Schneier on Security
A blog covering security and security technology.
September 7, 2007
Federal Judge Strikes Down National-Security-Letter Provision of Patriot Act
Article, ACLU press release, some legal commentary, and actual decision.
From the article:
The ACLU had challenged the law on behalf of an Internet service provider, complaining that the law allowed the FBI to demand records without the kind of court supervision required for other government searches. Under the law, investigators can issue so-called national security letters to entities like Internet service providers and phone companies and demand customers' phone and Internet records.
In his ruling, Marrero said much more was at stake than questions about the national security letters.
He said Congress, in the original USA Patriot Act and less so in a 2005 revision, had essentially tried to legislate how the judiciary must review challenges to the law. If done to other bills, they ultimately could all "be styled to make the validation of the law foolproof."
Noting that the courthouse where he resides is several blocks from the fallen World Trade Center, the judge said the Constitution was designed so that the dangers of any given moment could never justify discarding fundamental individual liberties.
He said when "the judiciary lowers its guard on the Constitution, it opens the door to far-reaching invasions of liberty."
Regarding the national security letters, he said, Congress crossed its boundaries so dramatically that to let the law stand might turn an innocent legislative step into "the legislative equivalent of breaking and entering, with an ominous free pass to the hijacking of constitutional values."
He said the ruling does not mean the FBI must obtain the approval of a court prior to ordering records be turned over, but rather must justify to a court the need for secrecy if the orders will last longer than a reasonable and brief period of time.
Note that the judge immediately stayed his decision, pending appeal.
EDITED TO ADD (9/9): More legal commentary.
Posted on September 7, 2007 at 10:05 AM
• 17 Comments
This is nearly off-topic, but I think we can draw some security-related conclusions from this piece of news:
In short, Comcast has cut off their Internet service to customers who have been downloading "too much" information. Comcast's decision and the way they try to explain it to the journalists are very similar to what politicians and bureaucrats often do when dealing with security issues. One great example:
"Companies have argued that if strict limits were disclosed, customers would use as much capacity as possible without tipping the scale, causing networks to slow to a crawl."
Oh, yes, I love that one. So, in order to prevent people from downloading "too much" data, they simply don't tell people what "too much" is.
Luckily, there are a few sensible people out there:
"Some AT&T customers use disproportionately high amounts of Internet capacity, "but we figure that's why they buy the service," said Michael Coe, a spokesman for the company."
Please remember that those guys at Comcast might one day be in charge of deciding whether to give your Internet usage records to the FBI. What will be their answer?
As far as I can see, the decision doesn't really hobble the present production of NSLs on an industrial scale. It just says that Congress did not have the power to put NSLs beyond judicial review. That's a step in the right direction, but it's a baby step at best.
The post-911 change in the law governing NSLs that turned them from a worry into a major civil rights menace was the streamlining of the authorization process. Prior to the Patriot Act, a senior FBI official -- the Director, or one of the Deputies -- had to sign off on each NSL. A field agent had no authority to write one, and had to go through extremely constricted channels to obtain one. The Patriot Act gave NSL rubber stamps to field agents, who have been busily beavering away ever since, generating NSLs for fun and profit --- about 48,000 per year between 2003 and 2005, which is an average of 5 NSLs/hour (counting evenings and weekends). Presumably there's a Word macro somewhere that streamlines the process to the one-keypress level.
No judge can fix this idiocy. At best the worst abuses can be curbed, or at least those inflicted upon ISPs and telcos that have the spine to appeal, rather than fold. Most will certainly fold. Under the current legal regime, that means that the Feds will be secretly poking through our communications at the unregulated whim of field agents at rates too high to effectively monitor them for legality.
If NSLs are to be tolerable at all in a democracy -- and I would dispute this -- at a minimum, the process for obtaining them has to be restored to the pre-2001 level of constriction. If a judge isn't going to sign off on what is, effectively, a warrant, then we should demand that accountability flow at a minimum to the Director of the FBI. Joe Field Agent should not have this scary level of power.
