Letter

Letter to Reps. Smith and Scott Regarding "The Security Enhancement Act of 2001"

Document Date: February 12, 2002

The Honorable Lamar Smith, Chairman
Crime Sub-Committee of the House Judiciary Committee
207 Cannon House Office Building
Washington, DC 20515-4321

The Honorable Bobby Scott, Ranking Member
Crime Sub-Committee of the House Judiciary Committee
476 Russell Senate Office Building
2464 Rayburn House Office Building
Washington, DC 20515-4603

Re: H.R. 3482 “The Security Enhancement Act of 2001”

Dear Representatives Smith and Scott,

We are writing in regards to H.R. 3482 “The Cyber Security Enhancement Act of 2001 (CSEA).” Overall the bill does not pose serious civil liberties concerns, however, we recommend some slight modifications, which will protect the privacy rights of Internet users.

Section 101 – Amend Directive to Sentencing Commission

Section 101 directs that the United States Sentencing Commission “?shall amend the Federal Sentencing Guidelines and, if appropriate, promulgate guidelines or policy statements or amend existing policy statements.” This directive appears to mandate that the United States Sentencing Commission must amend the guidelines, even if amendment is not necessary or appropriate.

The ACLU is concerned that the USSC have the necessary flexibility to determine sentences that are fair. We oppose a directive that takes away this flexibility. A number of the provisions listed in Section 101 are already covered by current guidelines so further enhancement may be unnecessary. See USSC Guidelines 2B1.1 (Nov. 2001). We recommend striking the word “amend” to “review,” thereby requiring that the USSC review the guidelines with the detailed factors in mind without mandating an increased penalty.

Section 102 – Strike this provision or provide significant protections against abuses

The government should obtain a warrant based on probable cause before obtaining the contents of individuals’ e-mail or other electronic communications. The USA PATRIOT Act included a narrow “emergency exception” to this rule. Internet service providers are permitted to divulge the contents of an e-mail or electronic communication to law enforcement agencies if the “provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of the information without delay.” 18 USC s. 2702(b)(6)(C)

Section 102 of the CSEA would expand this narrow exception in two ways: 1) it allows service providers to disclose the contents of personal communications to any local, state, or federal government entity (not just a law enforcement agency); and 2) it allows service providers discretion to disclose information so long as they have a “good faith” belief that there a danger of death or serious physical injury.

First, the emergency exception included in the USA PATRIOT Act was rooted in the rationale that law enforcement should be able to protect people from imminent physical harm or death. Section 102 goes well beyond the purpose of public safety and allows service providers to disclose e-mails and other personal information to any government entity – at the federal, state, and local level. There is no justification for expanding this exception to every government entity across the country. Law enforcement agencies have primary responsibility for public safety and the “emergency exception” should remain limited to law enforcement. Service providers should not be in the position of determining what other agencies should or should not have access to this private information. If law enforcement needs to share information with other agencies, it should decide when that is appropriate, not the ISPs.

Second, under the USA PATRIOT Act, service providers may only disclose the contents of electronic communications with law enforcement agencies if they “reasonably believe” there is an emergency that involves immediate death or serious injury. Section 102 would eliminate the objective “reasonableness” standard and allow service providers to disclose information based on a subjective “good faith” belief that an individual is in danger. Under this subjective standard, providers would have wide discretion to divulge the contents of personal communications to any number of government agencies if they simply believed — no matter how unfounded — that the disclosure was necessary to prevent death or injury.

We understand that service providers may have concerns about their legal liability for disclosures. However, this provision conflates the standard for disclosure with the standard for determining liability. If Congress wants to afford the ISPs a good faith exception for liability purposes it should expand liability available under 17 U.S.C. sec. 2707. This is a separate issue from determining the appropriate standard as to when service providers should release information. Without an objective reasonableness standard, there would be no deterrent for service providers to go beyond the limits of the law.

Finally, under Section 102, these disclosures would take place without any oversight whatsoever. This provision creates the possibility that that law enforcement will abuse its power and avoid the requirements of 18 U.S.C. sec. 2702 by seeking to get information from the service provider by claiming to have reason to believe that there is an emergency that involves immediate death or serious injury, thereby evading any requirement to obtain a warrant.

The purpose of obtaining a warrant or court order is to ensure that law enforcement or other executive branch agencies are not abusing their authority or engaging in unreasonable searches and seizures. Section 102 fails to include even the most basic check and balance on the disclosure of personal communications. There is no notice to a court, a federal agency, or individuals themselves that personal communications have been disclosed to the government. There is no review – either before or after the disclosure — of whether the disclosure was justified in the first place. Under this provision, service providers could disclose information to a range of government agencies in secret — without any type of review or notice. Even the USA PATRIOT Act requires reporting to the courts when law enforcement utilizes Carnivore, a means of intercepting electronic communication.

This provision greatly undermines our privacy by failing to limit the “emergency exception” to the agency responsible for public safety; eliminating the objective “reasonableness” standard; failing to provide any checks and balances on disclosures of personal information; and failing to establish penalties that would act as a deterrent to unlawful disclosures of personal information.

The USA PATRIOT Act lowered the standard necessary for the government to obtain highly private information. See USA PATRIOT Act sections 201, 202, 209, 210 and 217. It also authorized the broad sharing of information between federal law enforcement agencies. See USA PATRIOT Act Sections 202, 701 and 901. We are very concerned that the Congress would expand this already broad authority at this time. There is a real concern that highly private information could be misused and we believe that the Congress should ascertain how the recent changes impact personal privacy before continuing to go down the road of further information sharing.

Sincerely,

Laura Murphy
Director

Rachel King
Legislative Counsel

Katie Corrigan
Legislative Counsel

Cc: House Judiciary Committee

Every month, you'll receive regular roundups of the most important civil rights and civil liberties developments. Remember: a well-informed citizenry is the best defense against tyranny.