USA Patriot Act: How to Be Response Ready
Concerned about protecting staff and student privacy while complying with new anti-terrorism laws? It's never too late to establish a chain of command, procedures, and protocols, say the experts. (Legislation)
"The Patriot Act is like a puzzle," says Tracy Mitrano, Cornell University's co-director of the Computer Policy and Law Program, and policy adviser in the Office of Information Technologies. "You can't just sit down and open the Act and read it from beginning to end." Truth is, she says, when administrators attempt to read the 132-page Act (which contains amendments and provisions to, among other things, the Family Educational Rights and Privacy Act [FERPA], the Foreign Intelligence Surveillance Act [FISA], and the Electronic Communications Act [ECA]), they find they can barely make heads or tails of it.
But the greatest obstacle, Netz maintains, is that of dealing with staff in traditionally sensitive areas: campus administrators and professionals who are having a tough time getting used to the fact that privacy is no longer absolute.
STEP ONE: Make a Start
Even though privacy is no longer a given, college administrators say that putting a Patriot Act response policy in place will show staff and students that an institution is doing everything it possibly can to protect their privacy. What's more, having a solid policy in place is the most effective means of deterring well-meaning campus officials who may be just too willing to hand over information to law enforcement officials. A well-structured policy can help those individuals recognize legitimate requests, and question dubious ones.
Says Mitrano: "It makes people feel more secure to know that there are procedures in place to respond to requests for legal papers, especially in the case of the amendment of FERPA, which allows for emergency disclosure. Thanks to the procedures we've created at Cornell, we are in a much better position to follow fair information practices--even in the midst of a war on terrorism."
A good policy should spell out for administrators what procedures they need to follow to respond to court orders, warrants, and subpoenas, while remaining within the scope of the liability protections provided by the Patriot Act. A well thought-out policy can also help clarify for administrators the murkiest areas of the Patriot Act, such as the sections which relate to computer trespass, and which seem to give law enforcement unchecked powers. College officials should know how to handle those requests, especially, before they are actually made, say the experts.
And while the Patriot Act does contain liability-minimizing language (e.g., a college or university "shall not be liable to any person" for good-faith disclosure of education records in response to a federal law enforcement request), Mitrano advises institutions to consider liability situations proactively--that is, in advance. "Liability consideration means assessing: What will be the cost we may incur, by not routing legal requests for papers? From imprudent 'emergency' disclosures? From the potential constitutional problems that arise through civil rights liability?" These, she says, are the questions that must be asked in advance--and answered with specifics--before a Patriot Act policy can be constructed.
STEP TWO: Utilizing Legal Counsel
Martin Michaelson is partner of the Washington, D.C. law firm Hogan and Hartson LLP--the largest legal firm in the capital, and experts at deciphering complex legislation for some of the most famous clients in the world. Michaelson advises institutions to self-assess prior to creation of policy regarding the new legislation. "The range of issues that are addressed by the USA Patriot Act apply quite differently to some institutions than to others," he says. "For example, institutions involved in little if any laboratory work with select agents [e.g., biochemical or biological agents] would be less concerned with the potentially quite burdensome--albeit important--requirements of the Patriot Act that involve select agents." The real key to devising an effective policy, says Michaelson, is to first find out--through university legal counsel--what areas of the Act are most applicable to the campus, and what the corresponding requirements of the law are. After that, says the attorney, those requirements need to be allocated across the various offices on campus.
In fact, Cornell administrators did just that, says Mitrano: They asked university legal counsel to review the Patriot Act, and outline any relevancy it had to the institution's various departments, such as the Office of Information Technology and the Registrar's office. Then the counsel's office advised each department about creating protocols. For instance, in the Office of Information Technology, Mitrano herself explained to employees what the computer trespass provision provides. "Then we made it our own departmental policy that if anyone believes he has experienced a trespass and wants to have federal authorities involved, he must take it through the policy officer and the vice president; after that, we contact counsel's office," she says. "We don't want people all over the university calling the FBI just because they feel it's now legal to ask for federal intervention. We needed to set up the proper protocol in advance."
