66–503

2000
FOURTH AMENDMENT AND THE INTERNET

HEARING

BEFORE THE

SUBCOMMITTEE ON THE CONSTITUTION

OF THE
COMMITTEE ON THE JUDICIARY
HOUSE OF REPRESENTATIVES

ONE HUNDRED SIXTH CONGRESS

SECOND SESSION

APRIL 6, 2000

Serial No. 135

Printed for the use of the Committee on the Judiciary

For sale by the U.S. Government Printing Office
Superintendent of Documents, Congressional Sales Office, Washington, DC 20402

COMMITTEE ON THE JUDICIARY
HENRY J. HYDE, Illinois, Chairman
F. JAMES SENSENBRENNER, Jr., Wisconsin
BILL McCOLLUM, Florida
GEORGE W. GEKAS, Pennsylvania
HOWARD COBLE, North Carolina
LAMAR S. SMITH, Texas
ELTON GALLEGLY, California
CHARLES T. CANADY, Florida
BOB GOODLATTE, Virginia
STEVE CHABOT, Ohio
BOB BARR, Georgia
WILLIAM L. JENKINS, Tennessee
ASA HUTCHINSON, Arkansas
EDWARD A. PEASE, Indiana
CHRIS CANNON, Utah
JAMES E. ROGAN, California
LINDSEY O. GRAHAM, South Carolina
MARY BONO, California
SPENCER BACHUS, Alabama
JOE SCARBOROUGH, Florida
DAVID VITTER, Louisiana

JOHN CONYERS, Jr., Michigan
BARNEY FRANK, Massachusetts
HOWARD L. BERMAN, California
RICK BOUCHER, Virginia
JERROLD NADLER, New York
ROBERT C. SCOTT, Virginia
MELVIN L. WATT, North Carolina
ZOE LOFGREN, California
SHEILA JACKSON LEE, Texas
MAXINE WATERS, California
MARTIN T. MEEHAN, Massachusetts
WILLIAM D. DELAHUNT, Massachusetts
ROBERT WEXLER, Florida
STEVEN R. ROTHMAN, New Jersey
TAMMY BALDWIN, Wisconsin
ANTHONY D. WEINER, New York

THOMAS E. MOONEY, SR., General Counsel-Chief of Staff
JULIAN EPSTEIN, Minority Chief Counsel and Staff Director

Subcommittee on the Constitution
CHARLES T. CANADY, Florida, Chairman
HENRY J. HYDE, Illinois
ASA HUTCHINSON, Arkansas
SPENCER BACHUS, Alabama
BOB GOODLATTE, Virginia
BOB BARR, Georgia
WILLIAM L. JENKINS, Tennessee
LINDSEY O. GRAHAM, South Carolina

MELVIN L. WATT, North Carolina
MAXINE WATERS, California
BARNEY FRANK, Massachusetts
JOHN CONYERS, Jr., Michigan
JERROLD NADLER, New York

CATHLEEN CLEAVER, Chief Counsel
BRADLEY S. CLANTON, Counsel
JONATHAN A. VOGEL, Counsel
PAUL B. TAYLOR, Counsel

C O N T E N T S

HEARING DATE
    April 6, 2000

OPENING STATEMENT

    Canady, Hon. Charles T., a Representative in Congress From the State of Florida, and chairman, Subcommittee on the Constitution

WITNESSES

    Baker, Frederick Juergens, chairman, Internet Engineering Task Force

    Baker, Stewart, Steptoe & Johnson

    Corn-Revere, Robert, Hogan & Hartson L.L.P.

    Dempsey, James X., senior staff counsel, The Center for Democracy and Technology

    Di Gregory, Kevin V., Deputy Associate Attorney General, Department of Justice

    Fishman, Clifford S., professor of law, Columbus School of Law, Catholic University of America

    Nojeim, Gregory, legislative counsel, American Civil Liberties Union

    Richards, Jeff B., executive director, Internet Alliance

    Rosen, Jeffrey, associate professor of law, the George Washington University Law School

    Wong, Nicole, executive director, Perkins Coie

LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING

    Baker, Frederick Juergens, chairman, Internet Engineering Task Force: Prepared statement

    Corn-Revere, Robert, Hogan & Hartson L.L.P.: Prepared statement

    Dempsey, James X., senior staff counsel, The Center for Democracy and Technology: Prepared statement

    Di Gregory, Kevin V., Deputy Associate Attorney General, Department of Justice: Prepared statement

    Fishman, Clifford S., professor of law, Columbus School of Law, Catholic University of America: Prepared statement

    Nojeim, Gregory, legislative counsel, American Civil Liberties Union: Prepared statement

    Richards, Jeff B., executive director, Internet Alliance: Prepared statement

    Rosen, Jeffrey, associate professor of law, the George Washington University Law School: Prepared statement

    Wong, Nicole, executive director, Perkins Coie: Prepared statement

FOURTH AMENDMENT AND THE INTERNET

THURSDAY, APRIL 6, 2000

House of Representatives,
Subcommittee on the Constitution,
Committee on the Judiciary,
Washington, DC.

    The subcommittee met, pursuant to call, at 2:45 p.m., in Room 2226, Rayburn House Office Building, Hon. Charles Canady [chairman of the subcommittee] presiding.

    Present: Representatives Charles T. Canady, Bob Goodlatte, Bob Barr, William L. Jenkins, and Melvin L. Watt.

    Staff present: Jonathan A. Vogel, counsel; Paul B. Taylor, counsel; Susana Gutierrez, clerk; and Anthony Foxx, minority counsel.

OPENING STATEMENT OF CHAIRMAN CANADY

    Mr. CANADY. The subcommittee will be in order.

    The dramatic development of the Internet has transformed methods of gathering, processing and sharing information. In 1981, fewer than 300 computers were linked to the Internet. This number has grown dramatically in recent years, and I guess that is an understatement.

    In a recent report by the White House working group it states that the Internet has grown from 65 million users in 1998 to over 100 million users in the U.S. in 1999, or half the country's adult population. The number of Internet users in the U.S. is projected to reach 177 million by the end of 2003 and the number of Internet users worldwide is estimated to reach 502 million by 2003.

    The Internet is not like the telephone system or the mail or other mass media because it combines a much broader range of functions serving not only the one-on-one functions of the telephone and the mail but also a wide variety of informational, artistic, political and sales and marketing functions. The development of the Internet as a network global communications medium, the expansion in the range of transactions that occur on line and the amount of information now stored with third party Internet companies and Internet service providers have produced a qualitative change in the nature of communications and accordingly in the nature and amount of information that may be exposed to interception by the Government.

    In light of these recent developments, the question arises as to whether existing protections for citizens from unreasonable searches and seizures under the fourth amendment appropriately balance the concerns of law enforcement—namely, the concern that the information they need in order to keep the public safe is available to them—with individuals' concerns that a sufficient degree of privacy and the integrity of personal information are maintained.

    As much of the same information individuals formerly kept in their homes, file cabinets, wallets and purses gravitates toward new locations on the Internet's landscape, Congress must consider whether the Government adequately protects fourth amendment values and whether additional legislation or oversight is necessary to ensure that a legal protection of personally sensitive information keeps pace with rapidly advancing technology related to electronic communication and information storage.

    I am hopeful that this hearing today exploring these questions will help illuminate the important constitutional issues at stake, and I look forward to hearing the testimony of the witnesses. I want to thank Mr. Barr and his staff for their work with the members of the subcommittee staff in formulating the agenda for today's hearing.

    I will now move to the introduction of the members of our first panel of witnesses, if you will come forward, and I will now recognize other members who wish to make opening statements as you are coming forward before I introduce you. Mr. Goodlatte.

    Mr. GOODLATTE. I want to thank you for holding this hearing today. This is a very important issue and one that I share some of the concerns expressed by my colleagues from Georgia. I want to make absolutely sure that the Internet is secure, that people are protected from criminal activities on the Internet, but that we do so in such a way that it is very sensitive to the privacy rights of individuals.

    The Speaker has appointed a committee to look into this matter. On Monday we had a very good series of meetings with some of the technology companies in northern Virginia. I think there are a great many technological solutions to protect and solve some of the problems that exist in this area, but it concerns me when it is said, as has been said by some very prominent people in this country, that we need a new fourth amendment for the Information Age. That raises my eyebrows.

    I think the fourth amendment is a wonderful part of our Bill of Rights and something we need to protect in this process as we protect the people who engage in all kinds of activities on the Internet.

    So I look forward to hearing from our experts today and asking questions of them. Thank you.

    Mr. CANADY. Thank you, Mr. Goodlatte.

    Mr. Barr.

    Mr. BARR. Thank you, Mr. Chairman. I appreciate your leadership and that of the gentleman from Virginia, Mr. Goodlatte, on this issue. The Internet is something that touches every American directly or indirectly in ways that most citizens hardly even realize yet. The experts that we are going to have with us here today and the members of this subcommittee in particular understand full well. That is why it is of concern to many of us, including many of our witnesses and at least the three of us here today when we almost on a regular basis now pick up the newspaper or read a wire service story or an Internet story as it were on a new Government proposal to vacuum in more and more information off the Internet, to massage that information, to manipulate it, to store it, to do things with this, and perhaps the fear is to abuse it.

    We look at the way the prevalence of the Internet and other forms of electronic communication have exploded in recent years and we stack that up and the ability and the willingness of Government agencies to use new technology to sift through virtually any communication, electronic communication that is, in a country or indeed around the world and we are very concerned because stacked up against that in that very careful constitutional balance, particularly as reflected in the fourth amendment, we see laws that have not been updated for many years.

    The most recent permutation of course was in 1986 with the Electronic Communications Privacy Act, which addresses some of these issues but certainly not fully because even back then the scope of the Internet and the way electronic communications have blossomed really could not have been anticipated, and yet still much of what the Government does falls within the ambit of laws that are even older than that, the title III laws going back to the late 1960's.

    So I think, Mr. Chairman, it is very appropriate today that we begin what I hope will be a series of important hearings, not just in this subcommittee but maybe in the full committee and other committees as well, to really try and get a handle on this matter of electronic communications, the Bill of Rights and whether or not Federal statutes, which I believe are not really being used in a way or as contemplated to be used in a way that really protects the privacy of American citizens within the confines of the fourth amendment.

    And even today in one of the newspapers, there is a story about something rather strangely called a Digital Storm. I guess patterned after Desert Storm for some reason. Somebody ought to have a talk with whoever came up with that name, but Digital Storm, a new FBI proposal. Just last week we saw reports surface that the SEC is engaged in what seems to be a predisposition now for almost every Government agency to get involved in some sort of vacuum operation simply because the tools are there to gather, manipulate, sift out key words in electronic communications.

    So thank you very much, Mr. Chairman, for taking a leadership role on starting to try to get a handle on this very, very important issue. I think it is important for law enforcement that we look at this as well. This is not something that is anti-law enforcement. Law enforcement has very much a concern I believe and a legitimate interest in making sure that our laws which reflect the fourth amendment are appropriate to address the needs of law enforcement but to do it in a way so that the court cases that are down the road developed through the interception of electronic communications can withstand constitutional challenge and do as I know the vast majority of our law enforcement officials want to do, are respectful of fourth amendment and other constitutional concerns.

    So this is the first of again what I hope will be future hearings on this, Mr. Chairman, and I appreciate and applaud your leadership in starting this very important process.

    Mr. CANADY. Thank you, Mr. Barr. We now will move to our first panel. The witnesses on our first panel will address the concerns of Federal law enforcement in the digital age. We are very pleased to have with us today Kevin V. Di Gregory. Mr. Di Gregory is Deputy Associate Attorney General of the United States, and at the Department of Justice members of the Justice Department's Computer Crimes Unit report to Mr. Di Gregory.

    Joining Mr. Di Gregory at the table today is David Green, the Deputy Chief of the Computer Crime and Intellectual Property Section at the Department of Justice.

    We thank you, Mr. Di Gregory. We understand you have some scheduling constraints this afternoon. We would ask that you do your best to confine your spoken comments to no more than 5 minutes, although I don't think any of us are going to insist on strict adherence to the 5-minute rule. Without objection, your full written statement as well as the full written statements of all the other witnesses testifying this afternoon will be made a part of the record.

    Mr. Di Gregory.

STATEMENT OF KEVIN V. DI GREGORY, DEPUTY ASSOCIATE ATTORNEY GENERAL, DEPARTMENT OF JUSTICE

    Mr. DI GREGORY. Thank you, Mr. Chairman. Good afternoon, Mr. Barr, Mr. Goodlatte, and thank you again Mr. Chairman, for the accommodation this afternoon. I thank you also and of course for this opportunity to testify on the topic of the fourth amendment and the Internet.

    Throughout the proud history of this Nation, the fourth amendment has stood as the cornerstone of protecting individual privacy from unwarranted governmental intrusion. Just as the fourth amendment protects the rights of Americans in their homes, on their phones and in their cars, so too it protects them while on line.

    One of the themes that will no doubt be repeated throughout this hearing is the challenge of protecting privacy while also protecting public safety. Recognizing the tension that sometimes exists between privacy and public safety, the founders adopted the fourth amendment to the Constitution which by its very terms strikes an important balance. Under the fourth amendment, the Government must satisfy the probable cause standard before obtaining a search warrant, arrest warrant or other significant intrusion on privacy.

    Congress and the courts have also recognized that lesser intrusions on privacy should be permitted under a less exacting threshold. In the computer context the Electronic Communications Privacy Act establishes a three-tier system by which the Government can obtain stored information from electronic service providers. In general the Government needs a search warrant to obtain the content of unopened communications like e-mail, a court order to obtain transactional records and a subpoena to obtain mere subscriber information.

    Because of the privacy values it protects, the wiretap statute, commonly known as title III, places an even higher burden on the real-time interception of oral, wire and electronic communications than the fourth amendment requires. In the absence of a statutory exception, the Government needs a court order meeting stringent standards in order to wiretap communications.

    The safeguards to privacy represented by the fourth amendment and statutory restrictions on Government provide boundaries for law enforcement, clarifying what is acceptable evidence gathering and what is not. At the same time, those who care deeply about protecting individual privacy must also acknowledge that when law enforcement successfully investigates, apprehends and prosecutes a criminal who has stolen a citizen's personal information from a computer system, law enforcement is undeniably working to protect privacy and deter further privacy violations.

    As we move into the 21st century, we must ensure that the needs of privacy and safety remain in balance and are appropriately applied to the new and emerging technologies that are changing the face of communications. Attorney General Reno and the entire Department understand and share the legitimate concerns of all Americans with regard to personal privacy. The Department has been and will remain committed to protecting the privacy rights of individuals.

    Mr. Chairman, the Internet has resulted, as you mentioned earlier, in new and exciting ways for people to communicate, transfer information, engage in commerce and expand their educational opportunities, but as has been the case with every major technological advance in our history, we are seeing individuals and groups use this technology to commit criminal acts. As Deputy Attorney General Eric Holder told the Crime Subcommittee in February, our vulnerability to computer crimes is astonishingly high and threatens not only our financial well-being and our privacy but also this Nation's critical infrastructure.

