Features - The USA PATRIOT Act and Patron Privacy on Library Internet TerminalsBy Mary Minow, Published on February 15, 2002
Mary Minow is a library law consultant with librarylaw.com. She is currently writing a book on library law for the American Library Association with Tomas Lipinski. This librarylaw.com column is not intended to replace legal advice. For a particular fact situation, consult an attorney.
Within hours after the September 11 attacks, the FBI began serving search warrants to major Internet Service Providers to get information about suspected electronic communications.2 Within a week, police and FBI agents received tips that some suspects used libraries in Hollywood Beach and Delray Beach, Florida. FBI agents have since requested computer sign-in lists from other libraries. President Bush signed the USA PATRIOT Act into law on October 26, 2001. This law is expected to greatly increase the number of requests for sign-in lists at libraries.
What is the USA PATRIOT Act?
The USA PATRIOT Act stands for the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001. The legislation is broad and changes immigration laws, tightens controls on money laundering, and greatly expands the legal use of electronic surveillance.
The Act greatly expands the use of "roving wiretaps." This means that a wiretap order targeted to a person is no longer confined to a particular computer or telephone. Instead, it may “rove” wherever the target goes, which may include library computers. The new law allows a court to issue an order that is valid anywhere in the U.S. This greatly increases a library's exposure to court orders. Further, the use of pen/trap orders is now "technology neutral" and applies to the Internet as well as telephones. Whereas incoming and outgoing phone numbers have long been available upon the mere showing that they are relevant to an ongoing investigation, now email headers and URLs visited are available under the same low standard. Civil liberties advocates argued that such information is not analogous to phone numbers, but far more revealing (including, for example, the keywords used in Google searches such as http://www.google.com/search?hl=en&q=mary+minow).
Much of the Act expands the Foreign Intelligence Surveillance Act (FISA), in which the standards for courts to approve surveillance of foreign intelligence gathering are far less demanding than those required for approval of a criminal wiretap, which requires a showing of probable cause.
Librarians can get a good sense of the legal requirements by reading the guidance just issued to federal agents by the Department of Justice.3
What does the USA PATRIOT Act mean for libraries?
The upshot is that there will be a great many more surveillance orders, everywhere in the country, and in turn there will be more requests for library records, including Internet use records. Think of law enforcement as needing to enter two doors to apprehend a suspect.
Door One leads to the computer server. Law enforcement can find electronic tracks through email or Internet history logs. They may have intercepted messages through surveillance or other means. This leads to a particular computer terminal, date and time.
Door Two leads to the individual. This person could be someone using the Internet in a library, particularly someone who wishes to remain anonymous. The FBI (or others) will want to see a library record of who was using the library’s terminal(s) at a particular date and time. If the library keeps sign-up records, law enforcement will want to see those records.
Will the FBI (or other law enforcement) ask to put surveillance technology on library computers?
In many cases, the surveillance technology will be placed elsewhere, and lead law enforcement directly to Door Two. However, it is possible that the FBI will approach the library and ask to place software (such as the controversial DCS1000 (also known as Carnivore) on library servers.4 Libraries should be sure to insist on a court order before complying. Note that libraries that share servers with cities or others may not be directly approached.
Should a library cooperate with the FBI (or other law enforcement) in giving library Internet sign up lists?
Yes, but advisedly with a court order. This is where the library’s individual policies and procedures will become increasingly important. Does the library require sign-ups? If there are no sign-up lists, the inquiry essentially halts. Does the library allow first names only, or made-up names? Does it require identification? Library cards with addresses? Does it keep sign-up records, and if so, for how long? Does it use an automated system that ties library card numbers (tied to registration information) to Internet use? Is such information electronically disengaged after use and electronically shredded? Is it backed up on computer tapes? How long are backup tapes kept?
Search warrants are court orders, signed by a magistrate or a judge. Libraries are explicitly barred under Calif. Gov't. Code §6267 from disclosing patron registration or circulation records, excepting staff administrative use, written consent by the patron, or an order from the appropriate superior court.5
Whether or not the law protects Internet use records from disclosure without a court order (this includes search warrants) is not entirely clear. Many libraries consider these records as an extension of registration/circulation records, in that personally identifying information linking patron names with content is involved. Additionally, another section of the law known as the "personal privacy" exemption, provides that certain types of information may be kept confidential by a public agency where the disclosure would constitute an unwarranted invasion of personal privacy.6 Finally, library policies that protect such records, if well drafted, might protect Internet use records. For an argument that the state law should be updated to reflect the use of Internet in California libraries, see my article in California Libraries April 4, 1999.7
Should my library use sign-ups for Internet terminals? If we use sign-up records, are they subject to the California Public Records Act, making us at risk if we destroy them?