Gary Wagner, director of the Office of Curriculum and Registration at the University of Arizona, responded to the Patriot Act by sending a letter to all deans, directors, and department heads, instructing them in procedure, should law enforcement request a non-consensual release of student information. The letter states that the assistant registrar is the individual responsible for handling all law enforcement student record requests. The letter goes on to say that the assistant registrar will routinely consult with the university attorney, regarding specific data requests.
Dorothy Robinson, VP and general counsel at Yale University, believes it is wise for university officials in a position to receive requests for information to have those requests reviewed by legal counsel, before responding. "Many schools were not sensitized to this necessity in the weeks immediately following September 11," she says. "Registrars at some colleges were responding without further review, but now they're taking these matters seriously. They want to understand their legal responsibilities and they also want to fulfill their obligations to protect the privacy of students and employees."
WHAT THE ACT MEANS TO YOU
To provide you with a quick primer, we've identified the four predominant areas of the USA Patriot Act as:
* PRIVACY OF STUDENT RECORDS
* INFORMATION TECHNOLOGY
* SUBPOENAS AND WARRANTS
* ENVIRONMENTAL HEALTH & SAFETY
With the help of excerpts from a memorandum prepared by Hogan and Hartson LLP, forwarded to 200 colleges and universities ("Re: Anti-terrorism legislation," October 25, 2001), below are the provisions of the USA Patriot Act likely to have the greatest impact on colleges and universities. Following each excerpt are issues of concern raised by our interviewees. We suggest you use the impact descriptions and the discussions beneath them to open or continue your own discussions with other university administrators and with legal counsel, in order to help your institution form an appropriate Patriot Act Response Policy.
PRIVACY OF STUDENT RECORDS
What the USA Patriot Act does, and its impact: Amends the Family Educational Rights and Privacy Act (FERPA) to permit educational institutions to disclose education records to federal law enforcement officials without student consent in some circumstances:
* By certifying that "specific and articulable facts" support the request, a U.S. assistant attorney general or a higher-ranking official may obtain a court order that requires an educational institution to turn over records relevant to a terrorism investigation.
* Institutions do not violate FERPA by responding to such an order without student consent.
* The institution need not make a record of the disclosure, as FERPA ordinarily requires. (The U.S. Attorney General, after consulting the Secretary of Education, is to issue guidelines--directed at law enforcement agencies, not educational institutions--on retention, dissemination, and use of disclosed records.)
* A college or university "shall not be liable to any person" for good-faith disclosure of education records in response to such an order.
* Does not explicitly amend FERPA's "health or safety emergency" exception. The precise interplay of that exception and the Act's provisions is subject to interpretation.
* Access to NCES survey information. Permits federal law enforcement officials to collect student information from the National Center for Educational Statistics.
* Monitoring of foreign students. Calls for full implementation, and expansion to all foreign students (other than those who hold immigrant visas) of existing law--not enforced to date by the federal government to the extent of its authority--that permits federal agencies to collect from colleges and universities information (name and address; visa classification and issuance or extension date; full-time enrollment status; and disciplinary action resulting from criminal conviction) about such students. Existing law exempts from FERPA such disclosures. New INS information requests to colleges and universities are likely.
Campus Concerns: Under FERPA, there existed an exception to the protection of student records; that is, records could be accessed without the permission of the student if the health and safety of the individual was at stake, as in the case of a student who expressed suicidal intentions. The new exception provided by the USA Patriot Act is narrowly tailored to terrorism and allows federal law enforcement officials access to student records without the consent of the student--if there is reason to believe that individual may be involved in terrorist activity.
Says Mitrano: "Critics say, 'We already had an exception, why do we need this one?' But the new exception is appropriate under the circumstances of September 11 because the existing exception was created to safeguard the individual and this one is designed to protect the health and safety of everyone else. And because it is narrowly tailored towards terrorism, law enforcement officials should not be able to request the records for other investigations." The downside? "The term 'terrorism' might come under judicial scrutiny," says Mitrano. Even though the Patriot Act defines terrorism, she points out, what one person might consider terrorism, another person might not. "There were those who thought Martin Luther King was a communist conspirator, and today we celebrate his birthday," she notes.