    There are, as the Deputy Attorney General recently stated, essentially three categories of major challenges facing law enforcement in cyberspace today. These are, first, technical challenges that hamper law enforcement's ability to locate and prosecute criminals that operate on line; second, certain substantive and procedural laws that have not kept pace with the changing technology, creating significant legal challenges to effective investigation and prosecution of crimes in cyberspace; and three, resource needs that must be addressed to ensure that law enforcement can keep pace with changing technology and has the ability to hire and train people to fight cyber crime.

    While we are proud of the successes we have had in stopping cyber criminals, such as capturing the creator of the Melissa virus, we still face significant challenges as on-line criminals become more and more sophisticated. In nearly every on-line case tracking the on-line criminal requires law enforcement to attempt to trace the electronic trail from the victim back to the perpetrator. In effect, this electronic trail is the fingerprint of the 21st century, only much harder to find and not as permanent as its more traditional predecessor.

    The technical challenges for law enforcement on the Internet were made clear in the recently released report of the President's Working Group on Unlawful Conduct on the Internet entitled, "The Electronic Frontier, the Challenge of Unlawful Conduct Involving the Use of the Internet." As the report states, the needs and challenges confronting law enforcement are neither critical nor theoretical, and the report goes on to outline a three-pronged approach for responding to this unlawful activity on the Internet.

    First, conduct on the Internet should be treated in the same manner as conduct off-line, in a technology neutral manner.

    Second, the needs and challenges of law enforcement posed by the Internet, including the need for resources, up-to-date investigative tools and enhanced multijurisdictional cooperation are significant.

    And finally, continued support for private sector leadership in developing tools and methods to help Internet users prevent and minimize the risks of unlawful conduct on line.

    I would encourage anyone with an interest in this important topic to review carefully the report of the working group, and that report can be found at the Computer Crime and Intellectual Property Section's Website located at www.cybercrime.gov. The report is on the Website, and the Website also contains other useful information on a wide array of Internet related issues, including the topic of today's hearing, privacy.

    In order to effectively deter and punish computer criminals, it takes more than just dedicated investigators and prosecutors. A legal structure that will support detection and prosecution of offenders is essential. However, for example, the Computer Fraud and Abuse Act, one of the primary statutes used to prosecute computer criminals, arguably does not reach a hacker who causes a significant amount of damage to a network of computers if no one computer sustains over $5,000 in damage.

    In addition to modest adjustments to the substantive laws, the tools used by investigators to track on-line criminals generally written in language reflecting the pre-Internet telephone technology need to be updated. For instance, the trap and trace and pen register statutes used to identify the destination and origin of telephone calls and computer communications need to be recalibrated. Under current law, law enforcement may have to obtain court orders in multiple jurisdictions to trace a single communication.

    Obtaining court orders in multiple jurisdictions does not advance, we submit, any legitimate or reasonable privacy safeguard and serves as a substantial impediment to an investigation that must move quickly to have any chance at success.

    As both the Attorney General and the Deputy Attorney General have told Congress recently, the ability to provide nationwide effect for trap and trace orders would help computer crime investigations without impacting personal privacy.

    Mr. Chairman and members of this subcommittee, as this debate moves forward it is important to note the distinction between computer security and responding to computer crime. In our view, enhancing computer security, like designing locks on doors, is primarily the responsibility of the private sector, not Government. The Department of Justice applauds and supports the efforts of the private sector to develop and implement secure computer systems. However, when a crime does occur on-line, when the locks are broken and a person or a company is victimized, law enforcement, whether local, State or Federal, has an obligation to respond. Enhanced computer security is vital, but ultimately it will take the combined efforts of the private sector, law enforcement and the on-line public to make cyberspace secure.

    [The prepared statement of Mr. Di Gregory follows:]

PREPARED STATEMENT OF KEVIN V. DI GREGORY, DEPUTY ASSOCIATE ATTORNEY GENERAL, DEPARTMENT OF JUSTICE

    Mr. Chairman, Congressman Watt, and Members of the Subcommittee, I thank you for this opportunity to testify on the topic of the Fourth Amendment and the Internet. Throughout the proud history of this nation, the Fourth Amendment has stood as the cornerstone of protecting individual privacy from unwarranted governmental intrusion. This basic and vitally important protection is no less applicable in cyberspace than anywhere else in this nation. Just as the Fourth Amendment protects the rights of Americans in their homes, on their phones, and in their cars, so too it protects them while online. This point is beyond dispute. As this nation and Congress continue to consider the appropriate parameters of governmental conduct in cyberspace, the Department of Justice is pleased to participate in the discussion today.

PRIVACY AND PUBLIC SAFETY

    One of the themes that will no doubt be repeated throughout this hearing and in the discussion in the months ahead is the challenge of protecting privacy while also protecting public safety. The founders of this nation, while concerned about the government's disregard and abuse of privacy in England, recognized that in order for our democratic society to remain safe and free, law enforcement must have the ability to investigate, apprehend, and prosecute people for criminal conduct. Recognizing the tension between privacy and public safety, the founders adopted the Fourth Amendment to the Constitution, which by its very terms strikes a balance. Under the Fourth Amendment, the government must satisfy the probable cause standard before obtaining a warrant for a search, arrest, or other significant intrusion on privacy.

    Congress and the courts have also recognized that lesser intrusions on privacy should be permitted under a less exacting threshold. In the computer context, the Electronic Communications Privacy Act ("ECPA") establishes a three-tier system by which the government can obtain stored information from electronic service providers. In general, the government needs a search warrant to obtain the content of unopened communications (like e-mail), a court order to obtain transactional records, and a subpoena to obtain subscriber information. See 18 U.S.C. §2701–11.

    Because of the privacy values it protects, the wiretap statute, 18 U.S.C. §2510–22, commonly known as Title III, places a higher burden on the real-time interception of oral, wire and electronic communications than the Fourth Amendment requires. In the absence of a statutory exception, the government needs a court order to wiretap communications, including a showing that normal investigative techniques for obtaining the information have or are likely to fail and that any interception will be conducted to ensure that the intrusion is minimized.

    The safeguards to privacy represented by the Fourth Amendment and statutory restrictions on government access to information do not prevent effective law enforcement. Instead, they provide boundaries for law enforcement—clarifying what is acceptable evidence gathering and what is not. At the same time, those who care deeply about protecting individual privacy must also acknowledge that law enforcement has a critical role to play in this vital function. When law enforcement successfully investigates, apprehends, and prosecutes a criminal who has stolen a citizen's personal information from a computer system, law enforcement is undeniably working to protect privacy and deter further privacy violations. The same is true when law enforcement apprehends a hacker who compromised the financial records of a bank customer.

    As we move into the 21st century, we must ensure that the needs of privacy and public safety remain in balance and are appropriately reflected in the new and emerging technologies that are changing the face of communications. Although the primary mission of the Department of Justice is law enforcement, Attorney General Reno and the entire Department understand and share the legitimate concerns of all Americans with regard to personal privacy. The Department has been and will remain committed to protecting the privacy rights of individuals. We look forward to working with Congress and other concerned individuals to address these important matters in the months ahead.

LAW ENFORCEMENT CHALLENGES IN CYBERSPACE:

    While the Fourth Amendment is over 200 years old, the Internet, relatively speaking, is still in its infancy. Yet the technological advances of the past five to fifteen years have changed forever the landscape of society, not just in America, but worldwide. The Internet has resulted in new and exciting ways for people to communicate, transfer information, engage in commerce, and expand their educational opportunities. These are but a few of the wonderful benefits of this rapidly changing technology. But as has been the case with every major technological advance in our history, we are seeing individuals and groups use this technology to commit criminal acts. As Deputy Attorney General Eric Holder told the Crime Subcommittee of this Committee in February, our vulnerability to computer crime is astonishingly high and threatens not only our financial well-being and our privacy, but also this nation's critical infrastructure.

    Many of the crimes that we confront everyday in the physical world are beginning to appear in the online world. Crimes like threats, extortion, fraud, identity theft, and child pornography are migrating to the Internet. The Fourth Amendment and laws addressing privacy and public safety serve as a framework for law enforcement to respond to this new forum for criminal activity. If law enforcement fails to properly respect individual privacy in its investigative techniques, the public's confidence in government will be eroded, evidence will be suppressed, and criminals will elude successful prosecution. If law enforcement is too timid in responding to cybercrime, however, we will, in effect, render cyberspace a safe haven for criminals and terrorists to communicate and carry out crime, without fear of authorized government surveillance. If we fail to make the Internet safe, people's confidence in using the Internet and e-commerce will decline, endangering the very benefits brought by the Information Age. Proper balance is the key.

    In this vein, it is important to note the distinction between computer security and responding to computer crime. As the President made clear during the Cyber-security summit he held with Internet leaders in February, enhancing computer security—like designing locks on doors—is primarily, though not entirely, the responsibility of the private sector, not the government. The reason is straightforward—most networks and computer systems are in private hands. With private sector cooperation, a "full-court press" by the Government would end installing only a few locks on the cyber-doors of our Nation.

    When a crime does occur online—when the locks are broken and a person or company is victimized—law enforcement, whether local, state or federal, has an obligation to respond. Enhanced computer security is vital, but ultimately it will take the combined efforts of the private sector, law enforcement, and the online public to make cyberspace secure. Indeed, just yesterday, the Attorney General and numerous representatives from United States Attorneys Offices and law enforcement met with industry leaders in California to discuss issues related to Internet security, particularly matters of mutual concern that arise after an intrusion has occurred.

    I would also note that although my testimony primarily focuses upon the technical and legal challenges faced today, the third challenge—resources—also bears directly on preserving individual privacy. The ability to recruit, train, equip, and retain law enforcement in all aspects of combating cybercrime is essential to our success. The Department of Justice believes that any comprehensive training program must include education on the privacy-related aspects of online investigation.

    In developing a response to crime online, there are a number of factors that must be given careful consideration. There are, as the Deputy Attorney General recently stated, essentially three categories of major challenges facing law enforcement in cyberspace today. These are:

1. Technical challenges that hamper law enforcement's ability to locate and prosecute criminals that operate online;

2. Certain substantive and procedural laws that have not kept pace with the changing technology, creating significant legal challenges to effective investigation and prosecution of crime in cyberspace; and

3. Resource needs that must be addressed to ensure that law enforcement can keep pace with changing technology and has the ability to hire and train people to fight cybercrime.

For purposes of this hearing—the Fourth Amendment and the Internet—my testimony will focus primarily on the first two challenges: the technical barriers to investigation and the need to update existing laws to fully account for emerging technologies.

Technical Challenges:

    Recent history has shown that tracking a criminal online is not always an impossible task. For example, last year federal and state law enforcement combined to successfully apprehend the creator of the Melissa virus and the individual who created a fraudulent Bloomberg News Service website in order to artificially drive up the stock price of PairGain, a telecommunications company based in California. While we are proud of these important successes, we still face significant challenges as online criminals become more and more sophisticated.

    In nearly every online case, tracking the online criminal requires law enforcement to attempt to trace the ''electronic trail'' from the victim back to the perpetrator. In effect, this ''electronic trail'' is the fingerprint of the twenty-first century—only much harder to find and not as permanent as its more traditional predecessor. In the physical world, a criminal and his victim are generally in the same location. But cybercriminals do not have to physically visit the crime scene. Instead they cloak their illegal activity by weaving communications through a series of anonymous remailers, by creating forged e-mail headers with powerful point and click tools readily downloadable from hacker websites, or by using a ''free-trial'' account or two—and then are often able to ''wipe clean'' the logging records that would be evidence of their activity.

    In some cases, the criminal may not even be in the same country as the victim. The global nature of the Internet, while one of the greatest assets of the Internet to law-abiding citizens, allows criminals to conduct their illegal activity from across the globe. In these cases, the need to respond quickly and track the criminal is increasingly complicated and often frustrated by the fact that the activity takes place throughout different countries. With more than 190 countries connected to the Internet, it is easy to understand the coordination challenges that face law enforcement. Furthermore, in these cases, time is of the essence and the victim may not even realize they have been victimized until the criminal has long since signed-off. Clearly, the technical challenges for law enforcement are real and profound.

    This fact was made clear in the findings and conclusions reached in the recently released report of the President's Working Group on Unlawful Conduct on the Internet, entitled, ''The Electronic Frontier: The Challenge of Unlawful Conduct Involving the Use of the Internet.'' This extensive report highlights in detail the significant challenges facing law enforcement in cyberspace. As the report states, the needs and challenges confronting law enforcement, ''are neither trivial nor theoretical.'' The Report outlines a three-pronged approach for responding to unlawful activity on the Internet:

1. Conduct on the Internet should be treated in the same manner as similar conduct offline, in a technology neutral manner.

2. The needs and challenges of law enforcement posed by the Internet—including the need for resources, up-to-date investigative tools and enhanced multi-jurisdictional cooperation—are significant.

3. Finally, continued support for private sector leadership in developing tools and methods to help Internet users to prevent and minimize the risks of unlawful conduct online.

    I would encourage anyone with an interest in this important topic to review carefully the report of the Working Group. The report can be found on the Internet by visiting the website of the Department of Justice's Computer Crime and Intellectual Property Section, located at www.cybercrime.gov. In addition to the report, www.cybercrime.gov also contains other useful information on a wide array of Internet related issues, including the topic of today's hearing—privacy.

    Despite the type of difficulties outlined in the Unlawful Conduct Report and discussed today, the Justice Department and law enforcement across this nation are committed to continuing to work together and with their counterparts in other countries to develop and implement investigative strategies to successfully track, apprehend, and prosecute individuals who conduct criminal activity on the Internet. In so doing, the same privacy standards that apply in the physical world remain effective online.

    Mr. Chairman, the Department of Justice has taken a proactive leadership role in making cyberspace safer for all Americans. The cornerstone of our cybercrime prosecutor program is the Criminal Division's Computer Crime and Intellectual Property Section, known as CCIPS. CCIPS was founded in 1991 as the Computer Crime Unit, and became a Section in 1996. CCIPS has grown from five attorneys in 1996 to twenty today—and we need more to keep pace with the demand for their expertise. The attorneys in CCIPS work closely on computer crime cases with Assistant United States Attorneys known as ''Computer and Telecommunications Coordinators,'' or CTC's, in U.S. Attorney's Offices around the nation. Each CTC receives special training and equipment and serves as the district's expert on computer crime cases. CCIPS and the CTC's work together in prosecuting cases, spearheading training for local, state and federal law enforcement, working with international counterparts to address difficult international challenges, and providing legal and technical instruction to assist in the protection of this nation's critical infrastructures. We are very proud of the work these people do and we will continue to work diligently to help stop criminals from victimizing people online.

Legal Challenges:

    In order to effectively deter and punish computer criminals it takes more than just dedicated investigators and prosecutors. A legal structure that will support detection and prosecution of offenders is essential. However, the laws defining computer offenses and the legal tools needed to investigate criminals using the Internet have lagged behind the technological and social changes of recent years and the effect on law enforcement has been significant.