Libraries generally decide on whether and how to use sign-up procedures based on the supply and demand of Internet terminals. Sometimes libraries want identification to afford a measure of accountability i.e. prevent hacking. Libraries should be aware, however, that the sign-up procedure has considerable privacy implications. If records are kept, it is best if precise information can be extracted (e.g., user at Terminal #2 on November 13, 2001 at 1 p.m.) without giving out other patron's data.
Under the California Public Records Act, the library is not required to create or maintain Internet use records, any more than numerous other temporary records libraries may keep, such as reference query logs. Once records are created and kept, however, they are subject to court orders, and possibly to open records requests. (Remember that it's possible these records have the same privacy safeguards as circulation and registration records described above.)
Although libraries are not required to create or maintain such records, it is definitely not advisable to destroy the records after a law enforcement or public request for disclosure. In a case in New Hampshire, a father requested a school's computer internet logs (in this case, the electronic records of sites visited). He was concerned that the school library’s acceptable use policy was inadequate. When the school did not turn over the logs, the father sued under the state's Right-To-Know law. The county superior court ordered the school to turn over the logs, with the user names and passwords omitted. In January 2001, however, the Court found that the school had intentionally deleted the logs after the father filed suit. It found the school to be in contempt of court, and ordered it to produce the remaining records and pay the father his costs and attorney’s fees.8
In addition, local ordinances may apply. Check with the library's attorney.
I read that the USA PATRIOT Act allows federal agents to get court orders for the production of “business records.” Does that include library records?
The Act states that the FBI may apply for an order requiring the "production of any tangible things (including books, records, papers, documents and other items) for an investigation to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment..."9
This provision is designed to get ISP records of user billing information. Library patrons who are merely accessing information on Internet terminals should have strong First Amendment arguments. Nevertheless, it's not clear whether they would win. Senator Russ Feingold tried to get an amendment to clarify that the Act would not preempt existing federal and state privacy laws, by maintaining existing criteria for records, such as library records. This amendment failed. Also, it should be noted that this "business records" provision is an amendment of the FISA law, which means that court proceedings are not open and are sealed.
I read that a research librarian tipped off the police in Florida. Can I do that, or must I wait for them to come to me?
If you recognize a picture in the newspaper as one of your patrons, that is not divulging a library record. If, on the other hand, you recognize a suspect's names from library records, you should definitely check in with your attorney before deciding whether to call the police.
In Broward County, Florida, the library was issued an order by a federal grand jury to collect library records when a patron fitting the description of Mohamed Atta, an alleged terrorist leader, was seen using computers with Internet access.10 The order was given with specific instructions not to release information to anyone other than federal authorities.11
Recall that the vast majority of library patrons are not terrorists, and libraries should make all efforts to protect patron privacy.
Wasn't there an FBI program years ago that sent FBI agents into libraries asking for reading habits of suspicious looking people?
Yes. The FBI Library Awareness Program was a program that ran for about 25 years, in which FBI agents tried to enlist the assistance of librarians in monitoring the reading habits of "suspicious" individuals. Such individuals were variously defined as people with Eastern European or Russian-sounding names or accents, or coming from countries hostile to the U.S.12 During the Library Awareness Program, some FBI agents wrongly claimed that they were not subject to statutes protecting library records.13 The efforts were largely unsuccessful, due to the tremendous outrage and resistance from those in the library profession.
The most important lesson that libraries learned was the importance of training the "friendly front desk clerk" and even volunteers not to hand over the information, but to refer all inquiries, even by badged FBI agents, to the library director.
How is the library community responding to the anti-terrorism legislation?
The American Library Association joined with the Association of Research Libraries and the Association of American Law Libraries in issuing a statement on the proposed anti-terrorism measures. It says that libraries do not monitor information sought or read by library users. To the extent that libraries "capture" usage information of computer logs, libraries comply with court orders for law enforcement.
