Summary and Analysis of Key Sections of USA PATRIOT ACT of 2001 To: Interested Persons From: E-Commerce & Privacy Group Ron Plesser (202) 861-3969 Jim Halpert (202) 861-3938 Milo Cividanes (202) 861-3911 Date: October 31, 2001 We have tried in as compact a manner as possible to summarize those portions of the "USA Patriot Act of 2001" (hereafter "the Act" or "the Patriot Act") of interest to Internet companies, Internet service providers, and telecommunications carriers. Therefore, we are primarily interested in the responsibilities and immunities that the Patriot Act provides for various providers. There are important sections of the Act that we do not discuss because they are related to internal governmental issues, immigration law issues, or other issues beyond the scope of this memo. Nor do we evaluate here the constitutionality or wisdom of policy choices reflected in any part of this bill. Our hope is that this will be helpful to better understand and prepare for the changes brought about by the Patriot Act. SUMMARY Service providers have expanded obligations under this Act. For example, the definitions of trap and trace device have been significantly expanded to allow for access to certain information (excluding content) concerning Internet activity. Another example is the obligation to respond to a nationwide service of process that in some instances may not identify your company on the face of the service document. The Act does permit you to seek clarifications. The Patriot Act contains three favorable features for communications companies. First, it provides specifically that nothing in the Act creates any new requirements for technical assistance, such as design mandates. Therefore, the right, if any, of the government to require use of design mandates such as "Carnivore" technology or other technical assistance by service providers is not affected or augmented by the Patriot Act. Second, in several important areas, the Act expands service provider protections (including immunities and good faith defenses) for complying with new or existing surveillance authority, as is the case in FISA wiretaps and disclosures of records. The Act also creates expanded ability for the government to conduct wiretaps, at the request of service providers, of hackers and other "trespassers" on service provider networks. Third, the Patriot Act amends and limits the Cable Act to make it clear that companies offering cable-based Internet or telephone service will be subject to the requirements of the Cable Act to notify subscribers of government surveillance requests only where detailed cable viewing information is being sought. In all other instances, cable operators offering these services can respond to a government surveillance request under ECPA, which does not require service providers to notify subscribers of requests. Section 103: Increased funding for the FBI's technical support center. Bottom Line: Significantly more money will be spent on electronic surveillance by the government. This section authorizes $200 million each year for the next three fiscal years (FY 2002, 2003, and 2004) for the FBI's technical support center. The center is a principal source of government technical surveillance initiatives, and this funding could accelerate more such proposals. Section 202: Authority to intercept wire, oral or electronic communications relating to computer fraud and abuse offenses. Bottom Line: Expands ability for service providers to get government help with hacking, denial of service attacks, and related Computer Fraud and Abuse Act violations. Section 202 amends 18 U.S.C. § 2516(1)(c) to add the Computer Fraud and Abuse Act offenses (18 U.S.C. § 1030) to the list of predicates for obtaining Title III wiretaps, thereby facilitating government investigation of hacking offenses. Section 203: Authority to share criminal investigative information. Bottom Line: Information obtained from grand juries and wiretaps will be accessible to a wider range of government offices and officials. This section amends the Federal Rules of Criminal Procedure and 18 U.S.C. § 2517 to allow intelligence information obtained in grand jury proceedings and from wiretaps to be shared with any federal law enforcement, protective, intelligence, immigration, and national defense or security personnel, provided that recipients of information could only use such information in connection with their official duties and subject to the disclosure limitations in existing law. In the case of grand jury information, it would require notification to the court after disclosure. Although this section broadens the categories of individuals with whom criminal investigative information can be shared, it was narrowed in the legislative process to require these individuals to use this information only in connection with their official duties. Section 204: Clarification of intelligence exceptions from limitations on interception and disclosure of wire, oral, and electronic communications. Bottom Line: No change. Clarifies existing law. Explicitly carves out foreign intelligence surveillance operations from the criminal procedure protections of ECPA, thereby further clarifying that these types of operations