In our ongoing series looking into Federal and State level Cyber Security Legislation, we are reviewing the USA Patriot Act and how it affected Cyber Security.
The USA PATRIOT Act (USAPA) was signed into law in 2001 by President George W. Bush with the intent of giving law enforcement agencies a tool against dangerous groups. The bill was partially renewed in 2011 by President Barack Obama with the PATRIOT Sunsets Extension Act of 2011, which extended the bill until 2015. In 2015, the U.S. Congress did not vote to extend the Patriot Act again, and the parts of the bill that were extended under the Sunsets Extension died.
However, the USA Freedom Act (USAFA) was passed on June 2nd, which brought back the Patriot Act with some provisions and doesn’t expire until 2019. The purpose of USAFA was to place a limit on bulk data collection being performed on American citizens, which constituted a violation of their 4th Amendment rights.
Under USAPA, Federal agencies could appeal to a collection of judges under the Foreign Intelligence Surveillance Act (FISA) for electronic surveillance of a group or individual. A modification of USAPA removed the requirement that it be shown that said group or individual was performing clandestine intelligence gathering; that requirement became one of the several possible applicable criteria for surveillance.
The USAFA reinstated this requirement. Any agency requesting bulk collection, detailed records or tangible records must now show the court that the data in question is relevant to the investigation, and must present a clear, articulated suspicion that the individual or group is working with a foreign power or an agent of a foreign power. Section 110 of Title I of USAFA is written so that the act may not be used to acquire the contents of any electronic communication from the service provider.
Put simply, USAFA restores the requirement that a policing agency must show a reasonable suspicion that the suspect falls under the provisions of FISA. This requirement puts a restriction on mass data collection programs run by the NSA, such as PRISM, by requiring investigators to have court approval before anyone is subjected to bulk data collection.
If an agency does acquire FISA approval, however, the records that are available to them under USAPA/USAFA are extensive. USAPA allows agencies to gain permission from an employer or provider to allow the agency access to a protected computer, allowing the agency to bypass the much stricter wiretapping laws. Agencies can request call numbers, durations, the identity of who was called, as well as payment information, credit card numbers and your bank account. It also establishes that providers may freely provide this information if they believe there is a credible threat to “life and limb.”
One of the more controversial parts of the bill is the alteration of how wiretaps function. Normally an individual must be notified that their communications are being monitored within a set time; USAPA allowed that time to be indefinitely extended. The argument put forward for this provision by law enforcement was that suspects would alter their communication habits once they were alerted that they were being wiretapped. Previously a wiretap notice would have to include which providers and numbers were being tapped; under USAPA that information no longer had to be provided. However, this provision was struck down as unconstitutional as it violated a person’s 4th Amendment rights.
The final tool in the USAPA was Title V: Removing Obstacles to Investigating Terrorism, which allowed any federal agency to request an administrative subpoena. This subpoena compelled an entity (such as a business or internet service provider) to provide all records requested and included a gag order which denied them the right to notify anyone that said records had been requested. This was struck down as unconstitutional in 2005, and was never reaffirmed into law under the USAFA.