THE GEORGE WASHINGTON UNIVERSITY LAW SCHOOL
PUBLIC LAW AND LEGAL THEORY WORKING PAPER NO. 043

INTERNET SURVEILLANCE LAW AFTER THE USA PATRIOT ACT: THE BIG BROTHER THAT ISN’T

Orin S. Kerr

This paper can be downloaded without charge from the Social Science Research Network Electronic Paper Collection: http://ssrn.com/abstract=317501
Copyright 2003 by Northwestern University School of Law
Printed in U.S.A.
Northwestern University Law Review, Vol. 97, No. 2, page 607

INTERNET SURVEILLANCE LAW AFTER THE USA PATRIOT ACT: THE BIG BROTHER THAT ISN’T

Orin S. Kerr∗

INTRODUCTION

Following the September 11 terrorist attacks on New York and Washington, Congress rushed into action and quickly passed antiterrorism legislation known as the USA Patriot Act.1 The Patriot Act has been widely understood as a “sweeping”2 antiterrorism law that gave the government “vast new powers”3 to conduct electronic surveillance over the Internet. The Act’s surveillance provisions proved so controversial that Congress added a sunset provision that will nullify several of its key provisions after four years, on December 31, 2005.4 To many legislators, the vast law enforcement authorities unleashed by the Patriot Act seemed too dangerous to extend indefinitely.5

The Patriot Act triggered tremendous anxiety in part because few understood exactly what it did. At the time of its passage, even many key legislators seemed to have little idea of the laws governing electronic surveillance, both before the Patriot Act and following it.6 Did the Act go too far? How much privacy did Internet users have, and how much were they giving away? No one seemed to know, and because the legislation rushed through Congress with remarkable speed,7 little in the way of Committee reports or other legislative history existed to help explain it.8 Most commentators simply assumed the worst: they sensed that Internet users probably had very little privacy online before the Patriot Act, and that the Patriot Act bargained away whatever precious drops of privacy they had left.9

This Article argues that the common wisdom on the USA Patriot Act is incorrect. The Patriot Act did not expand law enforcement powers dramatically, as its critics have alleged. In fact, the Patriot Act made mostly minor amendments to the electronic surveillance laws. Many of the amendments merely codified preexisting law. Some of the changes expanded law enforcement powers, but others protected privacy and civil liberties. Several of the most controversial amendments may actually increase privacy protections, rather than decrease them. Most importantly, none of the changes altered the basic statutory structure of electronic surveillance law created by the Electronic Communications Privacy Act of 1986.10 While critics of the Patriot Act have rightly insisted that the government should have no more surveillance power than it needs, they have failed to see that the Patriot Act generally offers a balanced approach that in some ways protects civil liberties more than the laws it replaced. The Patriot Act is hardly perfect, but it is not the Big Brother law that many have portrayed it to be.

∗ Associate Professor, George Washington University Law School. From the fall of 1998 until the summer of 2001, I was a lawyer in the Computer Crime and Intellectual Property Section of DOJ’s Criminal Division. My experience at DOJ included working with the Internet surveillance laws that existed before the Patriot Act. I also commented on and helped draft the legislative proposals to amend those laws, including some proposals that influenced portions of what later became the Patriot Act. I hope that my familiarity with these laws from my time in government will shed light that outshines the occasionally myopic effect of personal experience. All of the views expressed in this Article are solely my own and do not reflect the positions of the Department of Justice. Thanks to Peter Swire, Steve Saltzburg, Beryl Howell, Jeffrey Rosen, Dan Solove, Lee Tien, Peter Raven-Hansen, Cynthia Lee, Jon Molot, and Mark Eckenwiler for commenting on earlier drafts. All errors remain my own.
1 See Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA Patriot Act) of 2001, Pub. L. No. 107-56, 115 Stat. 272. The formal title is the “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA Patriot Act) Act of 2001.” Id. The awkward name of the USA Patriot Act derives from its legislative history: the Act combines elements of two antiterrorism bills, the Senate’s USA Act, Senate Bill 1510, and the House of Representatives’ Patriot Act, House Bill 2975. The Senate approved the “Uniting and Strengthening America Act” (or “USA” Act) by a vote of 96 to 1 on October 11, 2001. The House approved the “Provide Appropriate Tools Required to Intercept and Obstruct Terrorism Act” (or “Patriot” Act), by a vote of 337 to 79 on October 12, 2001. The final bill started with the basic framework of the Senate bill and then added many of the components of the House bill to create a compromise bill that combined both titles to create the USA Patriot bill. The USA Patriot bill was approved by the House on October 24th by a vote of 356 to 66, passed the Senate on October 25th by a vote of 98 to 1, and was signed by President Bush on October 26th. For simplicity’s sake, I will refer to the final enacted law as the “USA Patriot Act,” “the Patriot Act,” or simply “the Act.”
2 Jesse J. Holland, New Powers To Fight New Threat; Bush Vows Stiff Enforcement of Anti-Terrorism Laws, SEATTLE TIMES, Oct. 26, 2001, at A1.
3 Id.
4 See Uniting and Strengthening America by Providing Appropriate Tools Required To Intercept and Obstruct Terrorism (USA Patriot Act) Act of 2001, Pub. L. No. 107-56, § 224, 115 Stat. 272, 295 (“[T]his title and the amendments made by this title . . . shall cease to have effect on December 31, 2005.”). This so-called sunset provision does not apply to all of the Patriot Act’s amendments involving electronic surveillance: it applies to about half of the provisions. See id. (explaining the sections to which the sunset provision does not apply).
5 See Adam Clymer & Robin Toner, A Nation Challenged: The House: Vote Approves New Powers for Antiterror Investigators, N.Y. TIMES, Oct. 18, 2001, at B9.
6 See Editorial, Stampeded in the House, WASH. POST, Oct. 16, 2001, at A22 (noting that when the House voted on House Bill 2975 on October 12, 2001, “all manner of members of both parties complained they had no idea what they were voting on, were fearful that aspects of the . . . bill went too far—yet voted for it anyway”).
7 The Bush Administration introduced its proposed Anti-Terrorism Act on September 19, 2001, just eight days after the attacks. President Bush signed the Patriot Act on October 26, 2001. See Martha Mendoza, New Anti-Terror Law Brings Consternation; Security: Officials and Lawyers Try To Decipher Complex Provisions, Federal Guidance Is in Short Supply, L.A. TIMES, Dec. 16, 2001, at A4.
8 The only existing Committee Report is the House Judiciary Committee’s Report on House Bill 2975. See H.R. REP. NO. 107-236 (2001), available at ftp://ftp.loc.gov/pub/thomas/cp107/hr236p1.txt.
9 See infra notes 68–79.
10 Pub. L. No. 99-508, §§ 101–11, 100 Stat. 1848, 1848–59
97607(2003) Internet Surveillance Law After the Usa Patriot Act This Article will explain how and why the conventional wisdom about the Patriot Act misses the mark. It begins by explaining what Internet sur- veillance is and how it works, which provides some guidance for unde standing how Congress has decided to regulate it. It then applies this framework to study three of the major criticisms of the Patriot Act. This pproach unfortunately sacrifices breadth for depth, but it allows us to see ow misconceptions about both the law and technology of the Internet has led to significant misunderstandings about Internet surveillance law and the effect of the USA Patriot Act The argument proceeds in four Parts. Part I explains the basic frame- work of network surveillance law that governs any communications net work. It classifies the types of laws employed to govern the surveillance of communications networks such as the postal system, the telephone, and the Internet using a series of dichotomies. Once a framework has been devel oped, it is then possible to articulate an entire set of surveillance laws for each network and make comparisons across different technologies. This Part also explains how Internet surveillance includes both email and packet- level surveillance, and how laws that govern Internet surveillance must grapple with both levels of surveillance Part II considers the highly controversial pen register amendments the Patriot Act. These amendments apply a privacy law originally designed for the telephone to the Internet. The amendments have been widely criti- cized on the ground that they granted the government sweeping powers to investigate crime involving the Internet. After explaining why Internet sur- veillance is primarily governed by statutory law, rather than the constitu- tional protections of the Fourth Amendment, Part II argues that the criticisms of the pen register amendments are unfounded. 
The pen register amendments merely reaffirmed preexisting practice, and if anything proba- bly increased privacy protections afforded to Internet communications, rather than decreased them Part Ill studies the Patriot Acts impact on the fBI Internet surveillance tool popularly known as"Carnivore. The Patriot Act has received broad criticism for expanding the use of Carnivore, which itself has been por trayed as a dangerous tool that enables the Fbi to invade privacy online This Part argues that the public understanding of Carnivore has it largely backwards. The analysis explains how surveillance tools such as Carnivore work, and how Carnivore was itself designed to protect privacy and to en- sure compliance with court orders, not invade privacy in an effort to cir- cumvent judicial review. The Part explains that the Patriot Act did not expand the use of Carnivore, but rather added new regulations on its use Part Iv analyzes the new computer trespasser exception to the wire tap Act. The trespasser exception has drawn criticism for weakening th retap Acts privacy protections in cyberspace. The analysis explains ow the Wiretap Act applies to the Internet, and how the application of this law designed for the telephone to the Internet creates the need for a tres- 609
97:607 (2003) Internet Surveillance Law After the USA Patriot Act 609 This Article will explain how and why the conventional wisdom about the Patriot Act misses the mark. It begins by explaining what Internet surveillance is and how it works, which provides some guidance for understanding how Congress has decided to regulate it. It then applies this framework to study three of the major criticisms of the Patriot Act. This approach unfortunately sacrifices breadth for depth, but it allows us to see how misconceptions about both the law and technology of the Internet has led to significant misunderstandings about Internet surveillance law and the effect of the USA Patriot Act. The argument proceeds in four Parts. Part I explains the basic framework of network surveillance law that governs any communications network. It classifies the types of laws employed to govern the surveillance of communications networks such as the postal system, the telephone, and the Internet using a series of dichotomies. Once a framework has been developed, it is then possible to articulate an entire set of surveillance laws for each network and make comparisons across different technologies. This Part also explains how Internet surveillance includes both email and packetlevel surveillance, and how laws that govern Internet surveillance must grapple with both levels of surveillance. Part II considers the highly controversial pen register amendments to the Patriot Act. These amendments apply a privacy law originally designed for the telephone to the Internet. The amendments have been widely criticized on the ground that they granted the government sweeping powers to investigate crime involving the Internet. After explaining why Internet surveillance is primarily governed by statutory law, rather than the constitutional protections of the Fourth Amendment, Part II argues that the criticisms of the pen register amendments are unfounded. 
The pen register amendments merely reaffirmed preexisting practice, and if anything probably increased privacy protections afforded to Internet communications, rather than decreased them. Part III studies the Patriot Act’s impact on the FBI Internet surveillance tool popularly known as “Carnivore.” The Patriot Act has received broad criticism for expanding the use of Carnivore, which itself has been portrayed as a dangerous tool that enables the FBI to invade privacy online. This Part argues that the public understanding of Carnivore has it largely backwards. The analysis explains how surveillance tools such as Carnivore work, and how Carnivore was itself designed to protect privacy and to ensure compliance with court orders, not invade privacy in an effort to circumvent judicial review. The Part explains that the Patriot Act did not expand the use of Carnivore, but rather added new regulations on its use. Part IV analyzes the new “computer trespasser” exception to the Wiretap Act. The trespasser exception has drawn criticism for weakening the Wiretap Act’s privacy protections in cyberspace. The analysis explains how the Wiretap Act applies to the Internet, and how the application of this law designed for the telephone to the Internet creates the need for a tres-
NORTHWESTERN UNIVERSITY LAW REVIEW asser exception. The Part also explains how the trespasser exception probably expands Internet privacy protections, rather than reduces them, by implicitly minimizing the scope of other exceptions to the wiretap Act tha otherwise could have been read to eviscerate privacy protections online . A GENERAL FRAMEWORK OF NETWORK SURVEILLANCE LAW Communications networks are a defining feature of modern life. I1 Hundreds of millions of Americans use the postal system, the telephone network. and the Internet to communicate with each other. 12 Although these technologies differ from each other in important ways, they share a common function: they are all global communications networks that allow users to send receive and store information Unfortunately, communications networks also provide a stage for the commission of criminal acts. 3 Networks can be used by criminals to con other conspirators, deliver threats, further frauds, or engage in countless tact co- iminal activities 14 When communications networks are used to fur- ther crimes, the network itself becomes a crime scene. Telephone records, stored emails, and undelivered packages can contain important clues for law enforcement. Much like a physical neighborhood, the networks themselves become surveillance zones, complete with criminals seeking to evade detec tion and police trying to catch them The goal of this Part is to offer a taxonomy of network surveillance law. A basic framework is necessary to understand the legal rules that ap ply to the surveillance of communications networks such as the Internet, the postal network, or the telephone network. The framework allows us to ap preciate the relationship between the different types of surveillance that can occur in a network, as well as to compare how the rules differ across differ See generally MANUEL CASTELLS, THE RISE OF THE NETWORK SOCIETY (2000); FRANCES CAIRNCROSS. 
THE DEATH OF DISTANCE: HOW THE COMMUNICATIONS REVOLUTION WILL CHANGE See CASTELLS, supra note 11, at 6-10 13 See Michael Edmund O Neill, Old Crimes in New Bottles: Sanctioning Cybercrime, 9 GEO MASON L REV. 237, 242-52(2000)(reviewing different types of Internet crimes). For more specific amples of how computer networks can be used to commit crimes, see Gretchen Morgenson, S.E.C. Says Teenager Had After-School Hobby: Online Stock Fraud, N.Y. TIMES, Sept. 21, 2000, at Al(usin computer networks to commit securities fraud): CYBERSTALKING: A NEW CHALLENGE FOR LAW ENFORCEMENT AND INDUSTRY (1999)(use of computer networks to engage in stalking available ar http://www.usdojgov/criminal/cybercrime/cyberstalking.htm(lastmodifiedOct.18,1999) e. g, United States v. Cohen, 260 F3d 68(2d Cir, 2001)(use of the Internet to gamble on events), PHILIP JENKINS, BEYOND TOLERANCE: CHILD PORNOGRAPHY ON THE INTERNET(200 the Internet to collect child pornography) See generally Scott Charney Kent Alexander, Computer Crime, 45 EMORY L.J. 931(1996) 15 See U.S. DEPT OF JUSTICE, SEARCHING AND SEIZING COMPUTERS AND OBTAINING EVIDENCE IN CRIMINAL INVESTIGATIONS, at vil(2001)[hereinafter CCIPS MANUAL]("The dramatic increase in mputer-related crime requires prosecutors and law enforcement agents to understand how to obtain lectronicevidencestoredincomputers"),availableatwww.cybercrimegov/searchmanual.wpd 610
N O R T H W E S T E R N U N I V E R S I T Y L A W R E V I E W 610 passer exception. The Part also explains how the trespasser exception probably expands Internet privacy protections, rather than reduces them, by implicitly minimizing the scope of other exceptions to the Wiretap Act that otherwise could have been read to eviscerate privacy protections online. I. A GENERAL FRAMEWORK OF NETWORK SURVEILLANCE LAW Communications networks are a defining feature of modern life.11 Hundreds of millions of Americans use the postal system, the telephone network, and the Internet to communicate with each other.12 Although these technologies differ from each other in important ways, they share a common function: they are all global communications networks that allow users to send, receive, and store information. Unfortunately, communications networks also provide a stage for the commission of criminal acts.13 Networks can be used by criminals to contact co-conspirators, deliver threats, further frauds, or engage in countless other criminal activities.14 When communications networks are used to further crimes, the network itself becomes a crime scene.15 Telephone records, stored emails, and undelivered packages can contain important clues for law enforcement. Much like a physical neighborhood, the networks themselves become surveillance zones, complete with criminals seeking to evade detection and police trying to catch them. The goal of this Part is to offer a taxonomy of network surveillance law. A basic framework is necessary to understand the legal rules that apply to the surveillance of communications networks such as the Internet, the postal network, or the telephone network. 
The framework allows us to appreciate the relationship between the different types of surveillance that can occur in a network, as well as to compare how the rules differ across differ- 11 See generally MANUEL CASTELLS, THE RISE OF THE NETWORK SOCIETY (2000); FRANCES CAIRNCROSS, THE DEATH OF DISTANCE: HOW THE COMMUNICATIONS REVOLUTION WILL CHANGE OUR LIVES (1997). 12 See CASTELLS, supra note 11, at 6–10. 13 See Michael Edmund O’Neill, Old Crimes in New Bottles: Sanctioning Cybercrime, 9 GEO. MASON L. REV. 237, 242–52 (2000) (reviewing different types of Internet crimes). For more specific examples of how computer networks can be used to commit crimes, see Gretchen Morgenson, S.E.C. Says Teenager Had After-School Hobby: Online Stock Fraud, N.Y. TIMES, Sept. 21, 2000, at A1 (using computer networks to commit securities fraud); CYBERSTALKING: A NEW CHALLENGE FOR LAW ENFORCEMENT AND INDUSTRY (1999) (use of computer networks to engage in stalking), available at http://www.usdoj.gov/criminal/cybercrime/cyberstalking.htm (last modified Oct. 18, 1999); see also, e.g., United States v. Cohen, 260 F.3d 68 (2d Cir. 2001) (use of the Internet to gamble on sporting events); PHILIP JENKINS, BEYOND TOLERANCE: CHILD PORNOGRAPHY ON THE INTERNET (2001) (use of the Internet to collect child pornography). 14 See generally Scott Charney & Kent Alexander, Computer Crime, 45 EMORY L.J. 931 (1996). 15 See U.S. DEP’T OF JUSTICE, SEARCHING AND SEIZING COMPUTERS AND OBTAINING EVIDENCE IN CRIMINAL INVESTIGATIONS, at vii (2001) [hereinafter CCIPS MANUAL] (“The dramatic increase in computer-related crime requires prosecutors and law enforcement agents to understand how to obtain electronic evidence stored in computers.”), available at www.cybercrime.gov/searchmanual.wpd
97:607(2003) Internet Surveillance Law After the Usa Patriot Act ent networks. As the framework illustrates the basic contours of surveil ance law for any communications network involves only a small number of questions, which correspond to the"what, "who, "when, and"how"of thea cting evidence from the network. What kind of information exists in network? Who collects it how and under what circumstances? By illustrating these principles in the context of three network tech- nologies-the Internet, the telephone system, and the postal system-this Part demonstrates that similar surveillance issues arise in each network in- tly of the technology involved. Different technologies may merit different answers to these questions, of course, but the basic questions main the same. 6 The analysis starts with the "what, "moves next to the who. turns to the "when " and then concludes with the "how A. Envelope Information Versus Content Information("What") The fundamental purpose of a communications network is to send and receive communications. As a result, every communications network fea tures two types of information: the contents of communications, and the ddressing and routing information that the networks use to deliver the con- tents of communications The former is"content information and the lat ter is"envelope information The essential distinction between content and envelope information remains constant across different technologies, from postal mail to email With postal mail, the content information is the letter itself, stored safely in side its envelope. The envelope information is the information derived from the outside of the envelope, including the mailing and return ad dresses, the stamp and postmark, and the size and weight of the envelope when sealed 17 Similar distinctions exist for telephone conversations. The content in- formation for a telephone call is the actual conversation between partici pants that can be captured by an audio recording of the call. 
8 The envelope information includes the number the caller dials the number from which the caller dials, the time of the call, and its duration. This calling informa- tion is not visible in the same way that the envelope of a letter is, but it equates roughly with the information derived from the envelope of a letter In both cases, the envelope information contains to-and-from addressin data about the time the communication was sent and information about th I7 See 39.F R.8 233.3(ck1)(2002)(articulating an administrative procedure for obtaining cover, which is defined as"the process by which a nonconsensual record is made of any data on the outside cover of any sealed or unsealed class of mail matter, or by which a record is ma contents of any unsealed class of mail matter as allowed by law) See 18 U.S.C.A.$ 2510(8)(West Supp. 2002)(defining the"contents"of a on"as"any information concerning the substance, purport, or meaning of that communication") 611
97:607 (2003) Internet Surveillance Law After the USA Patriot Act 611

ent networks. As the framework illustrates, the basic contours of surveillance law for any communications network involve only a small number of questions, which correspond to the “what,” “who,” “when,” and “how” of collecting evidence from the network. What kind of information exists in the network? Who collects it, how, and under what circumstances? By illustrating these principles in the context of three network technologies—the Internet, the telephone system, and the postal system—this Part demonstrates that similar surveillance issues arise in each network independently of the technology involved. Different technologies may merit different answers to these questions, of course, but the basic questions remain the same.16 The analysis starts with the “what,” moves next to the “who,” turns to the “when,” and then concludes with the “how.”

A. Envelope Information Versus Content Information (“What”)

The fundamental purpose of a communications network is to send and receive communications. As a result, every communications network features two types of information: the contents of communications, and the addressing and routing information that the networks use to deliver the contents of communications. The former is “content information,” and the latter is “envelope information.”

The essential distinction between content and envelope information remains constant across different technologies, from postal mail to email. With postal mail, the content information is the letter itself, stored safely inside its envelope. The envelope information is the information derived from the outside of the envelope, including the mailing and return addresses, the stamp and postmark, and the size and weight of the envelope when sealed.17

Similar distinctions exist for telephone conversations. The content information for a telephone call is the actual conversation between participants that can be captured by an audio recording of the call.18 The envelope information includes the number the caller dials, the number from which the caller dials, the time of the call, and its duration. This calling information is not visible in the same way that the envelope of a letter is, but it equates roughly with the information derived from the envelope of a letter. In both cases, the envelope information contains to-and-from addressing, data about the time the communication was sent, and information about the

16 See Joseph H. Sommer, Against Cyberlaw, 15 BERKELEY TECH. L.J. 1145, 1147 (2000).
17 See 39 C.F.R. § 233.3(c)(1) (2002) (articulating an administrative procedure for obtaining a “mail cover,” which is defined as “the process by which a nonconsensual record is made of any data appearing on the outside cover of any sealed or unsealed class of mail matter, or by which a record is made of the contents of any unsealed class of mail matter as allowed by law”).
18 See 18 U.S.C.A. § 2510(8) (West Supp. 2002) (defining the “contents” of a “wire communication” as “any information concerning the substance, purport, or meaning of that communication”).
NORTHWESTERN UNIVERSITY LAW REVIEW 612

communication’s size and length.19

These principles translate to the Internet quite readily in the case of email. The content information for an email is the message in the body of the email itself, much like the phone conversation or the letter in the envelope. The email also carries addressing information in a “mail header.” Mail headers are digital postmarks that accompany every email and carry information about the delivery of the mail.20 Many email programs show users only some of this information by default, but can be configured to reveal the full mail header.21 A full mail header looks something like this:

FIGURE 1: FULL MAIL HEADER

Received: from SpoolDir by NLCMAIN (Mercury 1.48); 25 Oct 01 20:56:41 EST/EDT
Return-path:
Received: from mail2.panix.com (166.84.0.213) by main.nlc.gwu.edu (Mercury 1.48) with ESMTP; 25 Oct 01 20:56:40 EST/EDT
Received: from panix3.panix.com (panix3.panix.com [166.84.1.3]) by mail2.panix.com (Postfix) with ESMTP id 272278F14 for ; Thu, 25 Oct 2001 20:56:01 -0400 (EDT)
Received: (from eck@localhost) by panix3.panix.com (8.11.3nb1/8.8.8/PanixN1.0) id f9Q0u1d15137 for okerr@main.nlc.gwu.edu; Thu, 25 Oct 2001 20:56:01 -0400 (EDT)
From:
Message-Id:
Subject:
To: okerr@main.nlc.gwu.edu (Kerr, Orin)
Date: Thu, 25 Oct 2001 20:51:01 -0400 (EDT)
In-Reply-To: from “Kerr, Orin” at Oct 25, 2001 08:47:28 PM
X-Mailer: ELM [version 2.5 PL6]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-PMFLAGS: 35127424 0 1 Y08B38.CNM

19 This information is generally known as “pen register” and “trap and trace” information. See infra notes 99–104.
20 See ADAM GAFFIN, THE BIG DUMMY’S GUIDE TO THE INTERNET ch. 6 (“Just as the postal service puts its marks on every piece of mail it handles, so do Net postal systems. Only it’s called a ‘header’ instead of a postmark.”), at http://www.cs.indiana.edu/docproject/bdgtti/bdgtti_6.html (last visited Feb. 4, 2003).
21 See id.
This gobbledygook is a mail header that was generated from an email sent to my George Washington University email account on October 25, 2001 from the email address “eck@panix.com.” Each of the lines in the mail header has specific meaning, and when read together, tells a story about the message, how it was processed, and how and when the network directed it from its origin to its destination.22 Notice that the mail header above does not contain a subject line: although subject lines appear in the mail header, they are generally recognized as content.23 Viewed as a whole, the email header (minus the subject line) provides information about the email that is roughly analogous to the routing information in other communication networks.

However, there is much more to Internet surveillance than email. In fact, only a small fraction of the Internet’s traffic involves human-to-human communications such as email messages. Most Internet communications are communications between humans and computers, such as World-Wide-Web pages in transit, commands sent to remote servers, and file transfers.24 Many others are computer-to-computer communications, such as network administrative traffic that keeps the Internet running smoothly.25 These communications can provide evidence of crime in the same manner as email. For example, the government may wish to monitor a computer hacker by watching and recording the commands he sends to the computers he has hacked. These commands do not involve email, but instead consist of commands sent directly to the victim computer.26 A complete understanding of Internet surveillance must go beyond email surveillance to encompass the surveillance of human-to-computer and computer-to-computer communications.

To understand how the envelope-content distinction applies to human-to-computer and computer-to-computer communications, it helps to understand a few details about how the Internet works. The Internet is a “packet switched” network, which means that every communication sent over the Internet is broken down into individual packets.27 These packets are the cyber equivalent of letters between two computers, each containing about one page of information and are sent across the Internet to their destination.28 Computers communicate with each other by sending and receiving packets of information across the Internet.29

Surveilling the Internet at the packet level provides a second way of conducting Internet surveillance that can be considered distinct from email surveillance. Like other forms of surveillance, packet surveillance divides into envelope information and content information. When a computer sends information across the Internet, it breaks the communication into packets and creates a “packet header”30 to direct the packet to its destination. The packet header contains addressing information, such as the to and from Internet addresses of the two computers, often referred to as the Internet Protocol addresses, or simply IP addresses,31 as well as information about what kind of packet it is (e.g., part of a web page, part of a picture file).32 When the packet arrives at its destination, the receiving computer discards the packet header and keeps the original message. At the packet level, this message is the content information in the packet, generally referred to as the packet’s “payload.”33

Some communications, such as web pages in transit, typically are “packetized” only once: the host computer creates the packets, and the destination computer discards the packet headers and reassembles the original file when the packets arrive. Other communications can be packetized several times over in the course of delivery. For example, an email may be broken down into packets and reassembled into the original email a few times on its trip from sender to receiver.

While I don’t wish to lose technophobic readers, it helps to understand the basic relationship between email surveillance and packet surveillance. Email surveillance is a subset of packet surveillance, in that while an email travels across the Internet, both the envelope and content information of emails travel across the Internet as payloads of individual packets. Obtaining content information at the packet level for a packet that happens to carry an email message may yield either envelope information for the email (the email header), or content information (the email itself), or both (in the case of a short email that can fit the entire header and message on one packet). Consider a medium-length email that is divided into three packets. The first

22 For example, the email was sent at 8:51 p.m. and was received at 8:56 p.m. For more on how to read email headers, see, for example, Reading Email Headers, at http://www.stopspam.org/email/headers/headers.html (last visited Feb. 4, 2003).
23 See CCIPS MANUAL, supra note 15, at 148.
24 See PRESTON GRALLA, HOW THE INTERNET WORKS (Greg Wiegand et al. eds., 1999).
25 See id. at 13.
26 See, e.g., United States v. Seidlitz, 589 F.2d 152, 154–55 (4th Cir. 1978) (explaining how a recording device can be used to monitor commands entered by a computer hacker unauthorized to use a network).
27 See GRALLA, supra note 24, at 13.
28 See id.
29 See id. at 14–15 (explaining the packet-based nature of Internet communications). Consider web surfing. When an Internet user types in a website address into a browser, the computer sends out packets to the remote computer that hosts the website. These packets contain requests for the remote computer to send back the contents of the website. See id. at 140–45 (explaining how web pages work). The remote computer then sends back several packets that together contain the contents of the web page, and the user’s computer reassembles them and presents him with the web page requested. Although it appears to the user as though he is “visiting” the website, the computers achieve this appearance through a complex exchange of packets across the Internet.
30 See id. at 34–38.
31 See BRENDAN P. KEHOE, ZEN AND THE ART OF THE INTERNET 5 (4th ed. 1996) (explaining IP addresses). IP addresses consist of a set of four numbers, each from 0 to 255, linked with a period. So, for example, an IP address might be 123.9.232.87. See id.
32 See VINCENZO MEDILLO ET AL., A GUIDE TO TCP/IP NETWORKING (1996) (“IP’s job is simply to find a route for the datagram and get it to the other end. In order to allow routers or other intermediate systems to forward the datagram, it adds its own header. The main things in this header are the source and destination IP address, the protocol number, and another checksum.”), available at http://www.ictp.trieste.it/~radionet/nuc1996/ref/tcpip/ (last visited Feb. 4, 2003).
33 See id.
packet will start with the packet header, which is needed to deliver the packet to the recipient’s server, and then will contain a payload that consists of both the mail header and then the beginning of the email’s contents. The second packet then starts with its own packet header, followed by a payload that consists of the next portion of the email’s contents. The third packet comes last, and consists of a packet header and then the last portion of the email.34 When the email arrives at its destination, the server will shed the packet headers and reassemble the email into the mail header and the contents of the email.

The following table summarizes the envelope and content information for the four types of communications network surveillance:

TABLE 1: ENVELOPE AND CONTENT INFORMATION FOR POSTAL MAIL, TELEPHONE CALLS, EMAILS, AND INTERNET PACKETS

| SURVEILLANCE TYPE | ENVELOPE INFORMATION | CONTENT INFORMATION |
| --- | --- | --- |
| Postal Mail | 1) To, from mailing address of a letter 2) Postmark, stamp 3) Color, size, weight of package | The contents of the letter |
| Telephone | 1) To, from telephone numbers for a call | The contents of the telephone |
| Email | 1) To, from email address for an email 2) Mail header info (length of email, digital postmarks) minus the subject line | The contents of the email, including the subject line |
| Internet Packets | 1) To, from IP addresses 2) Remaining packet header information (length of packet, type of traffic) | Payload of the packet (the contents of any communication between two computers) |

34 Notably, each packet includes its own number, so that the different packets can arrive at different times to their destination and the computer at the destination will be able to reassemble them into the original communication. See GRALLA, supra note 24, at 13.
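The Python sketch below is an added illustration, not part of the original article. It applies Table 1's envelope/content split first to an email and then to the three packets that carry it, showing that a packet's payload (packet-level content) can hold the mail header (email-level envelope). The message, the addresses, the function names and the simplified packet header (source, destination, packet number, length) are assumptions made for the example; the header is not the real IP header layout.

```python
import struct
from email import message_from_bytes
from ipaddress import IPv4Address

# Constructed sample message; names and addresses are reserved example values.
RAW_EMAIL = (
    b"Received: from relay.example.net (192.0.2.10) by mx.example.edu;"
    b" Thu, 25 Oct 2001 20:56:40 -0400\r\n"
    b"From: sender@example.net\r\n"
    b"To: recipient@example.edu\r\n"
    b"Date: Thu, 25 Oct 2001 20:51:01 -0400\r\n"
    b"Subject: Meeting notes\r\n"
    b"\r\n"
    + b"This sentence stands in for the body of a medium-length email. " * 10
)

# Assumed simplified packet header: source, destination, number, length.
HEADER = struct.Struct("!4s4sHH")


def split_email(raw):
    """Email level: headers minus Subject are envelope; Subject and body are content."""
    msg = message_from_bytes(raw)
    envelope = [(k, v) for k, v in msg.items() if k.lower() != "subject"]
    content = {"subject": msg["Subject"], "body": msg.get_payload()}
    return envelope, content


def packetize(raw, src, dst, payload_size):
    """Break a message into numbered packets, each with its own header."""
    packets = []
    for number, start in enumerate(range(0, len(raw), payload_size)):
        payload = raw[start:start + payload_size]
        header = HEADER.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                             number, len(payload))
        packets.append(header + payload)
    return packets


def split_packet(packet):
    """Packet level: the header is envelope, the payload is content."""
    src, dst, number, length = HEADER.unpack(packet[:HEADER.size])
    envelope = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
                "number": number, "length": length}
    return envelope, packet[HEADER.size:HEADER.size + length]


def payload_kinds(packets, raw):
    """For packets in sending order, list what email-level data each payload holds."""
    header_end = raw.index(b"\r\n\r\n") + 4  # blank line ends the mail header
    kinds, offset = [], 0
    for packet in packets:
        envelope, payload = split_packet(packet)
        found = ["mail header"] if offset < header_end else []
        if offset + len(payload) > header_end:
            found.append("email body")
        kinds.append((envelope["number"], found))
        offset += len(payload)
    return kinds


def reassemble(packets):
    """Shed the packet headers and rebuild the message by packet number."""
    parts = sorted((split_packet(p) for p in packets),
                   key=lambda part: part[0]["number"])
    return b"".join(payload for _, payload in parts)


if __name__ == "__main__":
    size = -(-len(RAW_EMAIL) // 3)  # ceiling division gives three packets
    packets = packetize(RAW_EMAIL, "192.0.2.10", "198.51.100.7", size)
    print(payload_kinds(packets, RAW_EMAIL))
    print(reassemble(packets[::-1]) == RAW_EMAIL)
```

Note that the first packet's payload includes the subject line, which the article classifies as content even though it travels inside the mail header.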