are governed exclusively by FISA. Section 206: Roving surveillance authority under the Foreign Intelligence Surveillance Act of 1978. Bottom Line: Will result in increased roving tap activity. Expands FISA court orders to allow "roving" surveillance in a manner similar to ECPA wiretaps. (The federal wiretap statute, but not FISA, was amended 15 years ago to allow "roving taps.") A roving wiretap enables government investigators to intercept all of a suspect's wire or electronic communications relating to the conduct under investigation, regardless of the suspect's location when communicating. The quintessential situation requiring a roving wiretap in the past has been when a suspect goes from phone booth to phone booth numerous times in an effort to prevent his calls from being wiretapped. Since September 11, 2001, the Administration has cited surveillance challenges posed by "disposable" cell phone situations‹where a suspect buys a cell phone on day one and a week later buys another cell phone with another number and moves from cell phone to cell phone seeking to avoid interception. But "roving tap" authority is not limited to voice communications; it could equally be used to intercept the e-mail communications of a suspect who changes Internet accounts every day, or several times a day. Section 209: Seizure of voice mail messages pursuant to warrants. Bottom Line: Stored voice mail will be treated as stored data under § 2703 and not as an intercept governed by wiretap procedures. This section enables law enforcement to seize voice mail messages via a search warrant, instead of a Title III wiretap order, which harmonizes the manner in which both voice mail and e-mail messages can be accessed. It thereby overturns case law that requires the government to apply for a Title III warrant before it can obtain unopened voice mail messages (but not e-mail messages) held by a service provider. See U.S. v. Smith, 155 F.3d 1051 (9th Cir. 1998), cert. denied, 119 S. Ct. 804 (1999). Section 210: Scope of subpoenas for records of electronic communications. Bottom Line: May produce a major increase in subpoenas regarding subscribers. Broadens the types of subscriber records that law enforcement can obtain via subpoena from service providers, including ISPs, to include "the means or sources of payment for such services," "records of session times and durations," and "any temporarily assigned network address." The means-of-payment category was broader earlier in the legislative process, but was subsequently narrowed to clarify that it encompasses credit card or bank account number used as a means of payment for the communication service. Therefore, this provision does not apply to payment information that is stored briefly on a service provider's system or information contained in a "digital wallet." Section 211: Clarification of scope. Bottom Line: Changes procedures that apply to cable operators responding to a subpoena and in most instances will eliminate any obligations to notify customers of cable-based Internet service. Clarifies that ECPA governs the release of most subscriber records of cable television companies that provide Internet service. It will provide certainty to cable-based ISPs when served with lawful surveillance requests. Fixing a drafting flaw in the Administration's original proposal, Section 211 will result in cable operators responding to law enforcement requests by producing customer data about Internet service subscribers without first having to notify the subscribers. This is consistent with recent court decisions ruling that ECPA must have implicitly repealed a conflicting Cable Act requirement that subscribers receive advance notice of the government's request. One category of Internet subscriber information that still remains subject to the advance notice provisions of the Cable Act is "records revealing cable subscriber selection of video programming from a cable operator." Section 212: Emergency disclosure of electronic communications to protect life and limb. Bottom Line: Expanded flexibility to disclose in emergencies. Permits service providers to disclose the content of stored e-mail messages and other customer information whenever the provider "reasonably believes" that an emergency involving immediate danger of "death or serious physical injury to any person" requires such disclosure. There was no provision in existing law expressly permitting service providers to make such emergency disclosures. This section should help resolve an ambiguity in current law that inhibits service providers from disclosing customer information in emergency situations involving death or serious physical injury. Section 214: Pen register and trap and trace authority under FISA. Bottom Line: Expansion of FISA pen register/trap and trace authority in FISA that should lead to a significant increase in such requests. Makes it easier for the government to obtain a court order under FISA for pen register or trap and trace surveillance. Eliminates the requirement in 50 U.S.C. § 1842(c)(3) that the government certify that it has reason to believe that the surveillance is being conducted on a line or device that is or was used in "communications with" someone