The statement is also concerned that the legislation, which makes it easier to access business records, may in some cases apply to library circulation records. It recommends that legislators keep high standard for court order regarding release of library records.14
Where should libraries go to get guidance on FBI search warrants?
The Freedom to Read Foundation is making some legal assistance available to librarians. Librarians are advised to call the ALA Office for Intellectual Freedom and request legal advice from Jenner & Block without disclosing the existence of a warrant. For more details, see the ALA's recently issued Alert: USA PATRIOT Act.15
1. This "bottom line" is dedicated to Thad Phillips, who said, "Mary, I know you're smart, but when I read your articles, I just want to get to the bottom line."
2. "FBI turns to Internet for terrorism clues," http://www.cnn.com/2001/TECH/internet/09/13/fbi.isps/ (visited November 15, 2001).
3. See United States. Department of Justice. Computer Crime and Intellectual Property Section. Field Guidance on New Authorities that Relate to Computer Crime and Electronic Evidence Enacted in the USA Patriot Act of 2001, http://www.usdoj.gov/criminal/cybercrime/PatriotAct.htm (visited November 13, 2001).
4. For more on current software/hardware surveillance technology, see Jack Karp, Chewing on Carnivore, TechTV, October 16, 2001 (visited November 13, 2001).
5. See Calif. Gov't. Code §6254 and §6267 (2001). The library may not disclose these records except to a) staff within the scope of administrative duties, b) with written consent from the patron, or c) by order of the appropriate superior court. Although California law refers to the “appropriate superior court,” the USA PATRIOT Act still requires court orders, but allows courts in any jurisdiction to issue orders. Federal law will supercede state law in this case (unless the Act is later found unconstitutional).
6. Calif. Gov't. Code, § 6254(c) (2001).
7. See Mary Minow, "Library patron internet records and freedom of information laws," California Libraries, April 4, 1999, pp. 8-9, reprinted at http://www.librarylaw.com/publicrecords.html (visited October 3, 2001).
8. James M. Knight v. School Administrative Unit #16 Docket No. 00-E-307, Rockingham, SS. Superior Court, New Hampshire. See “Exeter Internet Ruling, Complete Ruling,” Portsmouth Herald, January 8, 2001 at http://www.seacoastonline.com/news/1_8special.htm (visited November 15, 2001).
9. USA PATRIOT Act H.R. 3162, Title II Section 215, amending the Foreign Intelligence Surveillance Act (FISA), Title V, Section 501(a)(1) http://leahy.senate.gov/press/200110/USA.pdf (visited November 13, 2001)
10. Florida Statute 257.261 The Florida Statute is very similar to the Calif. Gov't Code §6254 and §6267.
11. John Holland, Paula McMahon, Fred Schulte and Jonathon King, "Library computers targeted in terrorism investigation, "Sun-Sentinel, September 18, 2001 at http://www.sun-sentinel.com/news/southflorida/sfl-culprits918.story (visited October 3, 2001).
12. See Herbert N. Foerstel, Surveillance in the Stacks: The FBI’s Library Awareness Program, (Greenwood Press 1991); Ulrika Ekman Ault, “Note: The FBI’s Library Awareness Program: Is Big Brother Reading Over Your Shoulder?” 65 N.Y.U.L. Rev. 1532 (December, 1990);
13. Senator Simon, Academic Libraries Must Oppose Federal Surveillance of Their Users, 100th Cong. 2nd Sess., 134 Cong Rec. S 4806 (1988)(republishing an article by Gerald R. Shields, Chronicle of Higher Education) cited in Mark Paley, The Library Awareness Program: The FBI in the Bookshelves at http://hometown.aol.com/paleymark/library.htm (visited October 1, 2001).
14. Library Community Statement on Proposed Anti-Terrorism Measures and Library Community Letter to Congress on Anti-Terrorism Legislation (pdf file) at http://www.ala.org/washoff/ (visited October 4, 2001).
15. American Library Association. Office for Intellectual Freedom Alert: USA Patriot Act http://www.ala.org/alaorg/oif/usapatriotact.html (Editor's noted (SP), this link changed after publication, and has been corrected).
Copyright © 2001-2002 Mary Minow.