Question: If we are presented with one of the "rubber stamp" subpoenas and the person it pertains to asks if he/she is under investigation, what should we do:
- lie and say no
- say we can't comment
- refer them to our campus Counsel?
David Stack, University of Wisconsin, Milwaukee
Answer: Mr. Stack: I would take the question up with campus counsel no matter what else is right, wrong, constitutional or not about these subpoenas. I will add as an attachment to this document the procedure and protocol we have published at Cornell University. You and any others are free to use it, so long as you cite Cornell. To address your question from a legal perspective, instead of an institutional procedural one, I will add that in time the constitutionality of this legislation will make its way through the courts, and we will know then whether it passes current Fourth Amendment muster, or whether history will have changed the perimeters of Fourth Amendment jurisprudence on the grounds for search and seizure under a pen trap register.
Question: Does the act allow for search warrants to be served from any DOJ order out of our local jurisdiction, (i.e. how do we respond to someone showing up demanding access to our records immediately, as opposed to subpoena)? Gedd Rigler, Embry-Riddle Aeronautical University
Answer: Mr. Rigler: Please don’t be either disappointed or surprised when I answer virtually every question, at least initially, by saying you should take it up with counsel! To elaborate on your questions, I will add that a search warrant allows law enforcement to come in immediately and do a physical search of areas prescribed in the warrant. A search warrant differs from a subpoena in that a subpoena expects the entity to supply law enforcement, or the court, certain information. The Patriot Act would appear to lower the standard for law enforcement to acquire a subpoena for pen registers; it does not change the standard of probable cause for a search. In short, if it is a subpoena, call counsel immediately, not merely for good procedure, but to buy counsel time to work with law enforcement. If it is a search warrant, I recommend not getting in the way of the officers, lest anyone find themselves in ‘cuffs for obstruction, and call your boss and counsel immediately.
Question: Under FISA, does the prohibition against disclosure of FBI action include notifying administrators (Univ. President or Chancellor) and attorney? Gedd Rigler, Embry-Riddle Aeronautical University
Answer: Mr Rigler: No, it does not prohibit that contact at all; in fact, I would imagine it contemplates those internal connections completely. Non-disclosure is aimed primarily at the individual about whom records have been requested, on the theory that if it is a bona fide terrorist investigation, notifying the individual would tip them off about the investigation. The question I raised was one in the case of potential abuse of this avenue, how could one blow the whistle without contemplating institutional, or even personal, liability?
Question: My question is what should we tell the community about the implications of the Patriot Act as it relates to their use of the academy's information technology? The academy has an acceptable use policy and all members of the community know that the academy reserves the right to monitor all electronic communications, that an e-mail is like a post card, etc. But the community has not been put on notice about the rights of the FBI and federal government to access the same information (without even telling the party being investigated that they have been there.) Susan Stott, Phillips Academy Andover
Answer: Ms. Stott: Please do take a look at the attachment of the protocol we have adopted at Cornell. If that does not do the trick, just as a starter to the conversation suited to Phillips, then perhaps you and other IT folks want to consult with counsel and those administrators who have responsibility over policy at your institution and work out a policy/procedure with you and for your office.
Question: We are most interested in the guidelines that Tracy is developing for IT staff in the event that they are approached by law enforcement. When will this be available to ACUTA members? Elizabeth Rodier, Johns Hopkins University
Answer: Ms. Rodier: They are attached, and also available on a current web site, and will be posted on a new web site devoted to the Patriot Act coming out of my office in a week or so.
Question: Our Security Director did have a question about the "no tell" rule of a terrorist investigation. Is there a penalty to the College in the event that a student finds out that he or she is the subject of an investigation? Jane Robertson, Colby College
Answer: Ms. Robertson, either I have not read the legislation deeply enough (always a possibility!) or it is not clear on the penalty for telling under FISA. FISA is essentially a criminal statute, and as such penalties usually involve jail; it would strike me as extremely unusual to have a college administrator jailed or even personally fined under this rule, however, unless that individual demonstrated particular willfulness against the court issuing the order. Under FERPA, the traditional penalty is a restriction of federal funds, although the Supreme Court is currently reviewing two cases that ask whether there is a private right of action under FERPA as well. And of course, most colleges and universities, especially those receiving federal grant monies or Department of Defense funding, don’t like to be on the opposite side of the government in these kinds of cases unless they had a situation that called on first principles and a principled person at the helm.