involved in international terrorism or intelligence activities that may violate U.S. criminal law, or a foreign power or its agent whose communication is believed to concern terrorism or intelligence activities that violate U.S. law. Instead, Section 214 makes the FISA pen register/trap & trace requirements more closely track ECPA's requirements for such surveillance (i.e., providing a certification that the information obtained would be relevant to an ongoing investigation). However, Section 214 clarifies that a FISA court order should not authorize the gathering of foreign intelligence information for an investigation concerning a U.S. person or surveillance where the person has been singled out for investigation "solely upon the basis of" First Amendment activities. Section 215. Access to records and other items under the Foreign Intelligence Surveillance Act. Bottom Line: Potentially a broad expansion of the types of items which may be subject to FISA subpoena; may include servers, but provides for immunity for good faith disclosures. This provision substantially revises the FISA provisions governing access to business records for foreign intelligence and international terrorism investigations. Most significantly, the provision no longer limits the FBI's ability to obtain business records pursuant to an ex parte court order to specific categories of businesses. Previously, section 501 of FISA (50 U.S.C. § 1862) had subjected only common carriers, public accommodation facilities, physical storage facilities, or car rental facilities to FISA business record authority. By eliminating these categories and allowing these subpoenas to be issued to any person, Congress has, for example, included Internet service providers, banks, and any other business within the reach of business record authority. Second, Section 215(e) creates immunity for good faith disclosures of business records under this provision, and provides that disclosure of records does not waive any privilege in any other proceeding or context. Third, Section 215 eliminates a previous limitation of FISA business record authority to "a foreign power or an agent of foreign power," 18 U.S.C. § 1862(b)(2)(B), and expands the scope of items that may be obtained through this authority from "records" to "any tangible things," which might include, for example, a computer server on which information is stored. Fourth, the provision specifically prohibits investigations under this authority of U.S. persons that are conducted solely based on First Amendment activities. Finally, this section amends 50 U.S.C. § 1863 to require the Attorney General to fully inform and provide reports to select congressional committees, on a semiannual basis, of all requests for production of "tangible things," and to indicate in his report the total number of applications made, in the preceding six-month period, for court orders and, of those, the number of applications that were granted, modified, or denied. Section 216: Modification of authorities relating to use of pen registers and trap and trace devices. Bottom Line: Probably the most significant surveillance expansion in the Act. Clarifies that pen register/trap and trace authority applies to Internet traffic, permits nationwide service of process, and requires reports on use of "Carnivore"-type technology. Does not sunset. This provision makes three changes to existing law. First, by adding the terms "routing" and "addressing" to the phrase "dialing and signaling information," this amendment is intended to clarify that the pen register and trap and trace authority under ECPA applies to Internet traffic, provided that the information retrieved by these devices "shall not include the contents of any communication." Although the term "content" has a statutory definition, see 18 U.S.C. § 2510(8) (the term content "includes any information concerning the substance, purport, or meaning of [the] communication"), it is vague and has not been tested in the context of Internet communications. It will be important to monitor law enforcement requests to determine what Internet-related information law enforcement seeks to obtain under the new law beyond the "to" and "from" header information in e-mail communications that it already receives under existing pen register and trap trace law. Second, this provision also grants federal courts the authority to issue pen register and trap and trace orders that are valid anywhere in the United States, not just within their own jurisdiction. The advent of nationwide service will likely result in providers being asked with some frequency to render assistance even though they are not specifically named in the order and the assistance being requested is not specifically defined in the order. We worked on two modifications to this provision that permit service providers to demonstrate that in they are in fact complying with this new authority, and are eligible for a statutory good-faith defense or immunity from suit. First, Section 216 provides that a service provider has the right to receive a written certification from law enforcement confirming that the order applies to the provider being served with it. Moreover, Section 216 amends 18 U.S.C. § 