    For example, the Computer Fraud and Abuse Act, 18 U.S.C. §1030, one of the primary statutes used to prosecute computer criminals, arguably does not reach a computer hacker who causes a significant amount of damage to a network of computers if no one computer sustains over $5,000 in damage. The Department of Justice has encountered several instances in which an intruder has gained unauthorized access to both private and publicly owned protected computers used in critical infrastructure systems, such as those used by hospitals to store private and sensitive information, or those used by the military to defend this nation. However, in many of these instances, proof of damage in excess of $5,000 to any one computer has been difficult to attain. This loophole needs to be closed.

    Another emerging concern is the growing problem of online threats or harassment—serious harassment that amounts to cyberstalking. Current law does not clearly address situations where a cyberstalker uses unwitting third parties to bombard a victim with messages, or transmit private personal data about that person, such as the route the victim's children take to school, in order to place the victim or their family in fear of injury.

    One particularly harrowing example involves a California woman who was awakened repeatedly during the night to find men knocking on her door ''offering'' to rape her. The woman later discovered that a man whose romantic overtures she had rejected had posted personal advertisements on the Internet pretending to be her. The advertisements contained her home address and telephone number and claimed that she fantasized about being raped. This is criminal activity occurring online. Law enforcement has a responsibility to respond, and the American people have the right to expect that in responding, law enforcement will have the tools necessary to bring this criminal to justice. The fact that this criminal used the Internet rather than the telephone should not enable him to elude prosecution.

    In addition to modest adjustments to the substantive laws, the tools used by investigators to track online criminals—generally written in language reflecting the pre-Internet telephone technology—need to be updated. For instance, the trap and trace and pen register statutes, 18 U.S.C. §3121–27, used to identify the destination and origin of telephone calls and computer communications, need to be recalibrated. Under current law, law enforcement may have to obtain court orders in multiple jurisdictions to trace a single communication. Obtaining court orders in multiple jurisdictions does not advance any legitimate or reasonable privacy safeguard and serves as a substantial impediment to an investigation that must move quickly to have any chance at success. As both the Attorney General and the Deputy Attorney General have told Congress recently, the ability to provide nationwide effect for trap and trace orders would help computer crime investigations without impacting personal privacy.

Privacy in cyberspace:

    Mr. Chairman, Members of the Subcommittee, I offer these few examples of the challenges posed by the migration to online crime for two reasons. First, it is important to understand the difficulty that law enforcement faces in cyberspace. Second, we must recognize that crime in cyberspace is real and occurring every day. Law enforcement has an obligation to respond.

    In that regard, I note that public education is an important component of the Attorney General's strategy on combating computer crime. As she often notes, the same children who recognize that it is wrong to steal a neighbor's mail or shoplift do not seem to understand that it is equally wrong to steal a neighbor's e-mail or copy a proprietary software or music file without paying for it. To remedy this problem, the Department of Justice, together with the Information Technology Association of America (ITAA), has embarked upon a national campaign to educate and raise awareness of computer responsibility and to provide resources to empower concerned citizens. The ''Cybercitizen Awareness Program'' seeks to engage children, young adults, and others on the basics of critical information protection and security and on the limits of acceptable online behavior. The objectives of the program are to give children an understanding of cyberspace benefits and responsibilities, an awareness of consequences resulting from the misuse of the medium and an understanding of the personal dangers that exist on the Internet and techniques to avoid being harmed.

Conclusion:

    Mr. Chairman, I want to thank you again for this opportunity to testify today. This issue is an important one. Ultimately, the decision as to the appropriate parameters of law enforcement activity lies squarely within the Constitution and the elected representatives of the people, the Congress. The need to protect the privacy of the American people—not just from the government but also from criminals—is a paramount consideration, not just in the context of the Internet, but in general. The Department of Justice stands ready to work with this Subcommittee and others to achieve the proper balance between the important need for protecting privacy and the need to respond to the growing threat of crime in cyberspace.

    Mr. Chairman, that concludes my prepared statement. I would be pleased to attempt to answer any questions that you may have at this time.

    Mr. CANADY. Thank you, Mr. Di Gregory. I apologize if you are not finished. We are going to have to recess. A series of votes will be taking place on the floor of the House. So the subcommittee will stand in recess now, and we will return immediately after the series of votes to continue with the hearing.

    [Recess.]

    Mr. CANADY. The subcommittee will be in order. Mr. Di Gregory, were you finished with your presentation?

    Mr. DI GREGORY. There is only one other point that I wanted to make, Mr. Chairman, with your permission——

    Mr. CANADY. Please proceed.

    Mr. DI GREGORY [continuing]. Aside from thanking you again first for your accommodation and then allowing me to testify today.

    Mr. CANADY. I am afraid our accommodation hasn't been much.

    Mr. DI GREGORY. We'll be fine.

    Just to stress it again, we believe this issue is an important one, but ultimately the decision with respect to the appropriate parameters within which law enforcement activity will take place lies squarely within the Constitution and within your province as the elected representatives of the people. We will enforce the laws of the land in accordance with the Constitution and in accordance with your intent.

    Mr. CANADY. Thank you, Mr. Di Gregory.

    Mr. Watt, do you have any questions?

    Mr. WATT. I don't think I will ask any questions.

    I just wanted to take the opportunity to apologize to the chairman and to the members of the first panel and, I presume, at least half of the second panel for missing their testimony. I had a meeting that started at 1:30 that I anticipated would be over by 2:30, and it just went longer than I expected it to.

    My apologies. Be assured that I will read your testimony and ponder it. I appreciate your being here.

    Mr. DI GREGORY. Thank you.

    Mr. CANADY. Mr. Barr, would you like to ask some questions or would you prefer for me to go first?

    Mr. BARR. Why don't you go first, Mr. Chairman.

    Mr. CANADY. Why don't I do that.

    Mr. Di Gregory, I do want to thank you for taking the time to be here. Let me go through some issues to get your views and the department's views on the application of the current law. In your view, is a website an electronic communications service as defined in the Electronic Communications Privacy Act?

    Mr. DI GREGORY. It is very——

    Mr. CANADY. If you want Mr. Green to join in, that is fine.

    Mr. DI GREGORY. I would reintroduce David again. David Green is the Deputy Chief of the Computer Crime Intellectual Property Section. I thank you again for giving me the opportunity to bring my lifeline along with me today, as opposed to having to make a phone call in order to make sure that my answer is a final one. And David is far more steeped in the Electronic Communications Privacy Act than I am, and I would defer to his expertise on that particular statute.

    Mr. GREEN. A Website certainly could be an electronic communication service provider as that term is defined under the Electronic Communications Privacy Act if it allows for electronic communications. For example, the Yahoo site where you can get an e-mail address through Yahoo, would serve as an electronic communications service that is open to the public.

    The answer is, in some circumstances, yes, a Website could be.

    Mr. CANADY. Let me further ask you, is a Website a remote computing service as defined in that same law?

    Mr. GREEN. A Website could also be a remote computing service if it stores information. For example, when you open up your America Online and find out you got mail, it is acting as an electronic communication service in providing you with that information. If you decide not to delete that e-mail, but allow it to be stored on America Online after you have opened it, it is then acting as a remote computing service and storing that information, and in those cases it is treated as a remote computing service.

    So a lot of the ISPs can be, at the same time, an electronic communication service provider and a remote computing service equally.

    Mr. CANADY. Let me ask you this. If a Website sells goods through credit card transactions, are those credit card transactions communications that are accessible through a subpoena rather than through a search warrant?

    Mr. GREEN. If a Website had credit card information——

    Mr. CANADY. Amazon.com, I order books from—I order books from others, but one example. Amazon.com I order books. I send in my credit card information. Is that information accessible through a subpoena rather than through a warrant?

    Mr. GREEN. That information, I believe, would be accessible through a subpoena, just like the information from Hecht's. We could get a subpoena to get your credit card information for spending at Hecht's because that information is in the hands of a third party—credit information.

    Mr. CANADY. Let me ask you one further question. Are click stream data communications accessible through a subpoena rather than a warrant? Is the answer to that question the same as the previous question?

    Mr. GREEN. Just to make sure that I understand your question, what kind of information are you talking about?

    Mr. CANADY. Well, I think click stream data means anything that you send out by clicking the computer. I profess no great expertise on that. My limited understanding, I think that is what is meant by click stream data.

    Mr. GREEN. In most—there are sort of three tiers.

    Mr. CANADY. Perhaps I should turn to my lifeline to see if I am right or wrong on that.

    Mr. GREEN. As Mr. Di Gregory pointed out, there are three levels at which we can get information. To get content we need a search warrant essentially. The subpoena will give us basic subscriber information. This is when we are talking about electronic communications service. And to get other kinds of information, transactional information, information—sort of what you are referring to, the click stream kind of information—we would need what is called an articulable facts order under 18 United States Code 2703(d), where we would have to show that the information was relevant and material to an ongoing criminal investigation.

    Mr. CANADY. You would get a court order?

    Mr. GREEN. We would need to get a court order.

    Mr. CANADY. My time has expired, so I will now turn to Mr. Barr.

    Mr. BARR. I think it was Mr. Green, in response to the chairman's question: Exactly what was the comparison you were making between a Hecht's charge account—is that what you were talking about—and use of the Internet?

    Mr. GREEN. As I understood the question, it was, if we wanted to get credit card information from Amazon, could we get it with a subpoena; and the answer is, yes, we could get it with a subpoena to find out who has been using a credit card or what purchases have been made.

    Mr. BARR. That was just in response to a question about a credit card purchase over the Internet?

    Mr. GREEN. That is correct.

    Mr. BARR. How about a noncredit-card purchase communication over the Internet, just an Internet communication that goes through a server or some storehouse, while it is parked there? Before the person on the receiving end picks it up, is that a communication with an expectation of privacy, in your view?

    Mr. GREEN. Yes, that would be a communication that is protected under 2703(a) and we would essentially need a search warrant to get at the content of that conversation. That is while it is unopened, while it is sitting at America Online waiting for your computer to open it up and for you to download it. At that point, it is protected and we need a search warrant to get that.

    Mr. BARR. It is protected at all points? Is there any point at which it would not be, in your view?

    Mr. GREEN. After it is opened and you choose to store it on America Online, then it would be protected as a remote computing service and we would be able to get it through a court order. We would be able to get it through a search warrant or through a subpoena with notice.

    Mr. BARR. Does a person choose to have it stored somewhere? You have to have some sort of service, like America Online, I suppose, or Yahoo or something. Two people can't just sit down at computers and decide between themselves we are going to send stuff back and forth; that is unrealistic.

    It is my understanding that once you send that e-mail through your service, it is stored somewhere. We all know of examples where people have been able to retrieve them, except for the White House; they don't seem to be able to do it. But somewhere at all points along the line, it is going to be stored somewhere.

    You are saying, simply the act of the receiving person taking it off and reading it, that then it becomes fair game and you don't need a search warrant? You can simply do it by way of a subpoena, for example?

    Mr. GREEN. Once the person downloads the information, they can—they generally have a choice. They can delete it from the America Online system, for example.

    Mr. BARR. Can you?

    Mr. GREEN. Yes, you would be able to do that.

    Mr. BARR. For example, you are sitting at your computer and you take an e-mail off and you hit the delete button. It hasn't deleted it for all time from all places. It is still there somewhere. Does that mean it is fair game at that point simply because you have taken it off of your storehouse or your—whatever you call it on your personal computer?

    Mr. GREEN. If you saved it, you can save it on your personal computer. If you have deleted it and chosen not to use America Online to keep storing that e-mail, then in order to get it, you would have to go to the person's personal computer and use a search warrant. However, while it is being stored on America Online under the terms of ECPA, it is a remote computing service, and therefore, we have different methods of obtaining opened e-mails, which are, again, through a court order, through a search warrant, or through a subpoena with notice, which notice can be delayed.

    Mr. BARR. So you view it—and I apologize, I forget the court case—the court case where—that is a seminal case where the phone conversations were on the cassette tape in the car. Do you remember which case that was?

    Mr. Nojeim, do you remember what case? Was it Katz?

    Mr. GREEN. I know the interception case out of the fifth circuit.

    Mr. BARR. What concerns me, that is taking a very, very narrow view of the degree to which there is an expectation of privacy, and I am not sure that comports with the intent of the underlying legislation, which was passed, as you know, long before the Internet came into the usage that it enjoys today. So I would have some concerns about that.

    In your testimony, Mr. Di Gregory——

    Mr. CANADY. The gentleman's time has expired. Without objection, the gentleman will have 5 additional minutes.

    Mr. BARR. Thank you, Mr. Chairman.

    You use the term on page 4 in a ''technology-neutral manner;'' what does that mean? Your entire quote there was, ''The report outlines a three-pronged approach for responding to unlawful activity on the Internet: One, conduct on the Internet should be treated in the same manner as similar conduct offline, in a technologically neutral manner.''

    What do you mean by that?

    Mr. DI GREGORY. It means that the conduct—that the focus of any criminal prohibitions, for example, should be on conduct and not on the manner in which the particular act that you are trying to prohibit is perpetrated.

    As an example, we have been before—I have been before a Subcommittee on Crime with respect to the issue of Internet gambling. One of the things that we have been touting with respect to that issue is that the prohibitions with respect to gambling, should Congress decide that there should be such prohibitions, should be the same on the Internet as they are on the telephone.

    Mr. BARR. But a conversation is treated very differently in terms of the burden on the Government to intercept it, depending on how it is transmitted.

    Mr. DI GREGORY. That is correct. I was just trying to give you an example of this technology-neutral approach that we wish to take.

    Mr. BARR. Shouldn't conduct on the Internet, which is communication—that is the only thing you do on the Internet is you communicate on the Internet—shouldn't communication on the Internet be treated the same as other communications for purposes of the burden on the Government? In other words, if there is a legitimate expectation of privacy, should not those communications be treated the same as communications over a phone line?

    Mr. DI GREGORY. In terms of the burden on the Government, I know that one of the issues that has been discussed at the department, one of the issues that Mr. Holder discussed in previous testimony, I believe it was before a joint committee—Joint Oversight Committee, was the issue of harmonization of wire, oral and electronic communications and that harmonization, in terms of what the burden must be on the Government in terms of intercepting those conversations, might be something that we should consider. And I would reiterate that that is something that we should consider, but we should consider it in the overall context of any legislation that—any legislation, we should consider it in the overall context of trying to balance public safety with individual privacy concerns.

    Mr. BARR. So this is still a work in progress in terms of how the Department deals with Internet communications?

    Mr. DI GREGORY. Well, we deal with Internet communications based on the tools——

    Mr. BARR. You would be open perhaps to looking at some legislation that might provide guidance and yet provide a little more balance?

    Mr. DI GREGORY. As Mr. Holder said, we would be open to looking at such legislation as part of an overall package which would look in a big-picture way at balancing most effectively the concerns for public safety with the concerns for individual privacy.

    So you can't—all I am saying, Mr. Barr, is, you can't just look at harmonizing alone and not look at other issues that touch upon public safety and touch upon individual privacy.