Question: Could you also ask Dr. Mitrano if she would be willing to share Cornell's policy/procedure for responding to law enforcement requests, once it is complete? Jane Robertson, Colby College
Answer: You got it! (See OIT Procedure and Protocols under the "USA-Patriot Act" Exceptions to the Electronic Communications Privacy Act).
Question: Ms. Mitrano indicated that a clearance policy for requests (and orders) was being developed where she is employed. I would like to receive a copy of that policy.
Also, the Act seems to reference requests from the government and government officials. Does this power extend from the Federal request, all the way down to the level of a city government? Stephen J. Mahler, University of Louisiana At Lafayette
Answer: Good question, Mr. Mahler. Given that the intent of the Patriot Act is to address terrorism, and is therefore a federal matter, I believe that it contemplates federal courts and jurisdiction. For example, the "national subpoena" could only derive from a federal court. A subpoena for a pen register under this legislation would also come from a federal court. Please note, however, that a search warrant or a subpoena apart from those specifically detailed in the Patriot Act can come from any court of competent jurisdiction, and so one should not ignore such authorization from a state or local court. It may be about another matter apart from terrorism entirely, and entirely legal.
Question: During the final Q&A period Ms. Mitrano mentioned something to the effect that ECPA does not apply (or applies differently) to private entities. Could she elaborate on what that means to private verses public institutions? Glenn T. Schneider, Samford University
Answer: Mr. Schneider: In a case colloquially known as Andersen Consulting, the court found that the network of a private company of the case’s name did not fall under the rubric of ECPA for failure to be an "internet service provider to the public" [my italics]. Whether a court in another circuit would disagree is open to question, although one has not to date done so. Moreover, other cases and laws regarding employees’ right to privacy — or absence thereof — in electronic communications seem to correspond to that aspect of the decision, namely that private networks offer no rights. How this question would play out in an academic environment is worthy of much fascination and little factual information at this time. I have proffered the idea that courts could divide ECPA like they do DMCA, that is decide that if the case is about an employee, then it is a private network; if it is about a student, it is a public network, and therefore ECPA would apply. And if it is about a faculty member, my guess would be that the court would look to any university policy with respect to faculty and faculty rights before tipping naturally to any one side. And then, of course, there is the private verses public university split that could, or could not (depending on how a judge interprets different institutional and legal notions of "public" and "private" in two different contexts!) also influence a court’s decision on this matter. I usually eschew being so wishy-washy, but ultimately what I am trying to suggest is that your guess is as good as mine on that point!
Question: I'd like to get some clarification on the question brought up by two of the callers, because it sounded as if one of your answers contradicted the other, related slide 14 and the issue of "FISA ...prohibits record keeper discloser of FBI action".
In one answer, you stated that what this prohibition means is that if the FBI, for example, requests records about a student from Amherst College, no one at Amherst (the record keeper or anyone else) can reveal that that request was made to anyone else, such as the student themselves, the media, etc. However, you also said that an institution should establish its own internal policies for how these kinds of things are handled when an initial call comes in -- as an example you suggested that the FBI be redirected to the head of IT or some other high-ranking College official, who could involve the college's lawyers and so forth. So my question is how does this prohibition of disclosure relate to the internal operation of the College's policies?
For example, suppose I oversee many of the E-mail and network systems on campus, but decisions about what to do in response to a subpoena would be made by someone above me, like the head of IT or a dean. If I get a call from the FBI asking for records, am I or am I not allowed to tell the head of IT or a dean that such a request was made as part of handing off the decision process to him? Put more concisely, if a University employee gets a call from law enforcement asking for records, but that employee is not, as a matter of institutional policy, allowed to give out such information without approval from higher administration University officers, what should that employee do? Tell law enforcement they need to call one of those officers directly? Can an employee at least tell their superiors that the FBI called to ask for the records? Could law enforcement insist that the person they call produce the records without authorization even though institutional policy forbids it? John W. Manly, Amherst College
Answer: Hi John! This legislation, like any other requiring non-disclosure, would almost certainly contemplate internal "chain of custody" and requisite authority disclosure. Having said that I would caution such communications be kept tight. Remember: loose lips sink ships!
