The USA Patriot Act was passed with much fanfare last October, but it was soon clear that lawmakers passed the package without examining all the parts. Today, we’re still struggling to determine how new law enforcement powers granted by Patriot are being used.
In June, the House Judiciary Committee asked the Attorney General for specifics on this issue. On October 17, the committee released the DOJ’s answers.
Much of what was learned was troubling. For example, Patriot opened loopholes that let electronic communications service providers give customer records to law enforcement officials without a warrant. In lay terms, the folks that provide your email account are an electronic service provider, and your actual emails could fall into the category of customer records.
In a letter to the House Judiciary Committee, the Attorney General’s office confirmed that they have received anecdotal accounts of providers turning over records without a warrant but “there are no statistics detailing the number of times that disclosures have occurred or the basis for such disclosures.”
In this context, a recent amendment to the Senate’s Homeland Security bill seems all the more ominous. The amendment, offered by Orrin Hatch, was based on the Cyber Security Enhancement Act, or CSEA, a bill passed in the House on July 15, just before the August recess. Introduced by Rep. Lamar Smith, who brought us Patriot’s computer surveillance language, CSEA, if passed, would make it even easier for government agents to get your electronic records, without a warrant and without telling you.
Traditionally, getting electronic records, which can include your actual emails, has required a warrant, and companies that handed over such information without that warrant could face penalties. The Patriot Act created an exception to that requirement: communications providers can now voluntarily disclose customer records to law enforcement officials in situations where the provider has a reasonable belief that disclosing the records is necessary to prevent an imminent danger. The language in Hatch’s amendment expands that exception in two ways. First, it removes the imminence requirement. Under the new rules, a provider would only have to believe that disclosing the records would help prevent some theoretical future danger. Second, a provider would no longer need to have a reasonable belief that the communication relates to this vaguely defined danger. He or she will only have to be acting in good faith.
These changes make it much easier for law enforcement officials to access previously difficult-to-obtain personal information without a warrant. After all, if a danger no longer has to be imminent to eliminate the need for court oversight, when will a warrant be needed? And changing the standard required of the provider to a “good faith” belief would make it harder for providers to refuse law enforcement requests. “Good faith” is a very subjective guideline — all it means is that an employee at an ISP or phone company must sincerely believe that they are acting to avoid danger, regardless of whether a reasonable person would agree. It’s easy to imagine that if an FBI agent shows up at your ISP’s door and says that seeing your emails would help them avoid a future threat, that would be enough to give most employees a good faith belief that they should hand them over.