3124(d) to clarify that compliance with a pen register/trap and trace "order," rather than the express "terms of such order" makes a service provider eligible for statutory immunity. Nevertheless, nationwide service could make it very difficult for local or regional service providers to oppose, modify, or contest court orders because it will require service providers to travel to numerous courts, in multiple jurisdictions, to address concerns over the breadth of court orders. Third, Section 216 directs law enforcement to file an ex parte and in camera report with the court whenever it uses a "Carnivore" device (defined as "installing and using its own pen register or trap and trace device on a packet- switched network" of a provider). The report would identify, inter alia, "the configuration of the device at the time of its installation" and "any information which has been collected by the device." The existence of these reports may help in future public policy debates on the propriety of the government compelling ISPs to install "Carnivore" devices and the extent of the use of such devices. The provision is a permanent change to federal law and is exempted from the sunset provision of Section 224. Section 217: Interception of computer trespasser communications. Bottom Line: Protects the government from liability for warrantless interceptions of hackers and similar "trespassers" at the request of a service provider; service providers' protection is less clear. This section provides new protection from liability for government officials if they conduct warrantless wiretaps of computer "trespassers" (persons who are not known to owner or operator of the computer to have a contractual relationship with that owner or operator and who gain unauthorized access to the system). The drafters presume that, under the "switchboard" provision of existing law (18 U.S.C. § 2511(2)(a)(i)), owners or operators of computers have the authority to intercept the communications of trespassers. Section 217 is designed to protect law enforcement officials when the owner or operator delegates that authority to law enforcement. (Under the "switchboard" exception, a service provider can intercept or disclose a user's communications when "necessary . . . to the protection of the right or property of the provider.") Although the House Judiciary Committee bill contained language that would have explicitly protected the service provider from liability for authorizing or providing facilities or technical assistance for this surveillance, the final legislation does not contain this language. To the extent that a court determines that the "switchboard" exception does not authorize owners or operators of computers to intercept the communications of trespassers, this omission could present a problem because there is case law indicating that ECPA's good faith defenses are not a basis for avoiding liability where actions are taken on the basis of an erroneous belief that a statutory provision authorizes the action. Nevertheless, Section 217 does not compel service providers to permit law enforcement to engage in the warrantless surveillance of trespassers, but rather leaves that decision entirely to the discretion of the service provider. Section 218: Foreign intelligence information requirement for FISA authority. Bottom Line: Relaxed standard for FISA surveillance. This provision amends FISA to require a certification that "a significant purpose," rather than "the purpose," of surveillance or search under FISA is to obtain foreign intelligence information. This reflects a compromise between existing law and a lower standard requested by the Administration. Section 219: Single-jurisdiction search warrants for terrorism. Bottom Line: Greatly facilitates nationwide warrants for terrorism investigations. This provision amends the Federal Rules of Criminal Procedure to allow federal judges to issue nationwide search warrants for investigations involving domestic or international terrorism (i.e., federal magistrate judges may issue search warrants in any jurisdiction where activities related to the terrorism may have occurred for a search of property or for a person within or outside the district). It will be much more difficult to seek review of orders that are issued remotely. To the extent that this modification makes government investigations easier, providers can expect to see an increased volume of requests. Also, the government in some instances will be able to choose a forum that is more likely to approve its requests. Section 220: Nationwide service of search warrants for electronic evidence. Bottom Line: Provides for expanded nationwide search warrants. This provision amends ECPA to allow a single court having jurisdiction over the offense to issue a search warrant for stored data such as e-mail that would be valid anywhere in the U.S. In its final form, this provision seeks to address forum-shopping concerns raised in response to the Administration's initial proposal by requiring that the court issuing the warrant have jurisdiction over the offense under investigation. To the extent that this modification makes government investigations easier, providers can expect to see an increase