Question: It was stated that if a University individual was served a subpoena, court order, search warrant, letter from Attorney General or was requested verbally for communication records the individual could not talk to any body about this request. In another part of the presentation it was stated that this individual could talk to University Legal and possibly negotiate with the requestor of this information. Traditionally in a University environment the person who was served this document would tell his/her supervisor and the supervisor would tell possibly the V.P. and President then the legal people would become involved.
Who can the university individual tell and/or discuss the information requested with? Please be specific and give examples. If no one - WHY. If you can't tell anyone then will the university hold the individual harmless from any legal action that may ensue? Richard Bull, East Stroudsburg University
Answer: Mr. Bull: As you can see from above, you are not alone in your raising this question, and I would mention that it comes up frequently in presentations on this topic. I think I should add a slide to the presentation on this point. You have also provided me with the opportunity to encourage that IT folks proactively have a conversation about procedure and protocol in this area, so everyone involved knows whom to contact, what the chain of information and command is on such matters, and precisely how to handle this delicate matter of disclosure. I make this suggestion as an attorney, but also as a historian. Should government and/or law enforcement ever abuse this avenue, and should there be a hero in the making (a whistle blower), that person would want to have as much institutional information about such requests, how they are handled, in order to lay a sound foundation for their reasons to disclose against theirs and their institution’s interest. Intuition may be critical in a moment like that, but it is definitely not all. Full documentation of cases and a history of prudent management would go a long way in establishing validity of an extraordinary claim.
Question: Are there any Universities that have or are developing University policies that will address the Patriot Act of 2001 issues? If so can we be given a copy of those documents? Richard Bull, East Stroudsburg University
Answer: Sure! (See OIT Procedure and Protocols under the "USA-Patriot Act" Exceptions to the Electronic Communications Privacy Act).
Question: We would like to get a copy of the document she said she was working on for Cornell, regarding policy and procedure for IT staff to respond to FBI and law enforcement requests for information. Can she distribute that policy to other schools so we can use it also? Marj Minnigh, Tufts University
Answer: Yes, but please do cite Cornell University, Office of Information Technologies, as the source.
Question: Are there any funding or grants available to assist us in our security compliance efforts? Randy Crawford, University of Texas Medical Branch at Galveston
Answer: Mr. Crawford: Oh yes. The Patriot Act clearly contemplates, echoing other legislation, that federal law enforcement will compensate "reasonable expenses for reasonable measures" taken to comply with their orders. Two tricks here: First, I am not yet apprised of any school that has received such compensation, and I am yet unclear how to go about it exactly. Please, reders, if you have information on this matter, I would appreciate enormously if you could contact me. Second, the distinction between computer trespass (owner/operator authorizations) and law enforcement action may play out here in funny ways. Since it is at their behest, if owners and operators authorize, it would not appear that they could make a claim for reasonable compensation, at the same time that they may request in order for law enforcement to bring their expertise and/or software to bear on the problem. If law enforcement comes with authorization, then owners and operators are in a position to request compensation.
Question: In addition to criminal charges, it would now appear that we can also seek a civil remedy for computer abuse. Can you provide additional details? Randy Crawford, University of Texas Medical Branch at Galveston
Answer: Please take note of Section 814 of the Patriot Act, the minimum is $5,000 in damage.
Question: There was a definition shared for "pen registers" that was not included within the handout, could that be provided? Randy Crawford, University of Texas Medical Branch at Galveston
Answer: I did not supply that definition so I regret that I cannot supply it now; the gentleman who did, or if others want to send one in, please do.
Question: There was a broad definition given for "computer abuse" that was also not included in the handout, would like that as well. Randy Crawford, University of Texas Medical Branch at Galveston
Answer: Please refer to Title 18 of the U.S.C, section 1030 for legal definitions on this matter.
Thank you, everyone, I enjoyed the seminar very much.
