Information Today, Inc. Corporate Site KMWorld CRM Media Streaming Media Faulkner Speech Technology Unisphere/DBTA
Other ITI Websites
American Library Directory Boardwalk Empire Database Trends and Applications DestinationCRM Faulkner Information Services Fulltext Sources Online InfoToday Europe KMWorld Literary Market Place Plexus Publishing Smart Customer Service Speech Technology Streaming Media Streaming Media Europe Streaming Media Producer Unisphere Research

News & Events > NewsBreaks
Back Index Forward
Twitter RSS Feed

New U.S. Laws Impact Information Gathering and Security
Posted On February 3, 2015
In a flurry of preholiday activity, the 113th Congress enacted several dozen pieces of legislation during the final week of its lame duck session. While many of the bills represent routine or ceremonial legislation (including the Newborn Screening Saves Lives Reauthorization Act and a law declaring a section of Interstate Route 35 in Minnesota as the James L. Oberstar Memorial Highway), a few are generating interest—and in some cases, controversy—for their possible impact on privacy, information security, and other areas of interest to the information industry.

Intelligence Authorization Act for Fiscal Year 2015

Among the more controversial bills of late 2014 was the Intelligence Authorization Act for Fiscal Year 2015 (Public Law 113-293). It passed the Senate by a voice vote on Dec. 9 and was approved by the House of Representatives in a vote of 325 to 100 on Dec. 10. The president signed the bill into law—along with a number of other end-of-session bills—on Dec. 19. The primary purpose of the act is to provide appropriations for various intelligence agencies and activities. However, one section buried within the act is being claimed to expand government spying by authorizing the “acquisition, retention, and dissemination” of “any nonpublic telephone or electronic communication acquired without the consent of a person who is a party to the communication.”

Known as Section 309 of the act, and titled “Procedures for the Retention of Incidentally Acquired Communications,” it appears to apply to “any intelligence collection activity not otherwise authorized by court order, … subpoena, or similar legal process. …” The act requires intelligence agencies to adopt rules covering these activities and has limits on how long the information can be retained, but does not address any limitations on these activities. The section was added by the Senate just prior to its voice vote and was not specifically debated in the House.

In a brief skirmish prior to the House vote, Rep. Justin Amash (R-Mich.) sent a letter to his colleagues lambasting Section 309, describing it as “one of the most egregious sections of law I’ve encountered during my time as a representative: It grants the executive branch virtually unlimited access to the communications of every American.” In response, the United States House Permanent Select Committee on Intelligence issued a fact sheet on the act indicating that Amash’s assertion is a “myth” and that “Section 309 provides no authority to collect any communications whatsoever. Instead, Section 309 protects privacy rights by requiring the government to adopt procedures to destroy communications collected outside the United States after five years. …”

Legislative language is often very convoluted and nuanced. Reading the legislation, it appears that there may be some truth to both positions. The language about acquiring communications without consent or other authorization can be read as applying to activities that are already underway as part of various programs already in place. (Whether those programs are legal or meritorious are separate questions.) Or it could be read as placing no restrictions on additional communications-interception activities. Similarly, the 5-year retention rule is very specific, yet there are several exceptions to the rule, including one that allows for retention when a communication is “reasonably believed to constitute evidence of a crime.” Under the Constitution, gathering criminal evidence is subject to the Fourth Amendment’s prohibitions against unreasonable searches. However, intelligence gathering is generally not subject to those prohibitions. Information gathered for intelligence purposes, but used for criminal investigation purposes, may violate the subject’s constitutional rights.

Federal Information Security Modernization Act of 2014

Less controversial was the Federal Information Security Modernization Act of 2014 (Public Law 113-283), also enacted in the final days of the 113th Congress. This law will support increased coordination among federal agencies for protecting federal information sources from hacking and other cyberthreats. It provides for shared oversight of information security operations between the Office of Management and Budget and the Department of Homeland Security; increased support from the Director of National Intelligence and the National Institute of Standards and Technology; and improved sharing of intelligence about cyberthreats, vulnerabilities, and risk assessment. The law is being cited as “bringing federal agency information security into the new millennium.”

