[ISN] Bill would narrow intruder surveillance

InfoSec News isn at c4i.org
Thu Sep 23 03:15:55 EDT 2004


By Kevin Poulsen
Sept 22, 2004

A proposal in the U.S. Senate would scale back a federal surveillance
law that permits law enforcement agencies to electronically monitor a
computer trespasser without a warrant with the consent of the victim.

Under a provision of the 2001 USA Patriot Act intended to give system
owners the ability to work with officials to combat intruders, the FBI
and other agencies can surveil the communications of an electronic
trespasser to, from or through a computer, provided the "owner or
operator of the protected computer authorizes the interception."

But in addition to intruders, the provision - called Section 217 --
leaves legitimate users of public computers at libraries, Internet
cafes, business lounges and hotels vulnerable to warrantless
surveillance, based only on a suspicion that the user is engaged in
some kind of unauthorized activity, argues senator Russ Feingold, who
introduced the Computer Trespass Clarification Act earlier this month.

"The computer owner authorizes the surveillance, and the FBI carries
it out," said Feingold, in introducing the bill. "There is no warrant,
no court proceeding, no opportunity even for the subject of the
surveillance to challenge the assertion of the computer owner that
some unauthorized use of the computer has occurred."

Section 217 protects users who have a contract with the computer's
owner granting them access; Feingold's bill would expand that
protection to users who have any authorized access to the computer,
even without a contract.

The proposal would also narrow the range of cases qualifying for
warrantless law enforcement surveillance to those in which the
computer's owner or operator "is attempting to respond to
communications activity that threatens the integrity or operation of
such computer and requests assistance to protect rights and property
of the owner or operator."

Additionally, it would permit officials to conduct the surveillance
for only 96 hours before they'd have to go to court and get a warrant,
and it would require the Justice Department to report annually to
Congress on its use of the provision.

"I strongly supported the goal of giving computer system owners the
ability to call in law enforcement to help defend themselves against
hacking," said Feingold. "Unfortunately, the drafters of the provision
made it much broader than necessary."

Enacted in response to the September 11, 2001 terrorist attacks, the
132-page USA Patriot Act passed in the Senate 98 to 1, with Feingold
casting the only dissenting vote. It passed in the House 356 to 66.

Section 217 is among the provisions set to expire, or "sunset," in
December, 2005, unless it's renewed by Congress.

In a July report arguing the importance of USA Patriot, attorney
general John Ashcroft wrote that Section 217 merely "places
cyber-intruders on the same footing as physical intruders."

"Hacking victims can seek law-enforcement assistance to combat hackers
just as burglary victims can invite police officers into their homes
to catch burglars," wrote Ashcroft.

More information about the ISN mailing list