The law has a long name and far-reaching implications: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism. The USA-PATRIOT Act, among other things, greatly expands law enforcement’s ability to detain material witnesses (seemingly indefinitely) and gain easier access to financial and other personal transactions.
The act has already forced changes in rules governing the telecom industry’s proprietary and customer information. The FBI, the National Security Agency and the CIA allege that Osama bin Laden and his lieutenants in the al Qaeda network used PCs, laptops, email, information embedded in Internet images, satellite phones, wireless devices, pay phones and even disposable cell phones to organize attacks on U.S. interests.
The irony that a supposedly low-tech group of individuals used high-tech communications to achieve its ends has not been lost on either the government or telecommunications companies. The PATRIOT law—as well as other antiterrorism legislation—greatly expands police powers to obtain customer billing and account information. Telecommunications companies, including small-town phone companies, mega ISPs and cable companies that offer voice and data services, must reexamine the privacy rights of customers regarding their usage and billing information, passwords for third-party voice mail, email, and email attachments—and be prepared to hand that information over when the FBI or other intelligence agencies come knocking.
Telecom companies are just now reviewing the new rules, putting together committees of lawyers, security personnel and billing and OSS managers to bone up on what the changes mean. Some rules may mean technical changes to make information more easily accessible.
“From a business perspective, it’s too early to tell what staffing and technical changes we’ll have to make,” says Verizon spokesperson Susan Butta. “In light of the Sept. 11 attacks, we are seriously evaluating the legitimate concerns that have been raised. We’re studying the law, … and we will comply with law enforcement and comply with the law.”
Verizon’s security office in New York is studying a field manual published and distributed by the Department of Justice (DOJ) that outlines expanded law enforcement power.
Billing World and OSS Today obtained a copy of the field manual, “New Authorities Enacted in the 2001 Anti-Terrorism Legislation,” which summarizes the rules agents had to follow in the past, and what the new laws allow them to do.
The law is now in effect. U.S. Attorney General John Ashcroft told the U.S. Mayor’s Conference on Oct. 25, “investigators will be directed to pursue aggressively terrorists on the Internet” and to use “devices that capture senders’ and receivers’ addresses.” Ashcroft also promised to use “roving” wiretaps—the tapping of multiple phones a suspect may use.
What follows is a summary of the old police powers and the new kinds of information telecommunications providers might be ordered to turn over.
Section 209: New Rules for Voice Mail
The Electronic Communications Privacy Act (ECPA) of 1986 previously governed law enforcement access to stored electronic communications such as email, but not stored wire communications such as voice mail. Instead, wiretap statutes governed such access because the definition of “wire communication” included stored communications, arguably requiring law enforcement to use a wiretap order rather than a search warrant to obtain unopened voice messages stored in voice mail boxes, unlike those in a home answering machine.
But according to the DOJ, “Regulating stored wire communications created large and unnecessary burdens for criminal investigations. Stored voice communications possess few of the sensitivities associated with the real-time interception of telephones, making the extremely burdensome process of obtaining a wiretap order unreasonable.”
Not only that, but the old law treated phone calls differently from non-voice communications such as faxes, pagers and email. “With the advent of multipurpose Internet mail extensions (MIME)” the field manual says, “email may include one or more attachments consisting of any type of data, including voice recordings.” Therefore, the DOJ argues, agents trying to obtain a suspect’s unopened email from an ISP by means of a search warrant had no way of knowing whether the inbox messages included voice attachments that could not be covered by a search warrant.
To fix this hang-up, Congress amended Section 209 to alter the way the wiretap statute and ECPA apply to stored voice communications. The new law ensures that stored wire communications are covered under the same rules as stored electronic communications. Agents can now grab embedded voice messages off email with a search warrant instead of a wiretap order.
Section 210: Scope of Subpoenas for Electronic Evidence
Under previous law, agents could use a subpoena to compel carriers to hand over a limited class of information, such as the customer’s name, address, length of service, and means of payment. Those subpoenas did not include other records such as a credit card number or other form of payment that could help determine a customer’s true identity.
In many cases, the manual argues, subscribers register with ISPs using false names. “In order to hold these individuals responsible for criminal acts committed online [such as planning terrorist attacks] the method of payment is an essential means of determining true identity.”