    Mr. BARR. I am not looking at harmonization; that is not exactly the term I would use. I am just saying that for purposes of the fourth amendment and court decisions going back to Katz and many, many other cases, that communications on the Internet ought to be treated the same as other electronic communications, such as the telephone, in my view.

    That is not harmonization per se. That is more of a procedural thing about how the Government treats it.

    Thank you.

    Thank you, Mr. Chairman.

    Mr. CANADY. Thank you, Mr. Barr.

    Mr. Hutchinson.

    Mr. HUTCHINSON. I yield my question time and wait for the next panel. Thank you, Mr. Chairman.

    Mr. BARR. Could the gentleman yield then for one final question?

    Mr. CANADY. Sure. Yield to Mr. Barr.

    Mr. BARR. I mentioned earlier during my opening statement two news articles that I have seen recently, one regarding the FCC and the other in today's ''Washington Post'' with, I think, the very unfortunate misnomer ''digital storm.'' You might suggest that they change the name of that or maybe not. Maybe it is good to draw attention to it.

    The FCC seems to be taking the position that the Internet is a newspaper and that it is entirely appropriate for the Government, in this case the FCC, to look at the Internet and the communications going back and forth as a newspaper.

    In their view, then, anybody has a right to read the newspaper. Therefore, they can take out, in much the same way we might underline in a newspaper and take key words out.

    Do you adopt a similar view that the Internet is similar to a newspaper and therefore the Government can take from it whatever it wants, manipulate it, store it and so forth without limitation?

    Mr. DI GREGORY. I can't offer you any comment on the specific FCC activity. They are an independent agency. They have a different character and a different scope of responsibility.

    Mr. BARR. But they are subject to the fourth amendment?

    Mr. DI GREGORY. No question about that, they are.

    We have not received any briefing from them on this subject. As you described their program, the FCC is only reviewing messages that are publicly available and messages that are readily accessible to the general public. And those messages that are generally accessible—that are readily accessible to the general public are ones that are specifically exempted from the wiretap statute.

    I can tell you, though, that Federal law enforcement agencies, including the FBI, are not adopting new rules and policies to govern agents' conduct on the Internet. Rather, we are advising agents that the same policies and procedures that govern their activity in the physical world apply to any analogous activities in which they engage on the Internet.

    Mr. BARR. Does that mean they are being instructed to treat communications over the Internet the same as they treat communications over telephone lines?

    Mr. DI GREGORY. They are being instructed to treat communications over the Internet consistent with the statutory frameworks provided by Congress in title III and in 18 United States Code 2703.

    Mr. BARR. Which means there is still a lot of gray area in there?

    Mr. DI GREGORY. I don't know that I would call it ''gray area,'' but there are differences, as David explained, with respect to certain kinds of communications and their treatment under 2703 as opposed to title III.

    Mr. BARR. Thank you.

    Thank you, Mr. Chairman.

    Mr. CANADY. I would like to ask just one final question of Mr. Di Gregory and Mr. Green.

    Does the Pen Register Act apply to e-mail or other Web-based communications? Let me go on from that. If so, what are the things to be recorded that identify the numbers dialed—that is, language from the Pen Register Act—or identify the originating number of the device from which communication is transmitted?

    Mr. GREEN. We do view e-mail as subject to a pen register and trap and trace. In fact, we use it all the time in investigation of hacking cases, child porn cases, Internet fraud cases. Just as on a telephone, the numbers dialed are the pen register and the numbers coming in are the trap and trace.

    On e-mail, the pen register would get the e-mails going out. I am sending an e-mail from David.green to Kevin.DiGregory, so that would measure the e-mail and the destination of the e-mail. The trap and trace measures from the destination to the origination.

    For example, if a computer is hacked into and attacked, we use the trap and trace order to try and find, where did that communication, that sending of program, that sending of code originate from. The courts have upheld the use of those statutes in the analogous circumstance of e-mail as in the phone circumstance. It would certainly look, though, as Mr. Di Gregory mentioned, in terms of looking at what needs to be updated and in the many years that have passed since ECPA, to clarify that the same tools should be available to trap and trace and use pen registers in the on-line environment as there are in the physical world.

    Mr. CANADY. That last comment, I am not sure.

    Do you think the Pen Register Act is sufficient to deal with the current technology or not?

    Mr. GREEN. There would be two parts. One, the—certainly the language of the Pen Register——

    Mr. CANADY. Identify the number dialed?

    Mr. GREEN. Right.

    Mr. CANADY. You are extrapolating from that to the e-mail address?

    Mr. GREEN. And that has raised litigation concerns and certainly if the law is amended, we would want that to be clarified.

    The other kind of area we are looking at is trying to update, for example, the trap and trace laws for nationwide service of process. We find a lot of times the communication is—a hacker will weave from site to site in order to get to the final location or even when he doesn't, it is carried by a lot of different carriers, Bell Atlantic, MCI, ISPs. So now, when we are trying to trap and trace an e-mail communication, like in these recent denial of service attacks or in other kinds of ongoing attacks, we would have to trace it from the victim's site back to where that came from, which might be an ISP. We would then serve that order on an ISP and they would say, gee, it is coming in from MCI. We would then have to go to a court in the jurisdiction in which MCI is located and get an order from there and hand it to MCI and say, gee, it is coming from some other place. And in this slow hippity-hop, generally we can't trace it back to its source.

    So one of the things we are looking at in this sort of recalibration would be a nationwide trap and trace that would allow us, with one order, to trace the communication back to its source in the on-line world, just as we can do so in the telephone world.

    Mr. CANADY. Thank you very much.

    Mr. Di Gregory, we appreciate your being here along with Mr. Green. Your answers have been helpful to us. We appreciate your testimony. Mr. Barr, I think may have another question.

    Mr. BARR. Not another question, Mr. Chairman. I would just like to state for the record the case that I was thinking of earlier wasn't the Katz case, K–A–T–Z. It is the Turk case from 1976 where the court—the fifth circuit—took a very narrow view of what an intercept is. That is the case where they had the cassette recording that was found in the car. The question was whether or not listening in on that was an intercept, and they took a very narrow view of it. I would just like that on the record, U.S. v. Turk, which is found at 526 F. 2nd 654 (5th Cir. 1976).

    Mr. GREEN. When we intercept e-mails live, real time, which is the definition of intercept in that statute, we obviously obtain a court order in order to be able to do that.

    Mr. BARR. Right. The question is, with the Internet where you necessarily have to park it somewhere, there is no other way of communicating on the Internet. Is it analogous to that? I don't think it is to the Turk case.

    Thank you.

    Mr. CANADY. Thank you very much.

    Mr. DI GREGORY. Thank you again.

    Mr. CANADY. In the interest of completing the hearing before darkness comes upon us all, I am going to ask that the second and third panels, which we had planned be combined—and staff is just now hearing this from me for the first time; the staff will have to move forward——

    Mr. WATT. I apologized to all those first people on the first panel thinking they had already testified and they hadn't?

    Mr. CANADY. We have had a musical chairs of panels here today. We have been moving everybody around.

    Mr. WATT. I will just withdraw my apology.

    Mr. CANADY. I think this will help ensure that there are more people sitting here to hear the testimony of all the witnesses than what might otherwise be the case, due to our schedules and the fact the last vote of the day has been cast and there are no votes tomorrow.

    I want to thank all of you for your patience with us and your participation today.

    On this panel, as we are getting the names displayed, our first witness will be James Dempsey. Mr. Dempsey is senior staff counsel for the Center for Democracy and Technology. He works on fourth amendment electronic surveillance issues. Prior to joining the Center, Mr. Dempsey was assistant counsel to the House Judiciary Subcommittee on Civil and Constitutional Rights from 1985 to 1994. That was the predecessor subcommittee to this subcommittee on the Constitution. His primary areas of responsibility for the subcommittee were oversight of the FBI, privacy and civil liberties.

    Next we will hear from Gregory Nojeim. Mr. Nojeim is legislative counsel for the American Civil Liberties Union where he specializes in Internet privacy issues.

    Our next witness will be Jeffrey Rosen. Mr. Rosen is an associate professor of the George Washington University Law School where he teaches constitutional law, criminal procedure, and law of privacy. He is also the legal affairs editor of the New Republic and the author of The Unwanted Gaze: The Destruction of Privacy in America, which will be published by Random House in May.

    Next on this panel we will hear from Frederick Juergens Baker. Mr. Baker has chaired the Internet Engineering Task Force since 1996. That task force is a private body of network designers, operators, vendors, and researchers concerned with the evolution of the Internet's architecture and its smooth operation.

    We will then hear from Stewart Baker. Mr. Baker is a partner at Steptoe & Johnson. His practice includes issues related to digital commerce, privacy, electronic surveillance and national security. Mr. Baker represents major telecommunications equipment manufacturers and carriers in connection with the Communication Assistance for Law Enforcement Act, affectionately known as CALEA, and law enforcement intercept requirements. Mr. Baker was general counsel of the National Security Agency from 1992 to 1994.

    Our next witness will be Clifford Fishman. Mr. Fishman is professor of law at the Columbus School of Law at the Catholic University of America. Professor Fishman is a leading expert on electronic surveillance and search and seizure. He is the coauthor of Wiretapping and Eavesdropping and numerous scholarly articles about various aspects of search and seizure, electronic surveillance and evidence.

    Next we will hear from Robert Corn-Revere. Mr. Corn-Revere is a partner in the Washington, DC, office of Hogan & Hartson, specializing in first amendment Internet and communications law. Before joining Hogan & Hartson in 1994, Mr. Corn-Revere served as chief counsel to Interim Chairman James H. Quello of the Federal Communications Commission.

    Our next witness will be Jeff B. Richards, who is executive director of the Internet Alliance, a leading organization of Internet policy professionals representing the Internet on-line industry at the State, Federal and international levels. Current members of the Internet Alliance include America Online, AT&T, Bell Atlantic, Citibank, eBay, Hewlett Packard, IBM, Microsoft, Netscape and Prodigy.

    Next and I think last, we will hear from Nicole Wong. Ms. Wong is an associate at Perkins Coie in San Francisco. Ms. Wong specializes in media and Internet law. In addition to her practice, Ms. Wong teaches media law at the University of San Francisco. She is a member of the board of editors for the E-commerce Law Report and a contributor to Cyberspace Lawyer magazine. Ms. Wong in working with clients such as Yahoo and Go2Net frequently addresses issues relating to information requests by Government.

    Again, I want to thank all of you for being with us here today. I will ask that you do your very best to confine your remarks to no more than 5 minutes, and the 5 minutes will be indicated when the light is red. Yellow means start summing up. Your full written statements will be made a part of the record of the hearing.

    So we will now begin with Mr. Dempsey.

STATEMENT OF JAMES X. DEMPSEY, SENIOR STAFF COUNSEL, THE CENTER FOR DEMOCRACY AND TECHNOLOGY

    Mr. DEMPSEY. Mr. Chairman, Mr. Watt, members of the subcommittee, thank you for holding this hearing today. Thank you also for remaining here through what has been a crazy day like most of the days that you have.

    To move things along, I won't refer much at all to my written statement, which is made part of the record. I also have an additional memo, specifically focusing on the pen register and trap and trace statute, which has already been the subject of some conversation. I would like to ask that that memo be added to my testimony and made part of the record as well.

    Mr. CANADY. Without objection, it will be.

    Mr. DEMPSEY. Mr. Chairman, you and Congressman Barr, in your questions, were sorting through some of the very complicated questions that exist here, and it is striking that we have such complexity.

    In 1967, the Supreme Court said that the fourth amendment protects people, not places, and that the constitutional privacy right should not be dependent on the nature of the technology. In 1986, Congress enacted the Electronic Communications Privacy Act and tried to establish the principle that our privacy rights should not depend upon the kind of technology that is used.

    And yet the Justice Department sat here and explained to you, in response to your questions, that an e-mail while it is in transit over the telephone wire is covered by one standard under title III, requiring a probable cause order and some, although not all, of the additional protections of title III. While it is in storage at the ISP, waiting for you to open it, that same e-mail is subject to a different standard, a probable cause standard, but without any of the additional protections of title III, including, for example, no statutory suppression rule for improper Government access.

    After you open the e-mail and read it, but leave it on the server of your ISP, or the server in your office, it is protected by yet a third standard. And if you print it out and put it into a file, it is protected by a fourth standard, and that standard is the true standard of the fourth amendment under which, if the Government wants to come and get papers from your office or from your home, they need to get a court order based upon probable cause and give you contemporaneous notice: They serve that order at the time they are seizing that or they give you a subpoena, but they give you the opportunity to oppose that subpoena.

    Four different standards, same piece of information. And I think it is important to scratch the surface a little bit on some of these standards, and we see how outdated they are and how limited they are.

    Take the Pen Register statute. The Justice Department has several proposals in which they would like to expand the reach of that. On the one hand, they claim the statute already covers e-mail addresses, but meanwhile they want legislation to make that clear. They want nationwide service of process on pen registers. But what is the underlying standard?

    The underlying standard of the Pen Register statute says that if a prosecutor, State or Federal, signs a piece of paper saying, ''I want this information,'' the judge shall approve the order. The judge can't ask, ''Explain to me what is this all about, where is this case going, what does this amount to.'' No judge has any discretion to turn down any pen register request, and yet this transactional information, which is supposedly so narrow in scope, now can provide a full profile of a person's life, their associations, where they are calling. That is in the telephone world.

    When you translate that over to the e-mail and Internet world, not only can that transactional information show where you are calling, it can show the specific person that you are communicating with. In the 1970's, when the Supreme Court issued its pen register decision, it said you can't tell from a pen register the identities of the parties. Obviously, with e-mail you can. So that information in the electronic Internet environment has become more revealing, and yet the Government says, we want to be able to get that upon just the request of a prosecutor saying that it is relevant to a case, which no judge can deny.

    In sum, I want to respond to one point that the Government always stresses. They are always claiming how difficult the digital revolution and the Internet makes it to carry out investigations. In some respects, there are challenges posed by the new technology. But if you look at the sweep of this technology, you have to conclude that there is far more information available to the Government than ever before, in many cases under minimal legal standards. The FBI Director testified a month ago in the Senate that in one case alone, the Justice Department seized in one case computer evidence that, if printed out, would be enough to fill the Library of Congress nearly twice over. That is the kind of information that is available to the Government in storage, on-line, in transmission—huge volumes of information. In that context, it is incumbent upon us to raise the legal standards for access to that information.

    Thank you.

    Mr. CANADY. Thank you, Mr. Dempsey.

    [The prepared statement of Mr. Dempsey follows:]

PREPARED STATEMENT OF JAMES X. DEMPSEY, SENIOR STAFF COUNSEL, THE CENTER FOR DEMOCRACY AND TECHNOLOGY

    Mr. Chairman and Subcommittee Members, thank you for calling this hearing and affording CDT the opportunity to testify about Fourth Amendment protections in cyberspace. Our nation is at a point where revolutionary changes in communications and computer technology have outpaced the privacy protections in our laws. Far more information than ever before is available to the government under minimal or inadequate legal standards. It is time for Congress to strengthen the privacy laws to restore a balance between government surveillance and personal privacy, to build user trust and confidence in these economically vital new media, and to afford both law enforcement agencies and online service providers the clear guidance they deserve.