in volume of requests for assistance. Section 222. Assistance to law enforcement agencies. Bottom Line: Critical provision that makes it clear that the Act does not affect, either way, the ability of the government to require technical mandates. Makes clear that the legislation preserves the status quo with regard to technical mandates and other obligations on service providers to provide technical assistance to law enforcement. The language recognizes that there are technical mandates in other areas (namely CALEA, which applies to telecommunications services, but generally does not apply to the Internet), while at the same time making clear that the Act does not require ISPs to reconfigure their systems in any way to allow interception of, or to store, Internet Protocol traffic. Section 223. Civil liability for certain unauthorized disclosures. Bottom Line: Somewhat greater accountability of government agents for willful unauthorized disclosures of fruits of wiretaps and production of stored data. This provision makes a number of changes to prohibitions against unauthorized disclosure of by the government of information obtained through the surveillance authority provided by ECPA. The most significant of these changes is an explicit clarification that civil lawsuits are not available against the federal government under 18 U.S.C. §§ 2520 or 2707 for unauthorized interceptions or disclosures. However, it does not preclude actions against government agents, specifically prohibits willful unauthorized disclosure or use of information that the government obtains through surveillance, and increases the accountability of the government to discipline employees who willfully violate these sections. The end result is nonetheless more favorable to the government than the initial version of this provision, an amendment by Rep. Barney Frank (D-MA) approved in the House Judiciary Committee mark-up of the bill, which would have allowed lawsuits against the federal government for certain ECPA violations. Section 224: Sunset. Bottom Line: Four-year sunset for many relevant portions of this Act. This section, subject to a laundry list of exceptions, sunsets in four years the surveillance and intelligence gathering provisions (all of Title I and Title II) of the bill. The list of exceptions not covered by the sunset is as follows: Section 203(a)‹broadening the authority to share grand jury information. Section 203(c)‹establishment of procedures regarding the sharing of criminal investigative information. Section 205‹expedition of employment of translators to support counterterrorism. Section 208‹designation of FISA judges. Section 210‹broadening the scope of subpoenas for electronic communications service providers by requiring disclosure of the means and source of payment, including bank account or credit card numbers. Section 211‹treating cable companies that provide Internet services the same as other ISPs and telcos for such services. Section 213‹broadening the authority to delay notification of search warrants in criminal investigations if prior notice would have an adverse effect. Section 216‹extending trap and trace to Internet traffic so long as excludes "content." Section 219‹single-jurisdiction search warrants for terrorism. Section 221‹trade sanction amendments. Section 222‹no imposition of technical obligations on provider of a wire or electronic communication service, landlord, custodian, or other person who furnishes facilities or technical assistance. Section 225: Immunity for compliance with FISA wiretap. Bottom Line: Very important expansion of service provider immunity for compliance with FISA. This section provides immunity for civil liability from subscribers, tenants, etc. for entities that comply with FISA wiretap orders. This is language that we worked on creating complete immunity for providing "any information, facilities, or technical assistance in accordance with a court order or request for emergency assistance under [FISA]." Previously, FISA had failed to include protection for complying with FISA wiretaps. Section 225's liability protection is important because FISA wiretaps are likely to increase in the current climate. Section 351 et. seq. Bank Secrecy Act amendments and related improvements. Bottom Line: Expansion of Bank Secrecy Act in connection with bank records. These sections generally amend the law in ways that will permit increased government access to information from banks that relates to terrorism. At the same time, institutions and their directors, officers, employees, and agents are protected from liability for such reporting of suspicious banking activities. Similar provisions also apply to securities brokers and dealers regulated by the Securities and Exchange Act of 1934. Likewise, the Fair Credit Reporting Act is amended to allow consumer reporting agencies to provide consumer reports to government agencies for counterterrorism purposes. The provisions also require financial institutions to develop anti-money laundering programs. The banking provisions allow the Secretary of the Treasury to impose sanctions, including cutting off all dealings with United States financial institutions, on banks in a nation whose bank secrecy