Not only that, the DOJ says, old rules primarily covered traditional telephone communications. The old list included “local and long distance telephone toll billing records” but did not define what that phrase meant in the context of the Internet.
How to fix this? The new rules update and expand the list of records to include session times and durations. The new customer information the FBI can now obtain also includes “any temporarily assigned network address,” including the IP address for the session, as well as the remote IP address from which the customer connects to the provider. “Obtaining such records will make the process of identifying computer criminals and tracing their Internet communications faster and easier,” the manual says.
The USA-PATRIOT Act also lets police obtain the means and source of payment the customer uses—including credit card number and bank account number. “This information will prove particularly valuable in identifying the users of Internet services where a [telecommunications] company does not verify its users’ biographical information,” the manual says.
By the way, unlike other provisions of the USA-PATRIOT Act, this portion does not have a “sunset” provision making it void after a determined time.
Section 211: Weakening Protections in the 1984 Cable Act
With the advent of cable DSL and cable voice communications, the Cable Communications Act of 1984 did not give law enforcement groups leeway to eavesdrop or obtain customer information. Cable privacy is protected under both ECPA (for voice and Internet access) and the Cable Act, which guards the privacy of traditional cable service customers.
“The Cable Act set out an extremely restrictive system of rules governing law enforcement access to most records possessed by a cable company,” the DOJ says. It did not allow, for instance, the use of subpoenas or even search warrants to obtain such records. Cable companies had to tell the customer before law enforcement agents could act. In fact, the Cable Act gave the customer the right to first appear in court with an attorney as the police or FBI tried to justify to the court the need to obtain customer records. The court could then order disclosure of the records only if it found that the subscriber was reasonably suspected of engaging in criminal activity by “clear and convincing evidence,” a standard greater than probable cause or even preponderance of evidence. “This procedure was completely unworkable for virtually any criminal investigation,” the manual argues.
The new rules “clarify” that the ECPA, the wiretap statute, and the trap-and-trace statute (see below) now govern disclosures by cable companies that provision voice and data services. The new rules don’t affect customer information regarding traditional cable TV services, such as pay-per-view shows. So investigators can only get information pertaining to the customer’s cable Internet or voice accounts.
Other Aspects of Antiterrorism Legislation
Changes in the law also include:
• If an ISP learns independently that one of its customers is part of a conspiracy to commit an imminent terrorist attack, prompt disclosure of the customer account information could save lives. The new rules permit, but don’t require, the ISP to disclose to police or other law enforcement agencies content or non-content customer records in emergencies involving an imminent risk of death or serious injury to another person
• Service providers do have the statutory authority to disclose non-content records to protect their rights and property
• The pen register and trap-and-trace rules (enacted as part of ECPA) govern the collection of non-content traffic information associated with communications, such as the phone numbers that dial or are dialed by a particular telephone. (Pen registers are devices that capture phone numbers dialed on outgoing calls; trap-and-trace devices capture the originating numbers for incoming calls.) Section 216 updates the statute in three ways: agents can use pen/trap orders to trace communications on the Internet and other computer networks; such orders issued by federal courts now have nationwide effect; and authorities must file a special report with the court whenever they use such an order to install their own monitoring device, such as the FBI’s Carnivore system for Internet eavesdropping
• In domestic and international terrorism cases, a search warrant issued in one district where activities related to terrorism have occurred is good in other jurisdictions. Police previously had to get a search warrant in each jurisdiction where crimes occurred
• The same national search warrant rules apply to email: a court order in one district allowing a search of email is good in any other jurisdiction. This saves time going to judges in each state to get permission, the DOJ argues.
The feds, in some cases, aren’t even bothering with subpoenas.
A report in the Washington Post (“Legal Niceties Aside … Federal Agents Without Subpoenas Asking Firms for Records,” Nov. 7, 2001) said that at least two telecommunications firms found themselves confronted by FBI agents demanding records, even though the agents weren’t armed with subpoenas. The article warns of a new reality in search and seizure surrounding company financial and customer data.
“In short,” the article said, “the new law lays the groundwork for a domestic intelligence-gathering system with unprecedented power.”
Regulatory Watch: Telcos Face Realities of Increased Police Powers