    The Center for Democracy and Technology is a non-profit, public interest organization dedicated to promoting civil liberties and democratic values on the Internet. Our core goals include ensuring that the Constitution's protections extend to the Internet and other digital information technologies. CDT also coordinates the Digital Privacy and Security Working Group (DPSWG), a forum for more than 50 computer, communications, and public interest organizations, companies and associations working on information privacy and security issues.

    The Internet is a wonderfully transformative medium. Consequently, it has become a necessity in most workplaces and a fixture in most schools and libraries. According to a December 1999 Harris poll, 56% of American adults are online, 6 times higher than 4 years ago. But as more and more of our lives are conducted online and more and more personal information is transmitted and stored electronically, the result has been a massive increase in the amount of sensitive data available to government investigators.

    While the Justice Department frequently emphasizes the ways in which digital technologies pose new challenges to law enforcement, the fact is that, on balance, the digital revolution has been a boon to government surveillance and collection of information. The FBI estimates that over the next decade, given planned improvements in the digital collection and analysis of communications, the number of wiretaps will increase 300 per cent. Computer files are a rich source of evidence: in a single case last year, the FBI seized enough computer evidence to nearly fill the Library of Congress twice. As most people sense with growing unease, everywhere we go on the Internet we leave digital fingerprints, which can be tracked by marketers and government agencies alike. The FBI in its budget request for FY 2001 seeks additional funds to ''data mine'' these public and private sources of digital information for their intelligence value. Yet the computer and communications privacy laws were last updated in 1986.

    Recently, following a series of hacker attacks on e-commerce web sites, the Justice Department has proposed changes to the electronic surveillance laws to enhance law enforcement authorities. (In fact, the changes are not directly responsive to the recent attacks, but have been on the Justice Department's agenda for some time.) But surely, before enacting any enhancements to government power, we should ensure that current laws adequately protect privacy. As I will explain, the standards for government access to information are not high enough to protect the privacy of ordinary citizens. We must tighten the standards for government surveillance and access to information. CDT is prepared to work with the Congress and the Justice Department to flesh out the needed privacy enhancements, and to convene DPSWG as a forum for building consensus.

BACKGROUND: FOURTH AMENDMENT PRIVACY PRINCIPLES

    To understand how far current privacy protections diverge from the principles of the Constitution, we should start with the protections accorded by the Fourth Amendment. If the government wants access to your papers or effects in your home or office, it has to meet a high standard:

 The government must obtain a warrant from a judge based on a showing of probable cause to believe that a crime has been, is being or is about to be committed and that the search will uncover evidence of the crime. The warrant must ''particularly'' describe the place to be searched and the things to be seized.

 The government must provide you with contemporaneous notice of the search and an inventory of items taken. Richards v. Wisconsin, 520 U.S. 385 (1997); Wilson v. Arkansas, 514 U.S. 927 (1995). The notice and inventory requirements provide protections that are crucial notwithstanding the existence of a judicial warrant. In the case where police have come to the wrong address, you can try to point that out to them and they may withdraw. If you are the subject of a lawful search, you can observe the police to ensure that they confine their search to the scope of the warrant. In the case of a prolonged search, you can even rush to the courthouse and ask a judge to stop or narrow the search. And the inventory allows you to seek return of your property and tells you what information is in the hands of the government, so that you can respond and defend yourself against the government's suspicions or allegations.

These rules apply in the computer age, so long as you keep information stored on your hard drive or disks in your home or office.

    The Supreme Court held in 1967 that wiretapping is a search and seizure and that telephone conversations are entitled to protection under the Fourth Amendment. Katz v. United States, 389 U.S. 347 (1967), Berger v. New York, 388 U.S. 41 (1967). Congress responded by adopting Title III of the Omnibus Crime Control and Safe Streets Act of 1968, requiring a court order based on a finding of probable cause to intercept wire or oral (i.e., face-to-face) communications. 18 U.S.C. §2510 et seq. However, Congress did not require the contemporaneous notice normally accorded at the time of a search and seizure. This was a fateful decision, but, the government argued, to give contemporaneous notice would defeat the effectiveness of the surveillance technique. In part to make up for the absence of notice, and recognizing the other uniquely intrusive aspects of wiretapping, Congress added to Title III requirements that go beyond the protections of the Fourth Amendment. These additional protections included: permitting the use of wiretaps only for investigations of a short list of very serious crimes; requiring high level Justice Department approval before court authorization can be sought; requiring law enforcement agencies to exhaust other, less intrusive techniques before turning to eavesdropping; directing them to minimize the interception of innocent conversations; providing for periodic judicial oversight of the progress of a wiretap; establishing a statutory suppression rule; and requiring detailed annual reports to be published on the number and nature of wiretaps.

    Over time, though, many of these additional protections have been substantially watered down. The list of crimes has been expanded, from the initial 26 to nearly 100 today and more are added every Congress. Minimization is rarely enforced by the courts. The exhaustion requirement has been weakened. Evidence is rarely excluded for violations of the statute. Almost every year, the number of wiretaps goes up—12% in 1998 alone. Judicial denials are rare—only 3 in the last 10 years. The average duration of wiretaps has doubled since 1988. So even in the world of plain old telephone service we have seen an erosion of privacy protections. The fragility of these standards is even more disconcerting when paired with the FBI's ''Digital Storm'' plans for digital collection, voice recognition and key word searching, which will reduce if not eliminate the practical constraints that have up to now limited the volume of information that the government can intercept.

    After it ruled that there was an expectation of privacy in communications, the Supreme Court took a step that had serious adverse consequences for privacy: It held that personal information given to a third party loses its Fourth Amendment protection. This rule was stated first in a case involving bank records, United States v. Miller, 425 U.S. 435 (1976), but it is wide-ranging and now serves as the basis for government access to all of the records that together constitute a profile of our lives, both online and offline: credit, medical, purchasing, travel, car rental, etc. In the absence of a specific statute, these records are available to law enforcement for the asking and can be compelled with a mere subpoena issued without meaningful judicial control. The implications of this ''third party record'' rule are seen most recently in the Administration's proposed Cyberspace Electronic Security Act (CESA), which would allow the government to obtain encryption ''keys'' or other decryption information from third parties under a court order procedure that would provide neither the probable cause nor the notice protections of the Fourth Amendment.

    In 1979, a third piece of the privacy scheme was put in place when the Supreme Court held that there is no constitutionally-protected privacy interest in the numbers one dials to initiate a telephone call, data collected under a device known as a pen register. Smith v. Maryland, 442 U.S. 735, 742 (1979). While the Court was careful to limit the scope of its decision, and emphasized subsequently that pen registers collect only a very narrow range of information, the view has grown up that transactional data concerning communications is not constitutionally protected. Yet, in an increasingly connected world, a recording of every telephone number dialed and the source of every call received can provide a very complete picture—a profile—of a person's associations, habits, contacts, interests and activities. (Extending this to email and other electronic communications can, as I explain below, be even more revealing.)

    In 1986, as cellular telephone service became available and email and other computer-to-computer communications were developing, Congress recognized that the privacy law was woefully out of date. Title III anachronistically protected only wire and voice communications: it did not clearly cover wireless phone conversations or email. In response, Congress adopted the Electronic Communications Privacy Act of 1986 (ECPA). ECPA did several things: it made it clear that wireless voice communications were covered to the same degree as wireline voice communications. It extended some but not all of Title III's privacy protections to electronic communications intercepted in real-time.

    ECPA also set standards for access to stored email and other electronic communications and transactional records (subscriber identifying information, logs, toll records). 18 USC §2701 et seq. And it adopted the pen register and trap and trace statute, 18 USC §3121 et seq., governing real-time interception of ''the numbers dialed or otherwise transmitted on a telephone line.'' (A pen register collects the ''electronic or other impulses'' that identify ''the numbers dialed'' for outgoing calls and a trap and trace device collects ''the originating number'' for incoming calls.) To obtain such an order, the government need merely certify that ''the information likely to be obtained is relevant to an ongoing criminal investigation.'' 18 USC §3122-23. (There is no constitutional or statutory threshold for opening a criminal investigation.) The law states that the judge ''shall'' approve any request signed by a prosecutor.

    ECPA did not, however, extend full Title III protections to email sitting on the server of an ISP. Instead, it set up a two-tiered rule: email in ''electronic storage'' with a service provider for 180 days or less may be obtained only pursuant to a search warrant, which requires a finding of probable cause, but the additional protections of Title III—limited number of crimes, high level approval, judicial supervision—do not apply. Email in storage for more than 180 days may be obtained with a warrant or a mere subpoena. In no case is the user entitled to contemporaneous notice. The email portions of ECPA also do not include a statutory suppression rule for government violations and do not allow for public or congressional oversight through annual reports.

MAPPING THE FOURTH AMENDMENT ONTO CYBERSPACE

    Remarkably, ECPA was the last significant update to the privacy standards of the electronic surveillance laws. Astonishing and unanticipated changes have occurred since then:

 the development of the Internet and the World Wide Web as mass media;

 the convergence of voice, data, video, and fax over wire, cable and wireless systems;

 the proliferation of service providers in a decentralized, competitive communications market;

 the movement of information out of people's homes or offices and onto networks controlled by third parties;

 the increasing power of hand-held computers and other mobile devices that access the Internet and data stored on networks.

    As a result of these changes, personal data is moving out of the desk drawer and off of the desktop computer and out onto the Internet. Does this mean that information is being stored more and more in configurations not protected by the Fourth Amendment? The government argues that this is a choice people make—you can keep the data on your own server and you can stay off the Internet if you care about privacy. But isn't this a little like arguing that you lose your privacy rights when you choose to communicate using the services of a telephone company, and if you want to preserve your privacy you should visit the person and have a face-to-face conversation? To say that people are choosing to let go of their data and stop there would leave the Fourth Amendment protections available in the home when increasingly information is not stored there anymore. Rather, it is necessary to adopt legislative protections that map Fourth Amendment principles onto the new technology.

    It is clear that the surveillance laws' protections are too weak:

 The standard for pen registers is minimal—judges must rubber stamp any application presented to them.

 Many of the protections in the wiretap law, including the special approval requirements and the statutory rule against use of illegally obtained evidence, do not apply to email and other Internet communications.

 Data stored on networks is not afforded full privacy protection.

 ISP customers are not entitled to notice when personal information is subpoenaed in civil lawsuits; notice of government requests can be delayed until it is too late to object.

 And inconsistent standards apply to government access to information about one's activities depending on the type of technology used. For example, watching the same movie via satellite, cable TV, Internet cable modem and video rental is subject to four different privacy standards.

    In addition, there are many ambiguities, some of which have existed since ECPA was enacted, others caused by technology's continuing evolution since 1986. For example, does the pen register statute apply to email or Web communications? If so, what are ''the numbers dialed or otherwise transmitted''? To get email addresses and Web addresses (URLs), can the government serve a pen register order on the ISP or must it use an order under ECPA? What information is collected under a pen register order and from whom in the case of a person who is using the Internet for voice communications? What standard applies if the person has a cable modem? Is an Internet portal an electronic communications service under ECPA? Are search terms covered by ECPA? Does ECPA cover government access to information about one's activity at an e-commerce site? Do people have a constitutionally protected privacy interest in their calendars stored on Internet Web sites? At best, the answers are unclear.

    The importance of these questions is heightened by the fact that transactional or addressing data for electronic communications like email and Web browsing can be much more revealing than telephone numbers dialed. First, email addresses are more personally revealing than phone numbers because email addresses are unique to individual users. Furthermore, if the pen register authority applies to URLs or the names of files transmitted under a file transfer protocol, then the addressing information can actually convey the substance or purport of a communication.

OUTLINING THE NECESSARY PRIVACY ENHANCEMENTS

    To update the privacy laws, Congress could start with the following issues:

 Increase the standard for pen registers. Under current law, a court order is required but the judge is a mere rubber stamp—the statute presently says that the judge ''shall'' approve any application signed by a prosecutor saying that the information sought is relevant to an investigation. Instead, the government should be required to justify its request and the order should issue only if the judge affirmatively finds that the government has shown that the information sought is relevant and material.

 Define and limit what personal information is disclosed to the government under a pen register or trap and trace order served on Internet service providers.

 Add electronic communications to the Title III exclusionary rule in 18 USC §2515 and add a similar rule to the section 2703 authority. This would prohibit the government from using improperly obtained information about electronic communications.

 Require notice and an opportunity to object when civil subpoenas seek personal information about Internet usage.

 Improve the notice requirement under ECPA to ensure that consumers receive notice whenever the government obtains information about their Internet transactions.

 Require statistical reports for §2703 disclosures, similar to the reports required under Title III.

 Make it clear that Internet queries are content, which cannot be disclosed without consent or a probable cause order.

 Provide enhanced protection for information on networks: probable cause for seizure without prior notice, opportunity to object for subpoena access.

CONCLUSION

    We do not need a new Fourth Amendment for cyberspace. The one we have is good enough. But we need to recognize that people are conducting more and more of their lives online. They are storing increasing amounts of sensitive data on networks. They are using technology that can paint a full profile of their personal lives. The pricetag for this technology should not include a loss of privacy. It should not be the end of the privacy debate to say that technological change takes information outside the protection of the Fourth Amendment as interpreted by the courts 25 years ago. Nor is it adequate to say that individuals are voluntarily surrendering their privacy by using new computer and communications technologies. What we need is to translate the Fourth Amendment's vision of limited government power and personal privacy to the global, decentralized, networked environment of the Internet.

Attachment:

AMENDING THE PEN REGISTER AND TRAP AND TRACE STATUTE IN RESPONSE TO RECENT INTERNET DENIAL OF SERVICE ATTACKS—AND TO ESTABLISH MEANINGFUL PRIVACY PROTECTIONS

    Pen registers are surveillance devices that capture the phone numbers dialed on outgoing telephone calls; trap and trace devices capture the numbers identifying incoming calls. They are not supposed to reveal the content of communications. They are not even supposed to identify the parties to a communication or whether a call was connected, only that one phone dialed another phone. Nonetheless, in an increasingly connected world, a recording of every telephone number dialed and the source of every call received can provide a very complete picture—a profile—of a person's associations, habits, contacts, interests and activities. For that reason, pen registers and trap and trace devices are very helpful to law enforcement and pose significant privacy concerns. Much of the current debate over surveillance standards relates to the collection of transactional data by these devices and by other means.

    A 1986 federal law requires a court order for use of such devices, but the standard for approval is so low as to be nearly worthless—a prosecutor does not have to justify the request and judges are required to approve every request.

    These orders apply to email and other Internet activity, but it is not clear what is the Internet equivalent of the dialing information that must be disclosed. In crucial respects, Internet addressing information can be far more revealing than telephone dialing information—not only does it reveal the precise parties who are communicating, but it can even reveal the meaning or content of communications.