laws deny information to the Federal Bureau of Investigation or other agencies. Foreign banks maintaining correspondent accounts in United States banks must designate someone in the United States to receive subpoenas related to those accounts and their depositors. If those subpoenas are not answered, the accounts could be ordered closed. These amendments also bar United States banks from doing business with "shell banks" overseas that have no physical facilities and are not part of a regulated banking system. In addition, they empower the Treasury Secretary to require United States banks to exercise enhanced "due diligence" to find out who their private banking depositors are if they come from nations that will not assist United States officials. Section 814: Deterrence and prevention of cyber-terrorism. (Computer Fraud and Abuse Act Amendments: Narrowing Civil Liability) Bottom Line: Expands government's authority to prosecute hacking and denial of service attacks, codifies In re DoubleClick decision for private litigation under the Computer Fraud and Abuse Act, clarifies the meaning of damage/loss under the CFAA, and precludes private lawsuits for negligent design or manufacture of hardware or software. At the Administration's request, Section 814 increases criminal penalties for Computer Fraud and Abuse Act (CFAA) violations, adds computers located outside the U.S. to the definition of "protected computers" covered by the statute, adds a definition for the important, but previously undefined, statutory term "loss," and clarifies that criminal prosecutions for hacking or unauthorized transmissions may be brought under 18 U.S.C. § 1030(a)(5) if a "related course of conduct" causes $5,000 in loss. At the same time, Section 814 contains several improvements upon current law for civil defendants, who have increasingly become a target of plaintiff class actions brought using the private right of action contained in the CFAA. First, § 814(a) provides that the CFAA $5,000 damage threshold is satisfied through loss caused by a related course of conduct "for purposes of an investigation, prosecution, or other proceeding brought by the United States only." The negative implication of this language appears to be that a single act, not a related course of conduct, producing $5,000 in harm is necessary for anyone other than the government to bring a private lawsuit under the CFAA. If this interpretation prevails in the courts, then this provision will codify a recent decision in In re DoubleClick Privacy Litigation, 154 F. Supp.2d 497 (S.D.N.Y. 2001), that a civil action under § 1030(g) generally may be brought only if a "single act" produces $5,000 of loss within the meaning of the statute. Second, § 814(d) generally preserves the current $5,000 threshold for private lawsuits under § 1030(g) of the CFAA for "loss" to a computer system, except for cases involving damage to a system used by the government for the administration of justice, national defense, or national security. It also clarifies that the $5,000 threshold required for a private lawsuit under § 1030(g) applies both to actions for "damage" and "loss," thereby eliminating a statutory ambiguity that plaintiffs' class action lawyers had attempted to use to avoid the $5,000 threshold. Third, § 814(d) contains a provision from the original Senate bill stating that "[n]o action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware." Although this language could be somewhat clearer, this provision likely will be very helpful in obtaining dismissal of CFAA claims such as the ones challenging alleged defects in software or hardware that have been brought by several large class actions. Section 815: Additional defense to civil actions relating to preserving records in response to government requests. Bottom Line: Expands service provider defense in civil actions alleging disclosure to governments. Section 815 adds a new defense to civil or criminal liability under ECPA for service providers who preserve stored data at the request of a law enforcement official under 18 U.S.C. § 2703(f). The defense, which is added to 18 U.S.C. § 2707(e) (a provision providing defenses to private lawsuits for unauthorized access to or disclosure of stored data), provides additional protection for service providers against civil liability under ECPA. More complete information is at the website: http://www.epic.org/privacy/terrorism/usapatriot/ -------------------------------------------------------------------- PATRIOT II -------------------------------------------------------------------- Justice Dept. Drafts Sweeping Expansion of Anti-Terrorism Act By Charles Lewis and Adam Mayle (WASHINGTON, Feb. 7, 2003) -- The Bush Administration is preparing a bold, comprehensive sequel to the USA Patriot Act passed in the wake of September 11, 2001, which will give the government broad, sweeping new powers to increase domestic intelligence-gathering, surveillance and law enforcement prerogatives, and simultaneously decrease judicial review and public access to information. The Center for Public Integrity has obtained a draft, dated January 9, 2003, of this previously undisclosed legislation and is making it available in full text. The bill, drafted by the staff of Attorney General John Ashcroft and entitled the Domestic Security Enhancement Act of 2003, has not been officially released by the Department of Justice, although rumors of its development have circulated around the Capitol for the last few months under the name of the 'Patriot Act II' in legislative parlance. 