INFORMATION TECHNOLOGY
What the USA Patriot Act does, and its impact: As providers of communication services--including telephones, computers, and Internet access--colleges and universities will be affected by Title II of the Act, Enhanced Surveillance Procedures. Many Title II provisions will "sunset"--i.e., cease to have effect unless renewed by Congress--on December 31, 2005.
* Voluntary disclosure of electronic communications or records. Amends the criminal code pertinent to voluntary disclosure of information by providers of electronic communication service.
  * A provider may disclose to law enforcement officials the contents of an electronic communication, if the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury requires disclosure without delay.
  * A provider may disclose information about a "customer" or "subscriber" (which for a college or university may include faculty, staff, students, and possibly others in some circumstances) to a government entity, if the provider reasonably believes that an emergency involving immediate danger of death or serious injury justifies disclosure.
* Required disclosure of electronic communications or records. Expands the scope of technology-related information law enforcement officials may obtain through warrants, subpoenas, and court orders.
  * Permits government officials to seek stored voice-mail messages without wiretap authorization.
  * Adds categories of customer information that electronic communication service providers must disclose in response to an administrative subpoena, including subscribers' local and long-distance telephone connection records; records of session times and durations; length of service and types of service; telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and means and source of payment (including credit card or bank account number).
* Electronic surveillance. Expands the government's ability to obtain, and the scope and reach of, court orders for some electronic surveillance devices. For example:
  * Internet addresses. To cover the Internet, expands existing law enforcement surveillance authority. A so-called "pen register" or "trap-and-trace device" may lawfully be used to obtain dialing, routing, addressing, or communication if such information does not include communication content. Unclear is whether law enforcement agencies will now be permitted to use such devices to obtain a record of URLs a user has visited. Although the statute authorizes collection of "addressing" information, a record of URLs might be considered "content."
  * Internet surveillance. Authorizes the government to install certain devices, such as "Carnivore," to track Internet use. Carnivore was the controversial program sponsored by the FBI that enabled government criminal investigators to intercept and collect information on the Internet. The Act as passed, unlike earlier versions, imposes on service providers no new obligation to furnish facilities or technical assistance to aid law enforcement in this regard, and authorizes compensation for reasonable expenditures incurred in providing such aid.
* Computer trespassers. In some circumstances, authorizes providers to permit law enforcement officials and persons acting for them to intercept without a warrant communications of "computer trespassers" (persons who access protected computers without authorization). A person who has an "existing contractual relationship with the owner or operator of the computer for access to all or part of the protected computer" is not a "computer trespasser."
* Computer hacking. Increases penalties for certain computer hacking crimes, including accessing and transmitting destructive programs, such as viruses, to computers. If loss exceeds $5,000--for example, if the hacker damaged university equipment--the hacker may be sued.
Campus Concerns: Mitrano believes that the amendments to the Electronic Communications Privacy Act leave some questions open. For instance, once an IHE asks federal law enforcement officials to come onto the campus and investigate, the law does not say whether or not that college official can request law enforcement to leave just as quickly as they arrived. The lack of a clear definition of the boundaries of this type of investigation may limit the ability of a school to protect its students and staff from "gestapo" tactics.
And, says Mitrano, individuals in the IT departments at schools have another concern, given the nature of network communications. Because the federal government is empowered to monitor both international and domestic electronic communications without a warrant, it is likely that federal law enforcement could detect trespass of a university network's air space. Under the Patriot Act, the FBI can contact the school and suggest law enforcement officers come in and further investigate the invasion.
"You have to be prepared to handle all of the implications of that kind of request, or you will be taken off guard," Mitrano says. "No one wants to make investigations of terrorism difficult, but by the same token, we don't know how or in what ways these laws or this war on terrorism may, ironically, come to impinge upon our own civil liberties, or the autonomy of our academic institutions. If you haven't considered, in advance, how to handle a situation like that, you might find yourself in a compromised situation."