    Federal law enforcement agencies conduct roughly 10 times as many pen register and trap and trace surveillances as they do wiretaps. In 1996, the Justice Department components alone obtained 4,569 pen register and trap and trace orders. Most orders covered more than one line: in 1996, 10,520 lines were surveilled by pen registers or trap and trace devices. So much information is collected that Justice Department agencies have developed several generations of computer tools to enhance the analysis and linking of transactional data from pen registers and trap and trace devices.

    In response to a Justice Department proposal, legislation has been introduced to authorize judges in one jurisdiction to issue pen register and trap and trace orders to service providers anywhere in the country. S. 2092. Other provisions in the bill could have the effect of greatly expanding the scope of these supposedly limited surveillance devices, allowing the collection of more personally revealing information and imposing expensive burdens on ISPs, portals, and other service providers.

    Before the geographic reach of pen register and trap and trace orders is expanded, the privacy standards in the current law should be updated: some real substance should be put into the standard for issuing those orders and the scope of information they collect should be carefully limited.

The Framework of the Electronic Surveillance Laws

    There are three major laws setting privacy standards for government interception of communications and access to subscriber information:

 The federal wiretap statute (''Title III''), 18 USC 2510 et seq., which requires a probable cause order from a judge for real-time interception of the content of voice and data communications. This legal standard is high.

 The Electronic Communications Privacy Act of 1986 (''ECPA''), 18 USC 2701 et seq., setting standards for access to stored email and other electronic communications and to transactional records (subscriber identifying information, logs, toll records). The standard for access to the contents of email is relatively high; the standards for access to transactional data are low.

 The pen register and trap and trace statute, enacted as part of ECPA, 18 USC 3121 et seq., governing real-time interception of ''the numbers dialed or otherwise transmitted on the telephone line to which such device is attached.'' The standard is that of a rubber stamp.

    Title III governs the interception of the ''contents'' of communications, which the statute defines as ''any information concerning the substance, purport, or meaning of that communication.'' 18 USC §2510(8). Since the Supreme Court has held that the content of communications is fully protected by the Fourth Amendment's limitations on searches and seizures, Title III imposes strict limitations on the ability of law enforcement to obtain call content—limitations that embody, and in some respects go beyond, the protections guaranteed by the Fourth Amendment. A law enforcement agency may intercept content only pursuant to a court order issued upon findings of probable cause to believe that an individual is committing one of a list of specifically enumerated crimes, that communications concerning the specified offense will be intercepted, and that the pertinent facilities are commonly used by the alleged offender or are being used in connection with the offense. 18 USC §2518(3).

    On the other hand, the Supreme Court has held that there is no constitutionally-protected privacy interest in the numbers one dials to initiate a telephone call. Smith v. Maryland, 442 U.S. 735, 742 (1979). Accordingly, the pen register and trap and trace provisions in 18 USC §3121 et seq. establish minimum standards for court-approved law enforcement access to the ''electronic or other impulses'' that identify ''the numbers dialed'' for outgoing calls and ''the originating number'' for incoming calls. 18 USC §3127(3)–(4). To obtain such an order, the government need merely certify that ''the information likely to be obtained is relevant to an ongoing criminal investigation.'' 18 USC §3122–23. (There is no constitutional or statutory threshold for opening a criminal investigation.)

    The Supreme Court has stressed how limited is the information collected by pen registers. ''Neither the purport of any communication between the caller and the recipient of the call, their identities, nor whether the call was even completed is disclosed by pen registers.'' United States v. New York Tel. Co., 434 U.S. 159, 167 (1977) (emphasis added). Recent court decisions have reemphasized that such devices' ''only capability is to intercept'' the telephone numbers a person calls. Brown v. Waddell, 50 F.3d 285, 292 (4th Cir. 1995) (emphasis added).

    The pen register/trap and trace statute lacks many of the privacy protections found in the wiretap law. Not only is the standard for judicial approval so low as to be meaningless, but the government can use pen register evidence even if it is intercepted without complying with the law's minimal provisions: Unlike the wiretap statute, which has a statutory exclusion rule, the pen register/trap and trace law has no such provision, and the Fourth Amendment's exclusionary rule does not apply. There is little chance of after-the-fact oversight, since innocent citizens are unlikely to find out about abuses of the statute: Unlike the wiretap law, the pen register/trap and trace statute has no provision requiring notice to persons whose communications activities have been surveilled. Nor, in contrast to the wiretap law, is there any provision for judicial supervision of the conduct of pen registers: Judges are never informed of the progress or success of a pen register or trap and trace. There is also no minimization rule: Section 3121(c) requires the government to use technology reasonably available to it that restricts the recording or decoding of electronic or other impulses to the dialing and signaling information used in call processing, but the FBI has recently admitted that no such technology exists.

Applying Pen Registers to the Internet

    The pen register and trap and trace statute was adopted before the Internet was widely available to ordinary citizens. The definition of pen register says that such devices capture only the ''numbers dialed or otherwise transmitted'' on the telephone line to which the device is attached. 18 USC 3127(3). The definition of trap and trace device refers only to ''the originating number of an instrument or device from which a wire or electronic communication was transmitted.'' 18 USC 3127(4).

    There are many questions posed by application of the pen register/trap and trace statute to the Internet. The statute almost certainly applies to email and the Web, for it refers to electronic communications. But what are ''the numbers dialed or otherwise transmitted''? Can the government serve a pen register order on an ISP or other service provider like Hotmail, to obtain the addresses of all incoming and outgoing emails for a certain account? Does the pen register/trap and trace authority encompass only numbers (Internet protocol addresses) or does it include email addresses or both? Can a pen register or trap and trace order be served on a portal or search engine? What does the statute mean when applied to URLs? Can the government serve a pen register or trap and trace order on CNN and get the address of everybody who has downloaded or viewed a certain article? What information is collected under a pen register order and from whom in the case of a person who is using the Internet for voice communications? What standard applies if the person has DSL or a cable modem?

    The importance of these questions is heightened by the fact that transactional or addressing data of electronic communications like email and Web browsing can be much more revealing than telephone numbers dialed.

    First, email addresses are more personally revealing than phone numbers because email addresses are unique to individual users. In many offices, while there is only one phone number normally called from the outside, each person has an individual email address. So while a pen register on a phone line only shows the general number called, a pen register served on an ISP will likely identify the specific recipient of each message. Even in a household, each person online may have a separate email, and may have different email addresses for different purposes, making it more likely that the government can determine precisely who is contacting whom.

    Furthermore, if the pen register authority applies to URLs or the names of files transmitted under a file transfer protocol, then the addressing information can actually convey the substance or purport of a communication. If you call (202) 637–9800 on the phone and ask for a copy of our statement on cybercrime and Internet surveillance, a pen register shows only that you called the general CDT number. If you ''visit'' our website and read the statement, your computer transmits the URL http://www.cdt.org/security/000229judiciary.shtml, which precisely identifies the content of the communication. Does a pen register served on our ISP or our web hosting service require disclosure of that URL? If so, the government has no trouble knowing what you read, for typing in the same URL reveals the whole document.

    Such revealing information appears in other addresses:

    If you search Yahoo for information about ''FBI investigations of computer hacking,'' the addressing information you send to Yahoo includes your search terms. The URL looks like this: http://search.yahoo.com/bin/search?p=FBI+and+hacking+investigations.

    If you search AltaVista for ''hacker tools,'' the ''addressing'' data looks like this: http://www.altavista.com/cgi-bin/query?pg=q&sc=on&hl=on&q=hacker+tools&kl=XX&stype=stext&search.x=25&search.y=11.

    If you send a message to Amazon.com to buy a book, this is what the URL looks like: http://www.amazon.com/exec/obidos/handle-buy-box=0962770523/book-glance/002–9953098–4097847, where 0962770523 is the standardized international catalogue (ISBN) number of the book you are buying.

    Computer security expert Richard Smith has identified numerous ways in which the URLs sent to DoubleClick include personal information about travel plans, health, and other matters. See attached memo and http://www.tiac.net/users/smiths/privacy/banads.htm. Can a pen register order be served on DoubleClick? Would it cover the detailed information found in URLs delivered to DoubleClick?

    These questions did not exist in 1986, when the pen register statute was enacted. They illustrate how outdated is the rubber-stamp standard of the current law. All of these questions should be addressed before the scope of the pen register statute is further extended.

Jurisdictional Expansion of the Pen Register/Trap and Trace Statute

    18 USC 3123(a) currently states that a judge shall authorize the installation and use of a pen register or trap and trace device ''within the jurisdiction of the court.'' The Justice Department argues that this jurisdictional limitation (no different than the jurisdictional limitation that applies to search warrants or subpoenas in the ''real'' world) poses a burden to law enforcement conducting investigations in cyberspace, since a communication may jump from one computer to another.

    While there is some apparent logic to the government's argument for tracing computer data across jurisdictional lines, the proposed change would not be limited to computer communications—it would also apply to plain old telephones. Nor would it be limited to situations where it appeared that communications were passing through multiple service providers: it would allow a Miami judge to authorize the use of a pen register in New York on communications starting and ending in New York.

    Furthermore, orders issued under the proposed change as introduced would have no limits. A normal subpoena, even one with nationwide effect, is addressed to a specific custodian of the desired information. Fed. R. Crim. Proc. 17(c). This requirement does not appear in S. 209; instead, the government would receive a blank order, which it could presumably serve on multiple, unnamed service providers, with no limit as to time or how often the subpoena could be used.

    If the pen register and trap and trace provisions are given nationwide effect, it should not automatically apply to every such order. There should at least be some requirement that the applicant explain to the judge's satisfaction why authority is sought to conduct the investigation across jurisdictional lines: Section 3122(b) should be amended to require in the application, if an order with nationwide effect is sought, a full and complete statement as to the grounds for believing that some of the communications to be identified originate or will terminate outside the jurisdiction of the issuing court or are passing through multiple service providers and that the cooperation of multiple service providers or service providers in other jurisdictions will be necessary to identify their origin or destination. And 3123 should be amended to require the judge to specify to whom the subpoena is directed by name, as well as the geographic extent of the order and the time within which it is effective. (Limiting language on geographic extent already appears in the statute: 3123(b)(1)(C).)

Establishing Meaningful Privacy Standards for Pen Registers

    Any territorial extension of the reach of trap and trace or pen register orders should also be coupled with a heightened standard for approval of such devices. Under current law, a court order is required but the judge is a mere rubber stamp—the statute presently says that the judge ''shall'' approve any application signed by a prosecutor saying that the information sought is relevant to an investigation. Currently, the judge cannot question the claim of relevance, and isn't even provided with an explanation of the reason for the application. Given the obvious importance of this ''profiling'' information, section 3122(b)(2) should be amended to require the government's application to include a specific description of the ongoing investigation and how the information sought would be relevant and material to such investigation, and section 3123(a) should be amended to state that an order may issue only if the court finds, based on a showing by the government of specific and articulable facts, that the information likely to be obtained by such installation and use is relevant and material to an ongoing criminal investigation.

    The second change needed is to define and limit what information is disclosed to the government under a pen register or trap and trace order, especially those served on an Internet service provider or in other packet networks. Unfortunately, S. 2092 goes in the opposite direction. It would amend the definition of pen register devices to include ''dialing, routing, addressing, or signalling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted.'' This completely loses the current sense of the statute, which is limited to information identifying the destination of a communication. The phrase ''dialing, routing, addressing or signalling information'' is very broad. It increases the amount of information that can be ordered disclosed/collected, in ways that are unclear but that are likely to increase the intrusiveness of these devices, which are not supposed to identify the parties to a communication and not even supposed to disclose whether the communication was completed. It goes well beyond merely eliminating the archaic reference to telephone lines.

    A much better way to phrase the pen register definition would be: ''dialing, routing, addressing or signalling information that identifies the destination of a wire or electronic communication transmitted by the telephone line or other subscriber facility to which such device or process is attached or applied,''.

    Similarly, the trap and trace definition could be amended to read: ''a device or process that captures the dialing, routing, addressing or signalling information that identifies the originating instrument or device from which a wire or electronic communication was transmitted.'' These amendments should be coupled with statutory language or legislative history making it clear that pen registers do not authorize interception of search terms, URLs identifying certain documents, files or web pages, or other transactional information.

    As an oversight matter, it would be useful to include reporting requirements in the pen register statute that are closer to those applicable to wiretaps. Currently, the statute requires only reports for pen registers and trap and trace devices applied for by the Justice Department, so there is no way of knowing what is done by other federal law enforcement agencies or state and local authorities.

    Finally, it should be made clear that any changes to the statute do not expand the obligations on carriers under the Communications Assistance for Law Enforcement Act. Currently, a debate is underway over the meaning of CALEA. The government would almost certainly cite S. 2092's amendments to the definitions of pen register and trap and trace device as justification for requiring carriers to install additional surveillance features. It must be made clear, for example, that the pen register/trap and trace statute's reference to identifying the origin of communications does not imply a design mandate for identification or traceability.

    Mr. CANADY. Mr. Nojeim.

STATEMENT OF GREGORY NOJEIM, LEGISLATIVE COUNSEL, AMERICAN CIVIL LIBERTIES UNION

    Mr. NOJEIM. Thank you for inviting me, Chairman Canady, Mr. Watt and other members. I am here to testify on behalf of the American Civil Liberties Union, an organization of 275,000 members dedicated to protecting the principles of freedom set forth in the Bill of Rights. And thank you for taking my full statement and putting it into the record.

    Electronic surveillance is increasingly a scattershot investigative tool. In the most recent 5-year period for wiretapping, only one-fifth of the communications intercepted in law enforcement electronic surveillance were incriminating conversations. In 1998, 1.9 million innocent conversations were intercepted. This is a tremendous loss of personal privacy.

    Surveillance of communications on the Internet poses many of the same problems and raises many of the same concerns as has wiretapping over the years. Our freedom against unreasonable searches depends upon crafting fourth amendment principles that make sense in the digital age. Congress first enacted legislation to govern electronic surveillance in 1968, but the scheme that was adopted grew outdated quickly. In part, this was because technology advanced, but in part, it was because the Supreme Court rendered key decisions calling into question the application of the fourth amendment to sensitive personal information held by third parties.

    Notwithstanding the Court's willingness to protect the contents of communications in general under the fourth amendment, it has been less protective of content stored with third parties and of other information relating to the communication that is revealing, but that it does not regard as content. This prompted Congress to revisit the statute and enact the Electronic Communications Privacy Act in 1986.

    ECPA has a number of shortcomings that ought to be addressed. As has been pointed out, it is not as protective of e-mail and other electronic communications as is title III of voice communications. Under the scheme adopted in ECPA, real-time interception of e-mail messages is given greater protection than is acquisition of the message in storage. And storage happens virtually immediately. The message is sent and it arrives almost immediately. Once e-mail has been—let me skip ahead a little bit.

    It is against the backdrop of the more limited protection that is being afforded Internet communications that we ask you to evaluate some of the proposals that have been made and put before you. The Department of Justice has asked that judges be given authority to issue such orders—to issue pen register and trap and trace orders with nationwide coverage. We believe that before any additional authority is given, that the standard for granting a pen register or a trap and trace approval be increased.