It seems that there is at least one US judge who has read and understood the constitution.
Patriotism is the last refuge of a scoundrel -- Samuel Johnson
"He said when "the judiciary lowers its guard on the Constitution, it opens the door to far-reaching invasions of liberty." "
So normally judges and justices are busy guarding our liberty, eh? Heh, that's rich. Which dozen or so of hundreds of thousands of example cases from years 1800 through 2006 shall we cite as the most egregious affirmations of reductions in liberty?
Quis custodiet ipsos custodes? The answer is You.
Judge Marrero held the same ruling for the original USA PATRIOT Act, and was asked to review its constitutionality after the 2005 revisions by the 2nd Circuit Court of Appeals.
"Patriotism is the last refuge of a scoundrel." -- Samuel Johnson
"I beg to submit that it is the first." -- Ambrose Bierce
Thank you Judge Marrero!
I'm glad to see we have at least one judge who is not asleep at the wheel.
I am glad some judge has shown some wisdom. It has been sad to witness the downfall of over 200 years of liberty and civil rights within a couple of years.
OT Just wondering, I am not American. So I am a bit confused: is this a satire?
"All Congresses and Parliaments have a kindly feeling for idiots, and a compassion for them, on account of personal experience and heredity."
"It could probably be shown by facts and figures that there is no distinctly native American criminal class except Congress."
- Mark Twain
@Rs: "is this a satire?"
Only the part about clown suits. I have no doubt that the author is very serious about the rest of it.
Deep down, Bush, Cheney, and Rove realize that the judiciary acts as a check on abuses in the other branches. That's why they have systematically packed the federal bench with appointees chosen in accordance with the only criterion they value-- unquestioning loyalty to the Unitary Executive, the Majority Party, and their favored donors.
Judge Marrero obviously was not a Bush appointee. But fear not-- this is only a temporary setback. When the time comes, Cheney will call his duck-hunting buddy Tony and outline an appropriate majority ruling for Chief Justice Roberts to deliver. Then America will be safe again. No liberal judge who hates America will ever surrender this country to terrorists!
Marrero was nominated by Pres. William J. Clinton and confirmed in October 1999.
I like that Mark Twain quote... fitting
Sadly, it is unlikely to do much good, when the same guys breaking the laws are the guys who are supposed to enforce them. All executive branch.
Bruce's recent "An Expectation of Online Privacy" has related info.
A few weeks ago my outbound "POP" email stopped working - all accounts on my wife and my own workstations.
After spending hours ensuring it wasn't a problem with either of my hardware firewalls, DNS, etc, I tried TELNET 25 to several email servers. No connection.
I called Comcast, my ISP. Their solution was to use THEIR smtp.comcast.net servers rather than (my email service)'s SMTP server.
Eventually I realized they meant regardless of my email domain/provider, I must use comcast.net for the smtp gateway. Also, you must use TCP port 587, because they block 25 even to themselves. This also requires you use their logon credentials on your outbound SMTP server, different credentials from your POP server. (Hope your email clients can all do that!)
They are apparently migrating "everyone" to a new service and one feature is no outbound TCP 25 (normal SMTP) traffic. None at all - for anyone.
I'm pretty sure I saw an article a few years back where their spokesperson explicitly said they were doing this to known spammers but would never want to block everyone - or words to that effect.
So, now one of the hugest ISPs is funnelling all their customers' email - even those who don't use Comcast's email - through their own servers "to prevent spam."
Never mind that I can now spoof the "From" as anyone I want (except maybe another comcast.net email user) or that incoming spam is really the recipient's problem.
Good to know the Feds don't need the inconvenience of a warrant to look at my email anymore. My guess is, the Feds have at least one desk permanently assigned to them somewhere in a Comcast facility.
The good news is, I learned my preferred smtp server will now also accept connections on port 587 - with or without encryption - so I can still use it.