Lawyer: Business As Usual Under Surveillance Law

Privacy issues aside, the USA Patriot Act is mostly harmless to ISPs and phone companies, says a former NSA attorney

MOUNTAIN VIEW, Calif.--While privacy advocates grimace over the recent passage of the USA Patriot Act, the controversial new surveillance law changes little for Internet service providers and telecommunications companies, an attorney and former NSA official said Tuesday.

"It seems to me that despite a remarkable amount of discussion about how important this bill is, it's been over-hyped in people's minds as to what it actually does," said Stewart Baker, a partner at the D.C.-based law firm Steptoe and Johnson, speaking on a panel at Microsoft's Trusted Computing Forum.

One of the new law's most controversial provisions allows law enforcement agents to secretly monitor Internet users' email 'From' and 'To' lines without a wiretap warrant, simply by certifying that the information would be useful to a criminal investigation.

But don't look for a dramatic increase in deployment of the FBI's "Carnivore" Internet surveillance tool, Baker said, because the Bureau was performing such surveillance years before the bill passed, without Congress' explicit approval.

"For the most part, law enforcement was already doing that, and businesses weren't challenging it, or had lost those challenges," said Baker.

Other provisions in USA Patriot, which passed late last month over objections from privacy and civil liberties groups, might help businesses combat computer crime, by clarifying what they're able to share with law enforcement, said Baker.

"If you have a computer hacker in your system, it used to be problematic as to whether you could bring in the government to watch over your shoulder while they hack your system," said Baker. USA Patriot explicitly allows ISPs, universities and network administrators to consent to government monitoring of computer trespassers.

But that silver lining for business was little consolation to the privacy advocates on the panel.

Alan Davidson from the Center for Democracy and Technology accused Congress of "gutting privacy protections" for Internet users, and tearing down the wall between law enforcement investigations and intelligence gathering. "Taken together, they are going to provide for far more surveillance on many more Americans than we've seen in the past," said Davidson.

LIABILITY RISK. Baker said one provision of the new law may open up Internet service providers and telecommunications companies to lawsuits, if they provide information to law enforcement too freely.

At issue is the "roving wiretap" provision of USA Patriot, which lets the FBI obtain court orders that apply to any telephone or Internet connection used by a suspect, regardless of who owns it.

The risk to a telecommunications provider, says Baker, is that law enforcement agents could show up with a warrant that names one person, while seeking surveillance assistance against another. Law enforcement could claim that they're entitled to monitor the innocent customer's account because the suspect named in the warrant is borrowing it. But if the provider doesn't document that assertion, the customer might sue them later.

"From a business point of view it's going to be essential that businesses insist on a paper trail from government," said Baker.

No stranger to electronic surveillance issues, Baker served as general counsel of the super-secret National Security Agency (NSA) in the early nineties, acting as the agency's public face in its efforts to block widespread adoption of unbreakable cryptography.

Today, Baker represents phone companies working to comply with a federal law that mandates their networks be wiretap-friendly. Sounding much like a privacy advocate himself, Baker complained about the legal structure surrounding law enforcement surveillance in the U.S., which includes no requirement that innocent targets of government surveillance be notified that they were ever watched.

"The only people who find out they've been a victim of questionable search are people we indict, and that's nutty," said Baker. With the war on terrorism underway, "there are a lot of innocent people who are going to have their information gathered. They should be given notice," Baker said.

Microsoft's Trusted Computing Forum 2001 gathered 150 representatives from government, business, academic and advocacy groups to discuss security and privacy matters. The forum continues through Thursday.

By Kevin Poulsen