    Under current law, the statute provides that the courts shall issue an order authorizing the installation of a pen register or a trap and trace device whenever any attorney for the Government or an investigative officer merely certifies in an ex parte proceeding that information likely to be obtained is relevant to an ongoing criminal investigation. No judicial finding of relevance is required. In fact, even if the court believes that only completely irrelevant information would be obtained, the plain language of the statute requires that the order be issued anyway.

    Before entertaining any proposal to allow for nationwide service, we ask you to tighten up the standards for pen registers and trap and trace devices. In addition, we urge you to reject proposals to reduce anonymity on the Internet. The Supreme Court has held that the Constitution grants people in the United States the right to speak anonymously. To eliminate Internet anonymity would be the rough equivalent of outlawing pen names in the real world. We also urge you to act to protect the privacy of pager communications and reject the clone pager provisions in the Senate version of the juvenile justice bill that is currently before a conference committee. A communication that conveys content by means of numbers should be no less protected than a communication that conveys content by means of letters.

    We also urge additional oversight of intelligence-related interceptions. The Foreign Intelligence Surveillance Act was enacted in 1978, well before the advent of widespread use of e-mail. And it is worth taking a second look at the statute and to conduct oversight to determine whether the statute is effectively protecting the privacy of electronic communications such as e-mail.

    Recently, the FCC announced a plan to monitor public Websites, message boards and chat rooms for suspicious words. Such communications over these mediums might not fall within the ambit of the fourth amendment, but the plan raises a larger question. Should Internet communications in public areas be routinely monitored by Federal agencies with law enforcement responsibilities acting without a reasonable indication of criminality that is usually required for an investigation or even the receipt of information sufficient to trigger a preliminary inquiry into whether a full investigation is warranted?

    We think that this is something that the Congress ought to look at very closely and don't want to pass on a world where every Federal agency believes that it has to monitor and mind communications over the Internet just because they are made publicly.

    There is an urgent need for active congressional oversight in this area. To the extent that the courts have failed to extend fourth amendment principles of privacy to protect communications held by third parties, Congress must step in. It is important that legal structures to enhance privacy be put in place prior to any consideration of measures that would enhance surveillance capability also. Thank you.

    Mr. CANADY. Thank you, Mr. Nojeim.

    [The prepared statement of Mr. Nojeim follows:]

PREPARED STATEMENT OF GREGORY NOJEIM, LEGISLATIVE COUNSEL, AMERICAN CIVIL LIBERTIES UNION

    Chairman Canady, Ranking Member Watt and members of the Subcommittee:

    I am pleased to testify before you today on behalf of the American Civil Liberties Union about the Fourth Amendment to the U.S. Constitution and the Internet. The ACLU is a nation-wide, non-profit, non-partisan organization consisting of over 275,000 members dedicated to preserving the principles of freedom set forth in the Bill of Rights. Neither ACLU nor myself has received any funding from the federal government in the past two years.

    As the 21st century begins, Americans have expressed overwhelming concern about their privacy. A Wall Street Journal poll conducted at the end of last year indicated that Americans were more concerned in the new millennium about loss of personal privacy than things like terrorism, crime or even the economy.

    Today I will discuss the Fourth Amendment as it applies to certain Internet communications. I will explain that when it comes to protecting the privacy of communications on the Internet, the buck stops here, with Congress, and not in the courts through Fourth Amendment jurisprudence. I will also discuss pending proposals to expand electronic surveillance authority and encourage an examination of current law to ensure that as technology advances, a level of privacy in communications is maintained.

THREATS TO CIVIL LIBERTIES POSED BY ELECTRONIC SURVEILLANCE

    Electronic surveillance of communications is conducted secretly and unlike most searches in the physical world, there is no simultaneous notice that a search is being conducted. Because electronic surveillance vacuums up both innocent and incriminating conversations, we believe it resembles the kind of general search warrant that the Fourth Amendment was adopted to preclude. Everyone would agree that law enforcement ought not search all of the houses on a street because it has probable cause that crime might be conducted in one of the houses on the street. This principle has not been carried forth into the world of electronic surveillance. In the search for incriminating evidence, electronic surveillance causes a great deal of collateral damage because so many innocent communications are also intercepted.

    Electronic surveillance is increasingly a scattershot investigative tool. For the first five year period for which statistics are available (1969–1973), more than half of the communications intercepted in law enforcement electronic surveillance were incriminating. However, over the most recent five-year period (1994–1998) only one-fifth of the communications intercepted in law enforcement electronic surveillance were incriminating conversations. Each time a federal or state electronic surveillance intercept is installed, on average, 1608 innocent conversations are intercepted. In 1998, the most recent year for which statistics are available in the Wiretap Report published annually by the Administrative Office of the U.S. Courts, a record number of electronic intercept applications were installed by federal and state law enforcement officials. At the same time, less than 19% of the millions of communications intercepted in 1998 were incriminating, and 1.9 million innocent communications were intercepted.

    This is a tremendous loss of personal privacy. It is one of the reasons Americans overwhelmingly oppose wiretapping. Each year the Department of Justice asks Americans whether all things considered, they oppose or support wiretapping. Nearly 3/4ths of the respondents consistently indicate opposition. Because it is conducted secretly, electronic surveillance undermines trust in the government and trust between individuals. For some, it inhibits communication by putting them in fear that their words might be recorded and one day be used against them.

    Surveillance of communications on the Internet poses many of the same problems and raises many of the same concerns as has wiretapping over the years. Indeed, a lack of privacy in Internet communications is already cited by many as a reason why they do not engage in e-commerce, or do not communicate sensitive information over the Internet.

THE FOURTH AMENDMENT AND ELECTRONIC SURVEILLANCE

    The Fourth Amendment provides:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

    Our freedom against unreasonable searches depends on crafting Fourth Amendment principles that make sense in the digital age. It used to be the case that most of the information people wanted to be kept private was stored in their home. To the extent that third parties obtained a person's most private information, it was difficult to store and difficult to collate. Now, with the advent of the Internet, the World Wide Web and instantaneous electronic communication, an invasion of privacy is only a point and a click away.

    Olmstead v. United States, 277 U.S. 438 (1928) is often cited as the Court's first foray into cyberspace. The Court held that a warrant is not required for a wiretap of a home or an office telephone because law enforcement officers had not physically entered the home or office, or any other place deemed constitutionally protected. The Court reasoned that since the language of the Fourth Amendment refers only to tangible things, such as houses, papers, effects and people, its reach extended only to physical intrusions.

    The Court reversed itself in Katz v. United States, 389 U.S. 347 (1967). It declared, ''the Fourth Amendment protects people, not places.'' It held that what a person seeks to preserve as private might be constitutionally protected even if it is in an area accessible to the public. In Katz, the Court held that a telephone conversation could not be intercepted without a warrant.

CONGRESS AND ELECTRONIC SURVEILLANCE.

    In response to the Court's decision in Katz, Congress enacted Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (18 U.S.C. 2510–20). It established procedures for court-ordered wiretapping and bugging.

    Because Congress recognized that electronic surveillance was so invasive of privacy, it included a number of safeguards:

 It was permitted only for specified, mostly serious crimes.

 Electronic surveillance was only authorized with a court order issued upon a showing of probable cause of crime.

 It would be used only as a last resort, when other investigative techniques had already failed or were likely to fail.

 Procedures would be adopted to minimize eavesdropping on innocent conversations.

 A person whose conversations had been intercepted would be given notice when deemed necessary in the ''interests of justice.''

 Only a high-ranking DOJ official can approve a wiretap application.

 Prior to trial, a defendant would be given a chance to challenge the legality of the interception of his conversations.

 Illegal electronic surveillance triggers a fine or imprisonment for up to five years.

THE FOURTH AMENDMENT AND DATA STORED BY THIRD PARTIES

    This statutory scheme grew outdated quickly, in part because technology advanced, and in part because the Supreme Court rendered key decisions calling into question the application of the Fourth Amendment to sensitive personal information held by third parties. Notwithstanding the Court's willingness to protect the contents of communications in general under the Fourth Amendment, it has been less protective of content stored with third parties, and of other information relating to the communication that it does not regard as content.

    In Smith v. Maryland, 442 U.S. 735 (1979) the Supreme Court ruled that the Fourth Amendment does not protect the privacy of numbers dialed on a telephone. It held that a person has no reasonable expectation of privacy in the numbers dialed from a telephone in part because telephone companies routinely record the numbers dialed for business purposes. The Court reasoned that the person making the call likely did not expect privacy because he was volunteering to the phone company information about the numbers he was dialing. The Court also distinguished the contents of the communication, which is protected by the Fourth Amendment, from the numbers the person dialed in order to make the phone call. Consequently, the reach of the Fourth Amendment in this area is likely to be determined by whether the Court views a particular electronic surveillance interception as one that involves content or something else, and whether the person making the communication had a reasonable expectation of privacy in the communication.

    Likewise, in U.S. v. Miller, 425 U.S. 435 (1976), the Court had held that individuals do not have a ''reasonable expectation of privacy'' cognizable under the Fourth Amendment in financial records pertaining to them but maintained by their bank in the normal course of business.

    Shortly after these decisions were rendered, new technology capable of conveying sensitive information stored with third parties at distant locations began to develop. Congress rightly feared that because the Court had ruled that information maintained by third parties did not enjoy Fourth Amendment protections in certain contexts, the privacy of electronic communications could not be guaranteed absent legislation.

CONGRESS AND SURVEILLANCE OF COMMUNICATIONS ON THE INTERNET.

    The Electronic Communications Privacy Act of 1986 (Pub. L. No. 99–508) is the comprehensive legislation Congress enacted to protect the privacy of electronic communications such as e-mail. An individual's e-mail message stored by a third party was viewed as likely unprotected by the Fourth Amendment under the Court's reasoning in Smith v. Maryland. In ECPA, Congress made the term ''electronic communication'' very broad to ensure that the term was expansive enough to cover evolving technology. An ''electronic communication'' is defined as any transfer of signs, signals, writing, images, sounds, data or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system, except for wire and aural communications, communications made through a ''tone only'' pager or by a tracking device and certain electronic funds transfers. This covers much more than e-mail.

    ECPA has a number of shortcomings that should be addressed. It is not as protective of e-mail and other electronic communications as Title III is of voice communications:

 Only a high-ranking DOJ official can authorize an application for a wiretap order; ''any attorney for the Government'' may authorize an application for an order to intercept e-mail and other electronic communications;

 Wiretaps can be issued only upon a showing of probable cause that one of a list of enumerated offenses has been committed; e-mail and other electronic communications can be intercepted with a court order based on probable cause issued in connection with any federal felony; and

 The statutory exclusionary rule that encourages law enforcement to comply with the proper procedures for electronic surveillance applies only to wiretaps and bugs, not to interception of e-mail and other electronic communications.

    Electronic communications ought to be afforded the same protections as voice communications because they are functionally similar.

    Second, under the scheme adopted in ECPA, real-time interception of e-mail messages is given greater protection than is acquisition of the message from a ''provider of electronic communications service'' after it has been stored. Under ECPA, real-time interception of e-mail messages and other electronic communications requires a court order based on probable cause of crime, interception is an investigative technique of the last resort, and continuing judicial oversight is required. 18 U.S.C. 2510–22. However, since real-time interception of electronic communications is not necessary in most cases, these provisions do not afford the protection for electronic communications that Congress likely intended. Instead, law enforcement need only wait until the provider stores the e-mail message; it is stored immediately upon delivery.

    Once in storage, law enforcement access is obtained more readily under 18 U.S.C. 2703. A search warrant based on probable cause issued by a federal magistrate (as opposed to a court order with the protections mentioned above) is all that is required to access e-mail in storage for less than 180 days. 18 U.S.C. 2703(a). In other words, by waiting an instant until the message is delivered and ''stored,'' the requirement of a court order with continuing judicial oversight, the statutory requirement for minimization procedures, the substantial fines and prison time for violating the statute, and the requirement that the communication be eavesdropped upon only as an investigative technique of last resort are all avoided.

    This is what the Fifth Circuit concluded in Steve Jackson Games, Inc. v. U.S. Secret Service, 36 F.3d 457 (5th Cir. 1994). As a result, court orders are likely seldom sought to intercept e-mail; rather, it is simply accessed with a warrant when it is stored.

    What does this mean for a service like AOL's ''Instant Messaging?'' It resembles a phone conversation over the Internet. But if AOL stores the messages—even for an instant—the communication has lesser protection than would a phone conversation.

    Importantly, once the e-mail has been stored with the provider for over 180 days, it can be made available to law enforcement acting with only an administrative subpoena and delayed notice to the customer, or with a warrant without notice. 18 U.S.C. 2703(b). Most importantly, such e-mail can be obtained by law enforcement acting with a court order issued based upon a showing of only ''specific and articulable facts showing that there are reasonable grounds to believe'' that the contents of the communication are ''relevant'' to an ongoing investigation. ''Relevance'' is a far lower threshold for a search than is ''probable cause.'' In effect, the privacy of the contents of an e-mail message or other electronic communication diminishes just because a service provider retained the message an inordinately long time.

    It is tempting to assume that a person using the Internet has a reduced expectation of privacy. This assumption is very dangerous in an increasingly interconnected world, where transactions that we seek to keep private are increasingly conducted over the Internet. It triggers a downward spiral in the level of protection that is offered to communications. Rather than allow this, Congress should step in to bolster expectations of privacy and reject proposals that would diminish personal privacy.

PROPOSALS REGARDING SURVEILLANCE OF INTERNET-RELATED COMMUNICATIONS.

    It is against this backdrop that we encourage you to examine proposals to expand law enforcement's electronic surveillance authority to combat crime facilitated by communications on the Internet.

    Nation-wide Pen Register and Trap and Trace Orders. A pen register is a device that records telephone numbers dialed from a telephone; a trap and trace device, like caller ID, records the phone numbers of incoming calls. 18 U.S.C. 3127. Under current law, the standard for obtaining a court order authorizing placement of a pen register or trap and trace device is extremely low. The statute provides that the court shall issue an order authorizing the installation of a pen register or trap and trace device whenever any attorney for the Government or an investigative officer merely certifies in an ex parte proceeding that information likely to be obtained is relevant to an ongoing criminal investigation. 18 U.S.C. 3123. No judicial finding of relevance is required. In fact, even if the court finds that only completely irrelevant information would be obtained, the plain language of the statute requires that the judge issue the order anyway. In other words, the court wields a rubber stamp. Pen registers and trap and trace devices are used much more often than electronic surveillance such as wiretaps.

    Pen registers and trap and trace orders are limited to the jurisdiction of the court issuing the order. 18 U.S.C. 3123. The Department of Justice has asked that judges be given authority to issue such orders with nationwide coverage. DOJ argues that to track computer intrusions over the Internet, law enforcement officials must often seek multiple orders because electronic communications jump from computer to computer and jurisdiction to jurisdiction. However, the DOJ's request extends not only to electronic communications, but also to any communications transmitted by telephone, which do not jump from computer to computer.