National Cybersecurity Protection Act of 2014/Cybersecurity Enhancement Act of 2014

Looking more broadly at information security, Congress also passed the related National Cybersecurity Protection Act of 2014 (Public Law 113-282) and the Cybersecurity Enhancement Act of 2014 (Public Law 113-274). The two laws are intended to provide for a more integrated government and private sector response to cyberthreats by the creation of a “national cybersecurity and communications integration center” within the Department of Homeland Security. This center will be an “interface for the … sharing of information related to cybersecurity risks, incidents, analysis, and warnings” for both federal and nonfederal entities and companies (National Cybersecurity Protection Act). In addition, the National Institute of Standards and Technology is directed to work with government and private sector entities to establish an “industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure …” (Cybersecurity Enhancement Act).

No Vote on FOIA

Unfortunately, some bills did not get a vote in the final, hectic days of the 113th Congress, including the proposed Freedom of Information Act (FOIA) Improvement Act of 2014. This legislation would have addressed a number of criticisms and loopholes of FOIA by reducing costs for requests, penalizing agencies for slow responses, closing loopholes, and providing that frequently requested information be posted on agency websites. While the bill passed the Senate and was expected to pass in the House, it never made it to the floor of that chamber. At least one source speculates that some last-minute pushback from the Department of Justice and other agencies stalled the vote to a point at which it never happened. (For more on FOIA, see POLITICO’s coverage of new bills introduced in Congress that “would place a presumption of openness in the FOIA statute and require agencies to justify withholding of information by showing a specific harm that is foreseeable from disclosure.”)

Congress has not been the only branch of government acting in ways that could impact the information industry. The Supreme Court is continuing its recent trend of increased attention to patent and copyright issues by scheduling a number of such cases for argument in upcoming months. One case includes a question about whether royalties being paid under a patent licensing agreement continue after the patent has expired. Another involves the level of copyright protection for software, which is considered critical since the Supreme Court restricted patent protection for software in a summer 2014 decision. The court’s decisions for these cases are expected in late spring or early summer.

George H. Pike is the director of the Pritzker Legal Research Center and a senior lecturer at the Northwestern University School of Law. He teaches legal research, intellectual property, and privacy courses at the School of Law in both the J.D. and Northwestern’s innovative Master of Science in Law program. Prof. Pike is a frequent lecturer on issues of First Amendment, copyright, and Internet law for library and information professionals. He is also a regular columnist and writer for Information Today, publishing a monthly column on legal issues confronting information producers and consumers. Previously, Prof. Pike was director of the Law Library at the University of Pittsburgh School of Law, and held professional positions at the Lewis and Clark Law School and at the University of Idaho School of Law, and was a practicing attorney in Idaho Falls, Idaho. Prof. Pike received his B.A. degree from the College of Idaho, his law degree from the University of Idaho, and his Masters in Library Science from the University of Washington. He is a member of the American and Idaho State Bar Associations, the American Association of Law Libraries, and the American Intellectual Property Lawyers Association.

Email George H. Pike

Related Articles

8/6/2012Cybersecurity and Privacy Concerns at the Highest Levels of Government
11/7/2013U.S. Government Releases Proposed Cybersecurity Framework
1/21/2014Government Reforms Intelligence Collection Policies
12/9/2014FOIA Reform Gets Key Senate Endorsement
4/21/2015May 1 Named National Day of PACER Protest
5/12/2015Supreme Court to Address Standing to Sue for Data Breaches and Privacy Violations
6/16/2015The FCC's New Open Internet Order Faces the Realities of Implementation
10/20/2015The Federal Government Turns To Silicon Valley for Tech Support
11/10/2015Design Standards Take Federal Websites to New Levels of Usability
5/3/2016Congress Approves Federal Protection for Trade Secrets
4/17/2018PACER Faces Continuing Troubles
9/11/2018EfficientIP Studies Cyberthreats in Higher Education

Comments Add A Comment

              Back to top