Tapped Out

Now imagine this: You illegally download a copyrighted MP3 file, violating your terms of service contract with America Online. Without your knowledge, AOL proceeds to authorize the federal government to monitor every e-mail you send and every website you visit in order to collect evidence to prosecute you as a "computer trespasser."

Welcome to the unintended consequences of the Anti-Terrorism Act of 2001, which is being debated in Congress this week. The central insight of the bill is sound: that law enforcement officials should have greater powers to investigate potential acts of terrorism than when they investigate less serious crimes. But in some respects, the bill doesn't empower the federal government to investigate genuine emergencies nearly enough. And in others it carelessly expands the definition of terrorism to cover low-level computer crimes. In other words, it threatens privacy without increasing security.

But in other areas, the bill would dramatically expand surveillance authority--for the investigation of all crimes, not just those involving terrorism--even where there is no immediate threat of harm. For example, one provision of the Anti-Terrorism Act would give the government essentially unlimited authority to install recording devices to monitor the "dialing, routing, addressing, or signaling information" of any citizen's electronic communications, including e-mail or Web browsing. In the past the Supreme Court has allowed law enforcement this kind of unregulated access to relatively public information, such as the local telephone numbers that we dial from home, on the theory that the phone company knows the local numbers anyway so no one expects them to remain private in the first place. But the e-mail and Web browsing information that will now be available to the government is far more revealing than a local phone number: It includes the subject lines on our e-mail and the URLs on which we click--which may contain, for example, the search terms we plug into Amazon or Google. This expanded monitoring authority might be defensible if it were limited to cases of potential terrorism. But it isn't. To begin monitoring, a federal agent need merely insist that the monitoring is relevant to the investigation of a crime, even a minor one. The Washington Post calls provisions like this "hitchhikers" --items that have long been on law enforcement wish lists but have nothing to do with terrorism.

Another troubling provision of the Anti-Terrorism Act allows the government to intercept the communications of computer "trespassers"--even those who can't remotely be considered terrorists. The act defines a computer trespasser very broadly as "a person who accesses a protected computer without authorization." Once someone is defined this way, an ISP like AOL or Microsoft can give unilateral consent to the government to monitor all of his or her communications as long as the monitoring is relevant to the investigation of some crime, no matter how minor. "If you were technically in violation of your ISP's terms of service--and given how broad they are that can happen quite easily--you suddenly forfeit privacy rights and the ISP can consent to surveillance of your activities," says Alan Davidson of the Center for Democracy and Technology.

Peter Swire, privacy czar under President Clinton, notes other examples of unauthorized computer access that the current legislation would define as federal terrorism offenses, punishable by up to life in prison: employees of a credit agency tampering with their customer's credit history; a store manager fraudulently using the store's computers to pay off gambling debts; and the unauthorized use of an ATM. These are certainly crimes, but they're not terrorism. Swire also points to another new federal terrorist offense created by the bill: "intentionally causing damage without authorization to a protected computer" by transmitting a "program, information, code, or command." This language, intended primarily to prohibit hacking and the intentional spread of viruses, has been applied in the past to former employees who inadvertently delete files after accessing an old account. By defining these computer abuses as terrorism, the versions of the bill currently being debated would subject a great deal of low-level crimes to federal scrutiny.

In addition to eroding electronic privacy, the terrorism bill contains a series of important amendments to the Foreign Intelligence Surveillance Act, or fisa. By certifying to a secret court that a particular individual is an agent of a foreign power, including a terrorist organization, fisa allows the government to wiretap and otherwise surveil someone without reasonable suspicion that he or she is about to commit a particular crime. This would normally violate the Fourth Amendment, but because fisa governs agents of foreign powers, traditional constitutional protections don't apply. Until now fisa has required that foreign intelligence-gathering be the primary purpose of an investigation. But the Anti-Terrorism Act changes this, allowing sweeping surveillance of a suspect even if foreign intelligence is only one of several purposes of the investigation. The current bill also authorizes roving wiretaps, permitting the government to monitor any communications device that a particular suspect used, including cell phones, work phones, computers--even search engines in public libraries. Roving wiretaps might make sense if there's evidence a suspect is trying to evade surveillance; but by allowing them to be placed on any suspect in any investigation that has some foreign intelligence component, Congress could expose a lot of innocent communications to government scrutiny. If, for example, your colleague is a target of a fisa investigation, the government could tap all your communications on a shared phone, work computer, or public library terminal.

The Anti-Terrorism Act also gives the government broad access to financial records, business records, and credit reports that are relevant to an investigation involving foreign intelligence--even when the people whose records are being examined are not themselves agents of a foreign power. And it allows domestic law enforcement authorities and foreign intelligence investigators to share secret grand jury information collected as part of a domestic criminal investigation. The logic for the constitutionality of fisa was always that the extraordinary powers it gave law enforcement were limited to foreign intelligence-gathering, not domestic law enforcement. By changing that balance, the new bill could make fisa vulnerable to constitutional challenge.

But at the same time that it unnecessarily expands law enforcement's power to investigate low-level crimes, the Anti-Terrorism Act does little to address immediate terrorist threats. Imagine the scenario I described earlier, in which the FBI receive an anonymous tip that a red van has just dumped biological weapons in the Central Park reservoir. Surely law enforcement officials should have the right to search red vans in the area, even if the tip turns out to be false. But the Supreme Court held last year that random searches designed to investigate crime were unconstitutional. Cars couldn't be stopped and briefly surrounded by drug-sniffing dogs, the Court held, because random car searches could only be justified for reasons that had nothing to do with the investigation of crime, such as promoting highway safety by checking cars for drunk drivers. One solution, suggested by Stephen Saltzburg of the George Washington University Law School, would be to empower the attorney general personally to authorize searches in emergency situations that don't meet ordinary constitutional standards. (When an immediate decision has to be made, this authority might be delegated to an officer on the scene.) "Rather than rely on judges, whom I think are in no position to respond to a requirement for immediate action," says Saltzburg, "the attorney general could be required to report within a short period of time to a select committee of Congress, which would have the authority to expand or restrict the scope of the searches." But the Anti-Terrorism Act doesn't do anything of the kind.

Throughout the twentieth century, law enforcement overreacted to the concerns of the moment in ways that had sweeping, unintended consequences. In the 1970s the Supreme Court and Congress unnecessarily restricted domestic intelligence-gathering because of fears about the Nixon administration's abuses. In the '80s and '90s, the Court and Congress expanded the government's power to investigate low-level drug crimes, which led some minority citizens to feel like they were living in a police state. Unfortunately, the Court and Congress have gotten out of the habit of balancing the invasiveness of the search against the seriousness of the crime. If, in the wake of last month's attacks, Congress increases surveillance powers for the most serious crimes, it may increase our security from terrorism. But if it thoughtlessly expands surveillance authority across the board, it will threaten individual privacy without giving government the tools it needs to respond to genuine emergencies. And so we will be less free, but no more safe, than we were before September 11.