What is the USA PATRIOT Act?
A complete rundown of the USA PATRIOT Act and its most controversial sections
Next year will mark the 20th anniversary of one of the most controversial laws in U.S. history. The USA PATRIOT Act was a direct response to the Sept. 11, 2001 terrorist attacks on the U.S.
Signed into law less than two months after 9/11, it expanded the rights of law enforcement and intelligence agencies in the U.S., leading to an unprecedented level of data collection on American citizens and laying the groundwork for Edward Snowden's revelations 12 years later. What did the PATRIOT Act do and why is March 15, 2020 such an important date for the legislation?
The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act began as H.R. 2975 in the House of Representatives and S. 1510 in the Senate. It modified existing law to grant new powers in what lawmakers saw as an emerging battle against terrorism.
While the Act's author has said publicly that it was never intended for bulk data collection, it nevertheless made it easier for law enforcement to cast the net.
"Companies hold a lot of information that can be considered 'tangible things' that they collect from their users," explains James Mariani, an associate at law firm Frankfurt Kurnit Klein & Selz PC. "This information is undeniably useful for investigation, especially at the inception of an investigation when you are casting a wide net and looking for leads."
The legislation amended a swathe of prior laws including the 1986 Electronic Communications Privacy Act. The ECPA had locked down eavesdropping on electronic communications and telephone calls by the U.S. government, carving out specific conditions in which it would be allowed.
Sections 201 and 202 of the PATRIOT Act expanded the list of serious crimes that would warrant government eavesdropping to include computer and terrorist crimes. Under the Act, intentional access to protected government computers is now a crime that can trigger a wiretap application.
Section 209 made it easier to collect voicemail by putting it in the same category as email rather than treating it as a phone call when it came to surveillance. This lowered its standard of protection, making it easier to gather.
Section 210 of the Act added to the kinds of records authorities could subpoena from a communication services provider. It now included records of session times and duration, temporarily assigned network addresses and credit card or bank account numbers.
Section 216 extended pen register and trap and trace orders for electronic communications covering "dialing, routing, addressing, or signalling information". That expanded its coverage to internet communications including email and web surfing. Along with section 219, this section also expands the application of pen register surveillance warrants so any district court could issue them for anywhere else in the country.
Under section 217, the Act also allowed law enforcement agencies to intercept communications with a trespasser in a protected computer system (assuming the system's owner agreed). The definition of a protected computer is one used in interstate or foreign commerce or communication, which really means any internet-connected computer. This hides the surveillance from judicial oversight while, according to the Electronic Privacy Information Center, allowing even file sharers to be watched.
One of the most controversial sections of the PATRIOT Act was section 215, also known as the "tangible things" or "business records" section of the law. This amended the 1978 Foreign Intelligence Surveillance Act (FISA), expanding the kinds of records the FBI could ask a business to provide. These now included books, records and documents. The list was wide enough that it applied to any records relevant to an individual, according to EPIC, including medical and educational records.
The American Library Association criticised this section, warning it allowed the authorities to collect information about people's borrowing habits en masse without any reason to believe that they were engaged in illegal activity. It also introduced a gag order that stopped businesses from mentioning these requests, so if the FBI asked an ISP for a customer's email, it wasn't allowed to let that customer know.
The US government relied on section 215 of the PATRIOT Act when it instigated a mass-surveillance program that hoovered up records of U.S. citizens' phone calls under President Bush in 2002.
According to a class-action lawsuit in 2006, the NSA conspired with AT&T, BellSouth and Verizon to collect and hand over the records. It was followed by an ongoing bulk telephone-metadata collection program authorized by the FISA Court in 2006, which came to light in 2013.
The new measures that the PATRIOT Act introduced were supposed to expire -- U.S. lawmakers called it "sunsetting" -- in 2005. It was renewed then and again in 2011 and then again in the USA Freedom Act on June 2, 2015. That Act was passed in a hurry after the PATRIOT Act provisions sunsetted the day before, crippling the NSA's information-gathering capabilities.
The USA Freedom Act extended section 215's sunset period to December 2019, but to win that concession, supporters of the NSA's surveillance program had to compromise by curtailing the mass collection of phone and internet metadata and limiting the government's data collection to the "greatest extent reasonably practical."
Now, instead of handing it over to the NSA, the phone companies would have to hold onto the call metadata. Government agencies could only query it using specific selectors to limit the number of records gathered.
It was a start, but there's still a long way to go, says Marc Rotenberg, president at EPIC. "[There was] some progress after the Freedom Act, but still 215 requires reforms," he warns.
The EFF and some senators agree. Ron Wyden (D-Oregon) wrote to the Office of the Director of National Intelligence in 2019 asking whether the intelligence community is using section 215 to collect location-based data from citizens' phones or carriers. He said, “If Congress is to reauthorize Section 215 before it expires in December, it needs to know how this law is being interpreted now, as well as how it could be interpreted in the future.” The DNI responded that it hasn't used section 215 in this way yet and hadn't decided if it was appropriate to do so.
The situation is even more complex. In April 2019 the NSA asked the White House for permission to end its mass phone-surveillance program because of the technical complexity involved. The new restrictions seemed to make the program not worth the effort, and the extra-careful handling now required made errors more likely.
The NSA admitted in June 2018 that "technical irregularities" meant it had collected some call data records that it wasn't supposed to.
Nevertheless, the NSA is still arguing for the right to reintroduce the program at a future time, against fierce opposition from lawmakers.
"They are likely hoping that the promise of only using it within tighter and more publicly acceptable constraints (e.g. more clearly linked and relevant to detecting international terrorism) will keep it on the table rather than ending their 'business records' power altogether," says Mariani.
Lawmakers will vote on whether to extend section 215 on March 15, after putting off the decision for 90 days in December. It'll be another landmark date in the USA's long and stormy history of domestic surveillance.