation of privacy, even in a phone booth
1968 Title III
– Strict rules for content, more than probable cause, as a last resort, reporting requirements
History (cont.)
1984 ECPA
– Some protections for e-mail
– Some protections for to/from information; pen registers (who you call); trap and trace (who calls you)
2000 Administration Proposal
How to update wiretap and surveillance for the Internet age
15-agency White House working group
Legislation proposed June, 2000
– S. 3083
– Hearings and mark-up in House Judiciary, further toward privacy than our proposal
2000 Administration Proposal
Update telephone era language
Upgrade email and web protections to same as telephone calls
Identify new obstacles to law enforcement from the new technology
Sense of responsibility -- assure privacy, give law enforcement tools it needs
2001 USA Patriot Act
Introduced less than a week after September 11
Key provisions often have a point, but maybe went too far
4 year “sunset” for many surveillance provisions and what to do next
Emergency orders
Before, “imminent threat” of serious harm to get wiretap before a court order
Now, for any ongoing computer attack, or else ability to trace back may be lost
For anything affecting “a national security interest”
Are these too broad?
Roving taps
Old days, order for each phone
What if suspect buys a dozen disposable cell phones? Uses someone else’s computer?
But, how far can the order rove? Anyone in the public library?
Problem -- less of a suppression remedy for email and web use
Nationwide trap and trace
Old days, serve order on ATT and it was effective nationwide
Today, e-mail may travel through a half-dozen providers, have needed that many court orders
New law -- one order effective nationwide
Query -- order from a judge in Idaho, served late at night, how do you challenge that?
Computer trespasser exception
Previous law:
– ISP can monitor its own system
– ISP can give evidence of yesterday’s attack
– ISP cannot invite law enforcement in to catch the burglars
Problem for:
– DOD and many hack attacks
– Small system owners who need help
Computer trespasser proposal
Law enforcement can “surf behind” if:
– Targets person who accesses a computer “without authorization”
– System owner consents
– Lawful investigation
– Law enforcement reasonably believes that the information will be relevant
– Interception does not acquire communications other than those transmitted to or from the trespasser
Computer trespasser
Issues of concern:
– Never a hearing in Congress on it
– No time limit on each use
– No reporting requirement
– FBI can ask the ISP to invite it in, and then camp at ISP permanently
– Limited suppression remedy if go outside permitted scope
II. Security & Privacy After 9/11
Less tolerance for hackers and other unauthorized use
Cyber-security and the need to protect critical infrastructures such as payments system, electricity grid, & telephone system
Greater tolerance for surveillance, which many people believe is justified by greater risks
Security vs. Privacy
Security sometimes means greater surveillance, information gathering, & information sharing
USA Patriot increases surveillance powers
Computer trespasser exception
Moral suasion to report possible terrorists
Security and Privacy
Good data handling practices become more important -- good security protects information against unauthorized use
Audit trails, accounting become more obviously desirable -- helps fight sloppy privacy practices
Part of system upgrade for security will be system upgrade for other requirements, such as privacy
In Conclusion
USA Patriot has 4 year sunset of many of the surveillance provisions
Imagine an architecture that meets legitimate security needs and also respects privacy
Need accountability to ensure the new powers are used wisely
Our homework -- how to do that wisely
Contact Information
Professor Peter P. Swire
phone: (301) 213-9587
email: [email protected]
web: www.osu.edu/units/law/swire.htm