'We haven't heard anything from the Justice Department on updating the Patriot Act,' House Judiciary Committee spokesman Jeff Lungren told the Center. 'They haven't shared their thoughts on that. Obviously, we'd be interested, but we haven't heard anything at this point.' Senior members of the Senate Judiciary Committee minority staff have inquired about Patriot II for months and have been told as recently as this week that there is no such legislation being planned. RELATED DOCUMENTS The draft of the Domestic Security Enhancement Act of 2003 at . Read the transcript of Moyers' interview with Charles Lewis . Comstock later told the Center that the draft "is an early discussion draft and it has not been sent to either the Vice President or the Speaker of the House." Dr. David Cole, Georgetown University Law professor and author of Terrorism and the Constitution, reviewed the draft legislation at the request of the Center, and said that the legislation 'raises a lot of serious concerns. It's troubling that they have gotten this far along and they've been telling people there is nothing in the works.' This proposed law, he added, 'would radically expand law enforcement and intelligence gathering authorities, reduce or eliminate judicial oversight over surveillance, authorize secret arrests, create a DNA database based on unchecked executive 'suspicion,' create new death penalties, and even seek to take American citizenship away from persons who belong to or support disfavored political groups.' Some of the key provision of the Domestic Security Enhancement Act of 2003 include: Section 201, 'Prohibition of Disclosure of Terrorism Investigation Detainee Information': Safeguarding the dissemination of information related to national security has been a hallmark of Ashcroft's first two years in office, and the Domestic Security Enhancement Act of 2003 follows in the footsteps of his October 2001 directive to carefully consider such interest when granting Freedom of Information Act requests. While the October memo simply encouraged FOIA officers to take national security, 'protecting sensitive business information and, not least, preserving personal privacy' into account while deciding on requests, the proposed legislation would enhance the department's ability to deny releasing material on suspected terrorists in government custody through FOIA. Section 202, 'Distribution of 'Worst Case Scenario' Information': This would introduce new FOIA restrictions with regard to the Environmental Protection Agency. As provided for in the Clean Air Act, the EPA requires private companies that use potentially dangerous chemicals must produce a 'worst case scenario' report detailing the effect that the release of these controlled substances would have on the surrounding community. Section 202 of this Act would, however, restrict FOIA requests to these reports, which the bill's drafters refer to as 'a roadmap for terrorists.' By reducing public access to 'read-only' methods for only those persons 'who live and work in the geographical area likely to be affected by a worst-case scenario,' this subtitle would obfuscate an established level of transparency between private industry and the public. Section 301-306, 'Terrorist Identification Database': These sections would authorize creation of a DNA database on 'suspected terrorists,' expansively defined to include association with suspected terrorist groups, and noncitizens suspected of certain crimes or of having supported any group designated as terrorist. Section 312, 'Appropriate Remedies with Respect to Law Enforcement Surveillance Activities': This section would terminate all state law enforcement consent decrees before Sept. 11, 2001, not related to racial profiling or other civil rights violations, that limit such agencies from gathering information about individuals and organizations. The authors of this statute claim that these consent orders, which were passed as a result of police spying abuses, could impede current terrorism investigations. It would also place substantial restrictions on future court injunctions. Section 405, 'Presumption for Pretrial Detention in Cases Involving Terrorism': While many people charged with drug offenses punishable by prison terms of 10 years or more are held before their trial without bail, this provision would create a comparable statute for those suspected of terrorist activity. The reasons for presumptively holding suspected terrorists before trial, the Justice Department summary memo states, are clear. 