Anti-terrorist law puts business privacy at risk

By Heather A. Thomas
Portland Press Herald
November 23, 2001

On Oct. 26, 2001, President Bush signed into law the USA Patriot Act. Its implementation will illustrate the far-reaching impact of the Sept. 11 terrorist attacks on life in America - not only for American citizens, but also for American companies.

How will a law passed to combat terrorism and promote patriotism affect companies?

The act broadly expands domestic law enforcement surveillance powers, allowing the government to request information from companies during criminal investigations much more easily and for much less cause than in the past. This triggers countless privacy issues for companies, their employees and, for Internet service providers (IS Ps), their customers.

No matter how small, companies need clear guidelines to follow when a request is made from law enforcement officials.

The most important thing for companies to know is that the law does not mandate companies to turn over information voluntarily.

Although you may feel obligated to hand over information without question to the government because it seems like the patriotic thing to do, you should not hand over information without requiring proof of a court order (which includes wiretap warrants, search warrants and pen/trap orders) or a subpoena.

In this regard, the following list will prove helpful:

Voicemail/stored wire communications:

If law enforcement officials seek voicemail and other stored wire communications, they should have a search warrant. Before the new law, officials had to obtain a wiretap warrant, which is more difficult to get from a court.

E-mail information:

If law enforcement officials seek e-mail information (dialing, routing, addressing), they should have a court order authorizing the installation and use of a pen register or trap and trace device. Compared to obtaining a search warrant, pen/trap orders are easy for law enforcement officials to obtain.

Officials merely need to certify to the court that the information likely to be obtained is "relevant to an ongoing criminal investigation." Significant to note is that officials cannot obtain "contents" of electronic communications. Although the law fails to define the term content, you should be aware of this exclusion since it may give you leverage in the event that you object to the government's tracing of the "contents" of e-mails.

Also be aware that the act gives law enforcement officials the ability to install their own tracking technology, known as "Carnivore."

Stored electronic information:

The Electronic Communications Privacy Act (ECPA) regulates government access to stored wire and electronic communications held by ISPs.

Law enforcement officials must have a warrant to obtain the contents of stored e-mails, and a subpoena to obtain subscriber information, such as length of service and types of service utilized. Subpoenas are easier for law enforcement officials to obtain than warrants.

The Patriot Act expanded records that can be sought by subpoena to include connection records, records of session times and durations, temporarily assigned network addresses, and means and source of payment for services, including credit card or bank account numbers.

In addition to developing guidelines and procedures, companies should carefully consider whether handing over information would result in violations of published privacy policies.

Companies, particularly those in the legal, health-care or financial services industries, should be sensitive to issues of confidentiality and privilege.

The last thing a company needs is an unexpected lawsuit while attempting to comply with a new law.

If you have any questions regarding the new law, contact an attorney. The act is the product of hurried negotiations between House and Senate leaders. It was signed into law within a period of five weeks with little debate.

Whether every office of the House and the Senate analyzed and dissected the provisions of the act is questionable. As a result, countless issues may arise as the law is being implemented.

Although some believe that the Sept. 11 attacks warranted a quick response from lawmakers, the law that passed will not so quickly disappear.

While some provisions expire in 2006, provisions governing surveillance of the Internet will not, and these latter provisions allow government eavesdropping during criminal investigations that don't involve terrorism at all.

With such a broad law, American companies must act as a guard dog: Be alert and do everything in your power to protect the privacy rights of yourself and those around you.