SUBPOENAS AND WARRANTS
What the USA Patriot Act does, and its impact:
* Court order for education records. Amends FERPA to permit disclosure without student consent, pursuant to a court order, of education records law enforcement officials consider relevant to a terrorism investigation.
* Required disclosure of communications or records. Expands the scope of technology-related information law enforcement officials may obtain pursuant to warrants, subpoenas, and court orders.
* Electronic surveillance. Amends the criminal code regarding law enforcement agency use of certain electronic surveillance devices.
* Wiretapping. Expands law enforcement agency authority to intercept wire, oral, and electronic communications that relate to terrorism and computer fraud and abuse.
* Business records. Amends the Foreign Intelligence Surveillance Act of 1978 (FISA) to permit the FBI to seize, with a court order, certain business records pursuant to a terrorism or intelligence investigation. Prohibits any person from disclosing (other than persons necessary to produce the records) that the FBI sought or obtained records under FISA.
* Search warrants. Permits courts in some circumstances to issue a nationwide search warrant.
Campus Concerns: The broadened use of subpoenas requiring the disclosure of any records "relevant" to an investigation (a lower standard than the previous need for "probable cause"), raises issues of concern for colleges and universities.
"The way in which law enforcement now can apply for and be authorized to use pen registers and trap-and-trace devices is now below traditional Fourth Amendment standards," Mitrano says. And it is unclear exactly what type of information could be handed over under these lower standards, she explains. "Are subject lines content or not?" she asks. "If they are, we need either legal assurance that subject lines will not be gathered in those devices, or we need a higher standard that's more traditional when law enforcement requests access to content."
Regarding FISA amendments, a few issues arise, says Mitrano: First, under FISA, subpoenas for business records override library confidentiality laws. In addition, a college or university does not have to keep a record of the business record request. But most significantly, under the Patriot Act, schools are restricted from disclosing that the request was ever made.
"The intention is to make sure that a suspected terrorist is not 'tipped off' that he is being investigated," Mitrano says. On the other hand, she offers, "If it turns out the individual investigated has not been involved in criminal activity, then school administrators are faced with a dilemma: Should they reveal an abusive investigation? If they do, they may face personal liability for revealing that the requests were made. That's a problem."
ENVIRONMENTAL HEALTH AND SAFETY
What the USA Patriot Act does, and its impact:
* Biological agents and toxins. Punishes by fine and/or up to 10 years imprisonment knowing possession of a biological agent, toxin, or delivery system of a type or in quantity not "reasonably justified" by a research or other "peaceful purpose."
* "Select agents." Makes it a crime for nationals of countries determined to support terrorism, persons indicted for or convicted of serious crimes, and certain others to possess or transport a "select agent" (including, for example, anthrax and other agents identified in Department of Health and Human Services regulations).
* Other legislative proposals, notably concerning bioterrorism, are currently pending in Congress.
Campus Concerns: Says Michaelson: "A number of research universities are tuning into the complexities of more law enforcement officials running background checks on folks who will be in the laboratories than was previously the case. An emerging concern: Potential collisions between the workings of anti-terrorism laws (including the Patriot Act) and the acceptance of classified research (which implies many universities)."
* The issues addressed by the Act apply differently to various institutions. For instance: Does your university lab handle select biological or biochemical agents? If not, you may be able to skip those sections.
* Cornell administrators asked university legal counsel to review the Act, and outline relevancy to the institution's various departments. The counsel's office then advised each department about creating protocols.
* A good policy should spell out for administrators what procedures they need to follow to respond to court orders, warrants, and subpoenas, while remaining within the scope of the liability protections provided by the Act.
* Gary Wagner, director of the Office of Curriculum and Registration at the University of Arizona, responded to the Patriot Act by sending a letter to all deans, directors, and department heads, instructing them in procedure, should law enforcement request a non-consensual release of student information.