'This presumption is warranted because of the unparalleled magnitude of the danger to the United States and its people posed by acts of terrorism, and because terrorism is typically engaged in by groups ' many with international connections ' that are often in a position to help their members flee or go into hiding.' Section 501, 'Expatriation of Terrorists': This provision, the drafters say, would establish that an American citizen could be expatriated 'if, with the intent to relinquish his nationality, he becomes a member of, or provides material support to, a group that the United Stated has designated as a 'terrorist organization'.' But whereas a citizen formerly had to state his intent to relinquish his citizenship, the new law affirms that his intent can be 'inferred from conduct.' Thus, engaging in the lawful activities of a group designated as a 'terrorist organization' by the Attorney General could be presumptive grounds for expatriation. The Domestic Security Enhancement Act is the latest development in an 18-month trend in which the Bush Administration has sought expanded powers and responsibilities for law enforcement bodies to help counter the threat of terrorism. The USA Patriot Act, signed into law by President Bush on Oct. 26, 2001, gave law enforcement officials broader authority to conduct electronic surveillance and wiretaps, and gives the president the authority, when the nation is under attack, to confiscate any property within U.S. jurisdiction of anyone believed to be engaging in such attacks. The measure also tightened oversight of financial activities to prevent money laundering and diminish bank secrecy in an effort to disrupt terrorist finances. It also changed provisions of Foreign Intelligence Surveillance Act, which was passed in 1978 during the Cold War. FISA established a different standard of government oversight and judicial review for 'foreign intelligence' surveillance than that applied to traditional domestic law enforcement surveillance. The USA Patriot Act allowed the Federal Bureau of Investigation to share information gathered in terrorism investigations under the 'foreign intelligence' standard with local law enforcement agencies, in essence nullifying the higher standard of oversight that applied to domestic investigations. The USA Patriot Act also amended FISA to permit surveillance under the less rigorous standard whenever 'foreign intelligence' was a 'significant purpose' rather than the 'primary purpose' of an investigation. The draft legislation goes further in that direction. 'In the [USA Patriot Act] we have to break down the wall of foreign intelligence and law enforcement,' Cole said. 'Now they want to break down the wall between international terrorism and domestic terrorism.' In an Oct. 9, 2002, hearing of the Senate Judiciary Subcommittee on Technology, Terrorism, and Government Information, Deputy Assistant Attorney General Alice Fisher testified that Justice had been, 'looking at potential proposals on following up on the PATRIOT Act for new tools and we have also been working with different agencies within the government and they are still studying that and hopefully we will continue to work with this committee in the future on new tools that we believe are necessary in the war on terrorism.' Asked by Sen. Russ Feingold (D-Wis.) whether she could inform the committee of what specific areas Justice was looking at, Fisher replied, 'At this point I can't, I'm sorry. They're studying a lot of different ideas and a lot of different tools that follow up on information sharing and other aspects.' Assistant Attorney General for Legal Policy Viet Dinh, who was the principal author of the first Patriot Act, told Legal Times last October that there was 'an ongoing process to continue evaluating and re-evaluating authorities we have with respect to counterterrorism,' but declined to say whether a new bill was forthcoming. Former FBI Director William Sessions, who urged caution while Congress considered the USA Patriot Act, did not want to enter the fray concerning a possible successor bill. "I hate to jump into it, because it's a very delicate thing," Sessions told the Center, without acknowledging whether he knew of any proposed additions or revisions to the additional Patriot bill. When the first bill was nearing passage in the Congress in late 2001, however, Sessions told Internet site NewsMax.Com that the balance between civil liberties and sufficient intelligence gathering was a difficult one. 'First of all, the Attorney General has to justify fully what he's asking for,' Sessions, who served presidents Reagan and George H.W. Bush as FBI Director from 1987 until 1993, said at the time. 'We need to be sure that we provide an effective means to deal with criminality.' At the same time, he said, 'we need to be sure that we are mindful of the Constitution, mindful of privacy considerations, but also meet the technological needs we have' to gather intelligence. Cole found it disturbing that there have been no consultations with Congress on the draft legislation. 'It raises a lot of serious concerns and is troubling as a generic matter that they have gotten this far along and tell people that there is nothing in the works. What that suggests is that they're waiting for a propitious time to introduce it, which might well be when a war is begun. At that time there would be less opportunity for discussion and they'll have a much stronger hand in saying that they need these right away.' Copyright 2002, The Center for Public Integrity. All rights reserved 10