    We urge you to reject this request because: (i) the standard for issuing a pen register or trap and trace order must first be strengthened substantially; (ii) steps must be taken to ensure that forum-shopping for a sympathetic judge is precluded; and (iii) it is unclear exactly what information the Government is currently obtaining with the low evidentiary standard for pen registers and trap and trace devices.

    The statute currently authorizes the interception of only numbers dialed to and from a telephone. The request for nationwide trap and trace and pen register orders is justified by a need to track computer intrusions back to the source. This likely involves ascertaining the suspect's e-mail address, as well as header information. Both of these include letters, not numbers dialed to and from a telephone. Under the language of the statute, neither a pen register nor a trap and trace order would cover such an interception. Moreover, it is not clear whether the Government can serve an order on an Internet service provider and obtain the e-mail addresses of incoming and outgoing messages for a particular subscriber. Further, it is not clear whether law enforcement agents use or should use authority under the pen register statute to access a variety of data, including Internet Protocol addresses, dialup numbers and e-mail logs. Before entertaining any request that trap and trace and pen register authority be expanded, law enforcement should be required to disclose the type of information it currently obtains with such orders in the digital world. Armed with that knowledge, Congress would be better positioned to evaluate a request that such authority be expanded.

    Reducing Anonymity on the Internet. We view Internet anonymity as one of the primary attributes of this new communications medium. The Supreme Court has held that the Constitution grants people in the U.S. the right to speak anonymously. See McIntyre v. Ohio Elections Commission, 514 U.S. 334 (1995). With respect to anonymity and Internet communications, see also ACLU v. Johnson, 4 F.Supp.2d 1029 (D.N.M. 1998) and ACLU v. Miller, 977 F.Supp. 1228 (N.D. Ga. 1997). To eliminate Internet anonymity would be the rough equivalent of outlawing pen names in the real world. It would partially stifle many communications on the Internet.

    Reducing the Privacy of Pager Communications. The clone pager provisions in Section 211 of the Senate's version of the juvenile justice bill, S. 254, would erode the protections that have traditionally accompanied the conveyance of content in numeric form. A clone pager is a device that intercepts communications intended for a numeric pager and makes those communications available to law enforcement. The numbers dialed to a pager are content because they are selected by the sender to convey a message. Sometimes the message is, ''call me at this number.'' At other times, the message is a code with meaning. For example, sending ''911'' might signal an emergency. Most courts agree that interception of the numbers sent to a pager is an interception of the contents of an electronic communication under ECPA that triggers Fourth Amendment scrutiny. See, e.g., Brown v. Waddell, 50 F.3d 285 (4th Cir. 1995).

    The clone pager provision would substitute a new standard—''probable cause of relevance'' to an on-going investigation for the current standard of probable cause to believe that a crime is being committed, in the case of content conveyed by numbers sent to a pager. Moreover, under the Senate bill, interception would be authorized under procedures more closely resembling those relating to pen registers and trap and trace devices, as opposed to those governing interception of the contents of an electronic communication. This may well be unconstitutional and in any event, sets a dangerous precedent.

    A communication that conveys content by means of numbers should be no less protected than a communication that conveys content by means of letters. Many electronic communications—including communications sent over the Internet—are digitized and consist only of 1's and 0's. Moreover, an encrypted communication might consist only of numbers. The Fourth Amendment requires that content be intercepted only under a probable cause of crime standard.

    The Department of Justice deemed unconstitutional and unnecessary a similar provision in a bill, S. 170, in the last Congress. It said in a May 20, 1998 letter to Chairman Hyde that interception of content of communications to numeric pagers was probably protected under the Fourth Amendment. It also said that if communications sent to numeric pagers were given reduced protection, drug dealers and other criminals would simply switch to alphanumeric pagers. DOJ took no position on this modified version of the clone pager provision in the comments it submitted on the juvenile justice bills. We urge you to reject this proposal.

    Foreign Intelligence Surveillance of Internet Communications. The Foreign Intelligence Surveillance Act (FISA) 50 U.S.C. 1801 et seq. became law in 1978 well before widespread use of the Internet. Under FISA, a court consisting of Article III judges secretly authorizes electronic and physical surveillance without probable cause of crime for intelligence and national security reasons. In recent years, the FISA court has issued more electronic surveillance orders than all of the federal courts combined.

    Unlike Title III, which covers electronic surveillance for criminal purposes, the FISA statute was never updated to account for the new forms of electronic communications that are facilitated by the Internet. The FISA statute defines the ''electronic surveillance'' it regulates to include:

''. . . the installation or use of an electronic, mechanical, or other surveillance device in the United States for monitoring to acquire information, other than from a wire or radio communication, under circumstances in which a person has a reasonable expectation of privacy and a warrant would be required for law enforcement purposes.'' 50 U.S.C. 1801(f)(4).

    Moreover, recent revelations in the European Parliament about eavesdropping by the National Security Agency working with the intelligence agencies of other English-speaking nations in an operation known as ''Echelon'' have sparked concerns here that FISA's requirement of a court order might be circumvented. We have called for hearings open to the public that would clear up these matters and ensure that the contents of domestic communications involving a U.S. person are not intercepted except with a court order.

    Monitoring the Internet for Suspicious Words. Recently, the Securities and Exchange Commission announced a plan to monitor public websites, message boards and chat rooms for suspicious words. The SEC put out a request for proposals for an automated Internet search system that would flag words or phrases such as ''get rich quick,'' copy these communications into a database, attempt to match them with e-mail addresses and other identifying information, and use the results to bring civil proceedings against people suspected of wrongdoing. Yesterday, the SEC issued a press release declaring that its monitoring plan is no different in manner and scope than ''finding a newspaper article with the aid of a tool that helps you to do so more quickly and exactly.''

    Depending on the type of communication monitored and whether the parties involved have a ''reasonable expectation of privacy'' in the communication, such communications may not fall within the ambit of the Fourth Amendment. However, this plan raises a larger question. Should Internet communications in ''public'' areas be routinely monitored by federal agencies with law enforcement responsibilities acting without the ''reasonable indication of criminality'' usually required for an investigation, or even the receipt of information sufficient to trigger a preliminary inquiry into whether a full investigation is warranted? If so, what does this mean for the traditional investigative injunction against monitoring activities protected by the First Amendment?

    When other federal agencies follow suit to enforce both civil and criminal laws, we might be left with George Orwell's America in which images of a snooping, all knowing ''Big Brother'' are both real and justified. The collection of data on the First Amendment activities of mostly innocent persons would also implicate the Privacy Act, which gives people an opportunity to access personally identifiable information in files the Government maintains on them.

    Cyberspace Electronic Security Act (CESA): Last year, the Clinton Administration proposed legislation that purports to enhance privacy by requiring a court order before escrowed keys and passwords to encrypted communications could be disclosed to the government. But the privacy standards established in this so-called Cyberspace Electronic Security Act (CESA) would be inadequate to protect privacy.

    Under CESA, third parties would be legally compelled to disclose decryption information upon a finding that the information is ''reasonably necessary'' to allow access to the plaintext of the communication, and that there is no constitutionally protected expectation of privacy in such plaintext. This untested standard falls far short of the traditional probable cause standard. Also, the reference to ''constitutionally'' protected privacy interests would render irrelevant any statutory privacy interest; many privacy protections stem from laws passed by Congress rather than from the Constitution itself.

    CESA would also prohibit contemporaneous notice to the person whose decryption information is being given to the government, and would allow after-the-fact notice to be delayed indefinitely. Without notice, individuals would have no meaningful opportunity to contest the violation of their privacy until after it had occurred. In fact, at one time during internal Administration deliberations, the CESA proposal incorporated a provision authorizing secret searches of computer files by law enforcement agents. That very controversial idea was not included in the proposal ultimately transmitted to Congress, and we urge that it not be revived in any form.

CONCLUSION

    There is an urgent need for active Congressional oversight in this area. To the extent that courts have failed to extend Fourth Amendment principles to protect the privacy of communications held by third parties, Congress must step in. Clear rules governing surveillance of communications on the Internet need to be established. One strange quirk of Fourth Amendment jurisprudence is that as a person's expectation of privacy in a communication diminishes, so does any Fourth Amendment protection afforded the communication. As Congress recognized when it enacted ECPA, ''. . . the law must advance with the technology to ensure the continued vitality of the Fourth Amendment . . . [Privacy] will gradually erode as technology advances.'' (S. Rep. No. 99–541, at 5 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3559.) In such a world, it is important that legal structures to enhance privacy be put in place prior to any consideration of measures that would enhance surveillance capabilities.

    Mr. CANADY. Professor Rosen.

STATEMENT OF JEFFREY ROSEN, ASSOCIATE PROFESSOR OF LAW, THE GEORGE WASHINGTON UNIVERSITY LAW SCHOOL

    Mr. ROSEN. Thank you so much, Mr. Chairman, and thank you, Mr. Watt, Mr. Barr, thank you for inviting me. It is an honor to be here.

    Monica Lewinsky is an improbable spokesperson for the importance of privacy on the Internet and you will forgive me, gentlemen, for reintroducing that name in this august setting. But in her memoir, she confesses she was especially unsettled by the Independent Counsel's ability, with full legal authority, to subpoena her bookstore receipts to which Mr. Barr referred to earlier, her home computer, and to retrieve from her hard drive the e-mails that she tried unsuccessfully to delete, as well as the letters that she drafted to the President but never sent. ''It was such a violation,'' she complained in her memoir, ''I felt like I wasn't a citizen of this country anymore.''

    At the beginning of the 21st century, many Americans are beginning to understand just how Ms. Lewinsky feels. For as thinking and writing increasingly take place in cyberspace rather than at home, many Americans are finding that their intimate e-mail, Internet browsing, and electronic papers, are similarly vulnerable to being monitored, searched, and exposed by public employers, Government agents, or private parties. But rather than adapting to new technological threats to privacy, fourth amendment protections for intimate personal information have been eroded by the courts in recent years.

    To appreciate just how dramatically privacy protections for private papers stored in real space and cyberspace have diminished, it is useful to recall that the search of private diaries and papers was the paradigm case, the quintessential example of an unreasonable search and seizure which the framers of the fourth amendment intended to forbid.

    The framers were especially moved by the case of John Wilkes, the English Whig whose diaries were seized by King George III's agents after he wrote a pamphlet criticizing the king. The king's agents broke into his house, opened his desk drawers, seized his diaries; and Wilkes sued the king's messengers for trespassing on his property, and a jury awarded him 1,000 pounds, ruinous damages in its day.

    The judge in the case, the celebrated Lord Camden, emphasized that English law at the time didn't permit Government agents to seize private papers for use as mere evidence in criminal cases. And he also said that it violated the fifth amendment to introduce intimate secrets against someone which was a form of self-incrimination. Wilkes' case was so galvanizing to the American colonists that the Sons of Liberty, a group that included Hancock and Adams, insisted that the fate of Wilkes and America, must stand or fall together. So I use this example, the search of private diaries, as the animating story behind the passage of the fourth amendment.

    Fast forward two centuries later to the time when Bob Packwood, Republican of Oregon, tried to conceal his diaries from fellow legislators and he found that the legal protections for private papers had evaporated under his eyes. The committee subpoenaed all the diaries that Packwood had dictated for about 5 years. His lawyers contested the subpoena. They cited the famous Boyd case from 1886 in which the Supreme Court had recited the case of John Wilkes and announced that subpoenaing a defendant's private business papers—and Boyd wasn't even a diary, it was receipts for plate glass—but in 1886, the courts said subpoenaing business papers to use against someone was both an unreasonable search under the fourth amendment and a form of compelled self-incrimination under the fifth amendment.

    But unmoved by Packwood's citation of the Boyd case, Judge Thomas Penfield Jackson, who we have been hearing more of recently, ordered him to turn over his diaries to the Senate. The 19th century right to privacy, Jackson noted, had been chipped away by subsequent Supreme Court decisions.

    My fellow witnesses will review those decisions in detail. I won't trouble you with the details except to say that many of them were grounded in the legal tests that Justice Harlan proposed in the Katz case to which Mr. Barr referred earlier for determining what kind of surveillance activities should trigger the protection of the fourth amendment. The idea, we all know, is that a person has to have an actual or subjective expectation of privacy and the expectation must be one that society is prepared to accept as reasonable.

    Now, Harlan's test was applauded at the time as a victory for privacy, but it soon became clear that it was entirely circular. People's subjective expectations of privacy tend to reflect the amount of privacy that they subjectively experience and as advances in the technology of monitoring and searching have made ever more intrusive surveillance possible, expectations of privacy naturally have diminished with a corresponding reduction in constitutional protections.

    In the age of cyberspace, when so many of our e-mail and other private papers are stored on third-party networks or outside of the home, the consequences of Harlan's test have been draconian. The court has created an incentive for public and private employers to search and monitor the most private areas of the workplace, including Internet browsing, computer files stored on hard drives, and e-mails sent, even from home, over company servers as regularly as possible in order to decrease their employees' expectations of privacy. The case law is in flux, but increasingly it suggests that by merely adopting a written policy that warns employees that the e-mail may be monitored or restricted, employers will lower expectation of privacy in a way that gives the broad discretion to monitor and restrict e-mail.

    Let me just, in closing, suggest a number of broad legal and technological approaches that you might think about in reviewing this fascinating subject. These hearings are really so important. The story of Wilkes suggests that in the 18th century, courts were willing to balance the seriousness of the crime against the intrusiveness of the search in deciding whether to authorize a search of private papers. To restore this balancing test, Congress could consider listing the crimes that are serious enough to justify a search of private papers and e-mails using the example of title III which recognizes that wiretapping is such an important threat to privacy that it can only be justified for especially serious crimes like espionage, treason and crimes of violence. Courts could also require some kind of filtering mechanisms to prevent prosecutors from rifling through a great deal of innocent in the search for potentially incriminating ones, even with a warrant or subpoena.

    Congressman Barr, you know that there is thin protection without notice. In civil cases involving the seizure of computer hard drives in which innocent and incriminating documents are hopelessly intermingled, some courts have suggested that officers should hold the computers until a neutral magistrate specifies the conditions under which they may be searched. Similar filtering mechanisms could be extended to more general searches of papers stored in cyberspace, such as special grand juries, for example, or special masters authorized to sift through subpoena materials and to separate relevant from irrelevant information.

    I will close by saying there is no single solution to privacy in cyberspace, no single law that can be passed or technology that can be adopted to restore the fourth amendment protections that people took for granted in the 18th century. The battle has to be fought on many fronts—legal, technological, and political. There is nothing inevitable about the erosion of privacy in cyberspace, just as there is nothing inevitable about its reconstruction.

    We have the ability to rebuild some of the private spaces we have lost, but do we have the will?

    Thank you so much.

    Mr. CANADY. Thank you very much, Professor Rosen.

    [The prepared statement of Mr. Rosen follows:]

PREPARED STATEMENT OF JEFFREY ROSEN, ASSOCIATE PROFESSOR OF LAW, THE GEORGE WASHINGTON UNIVERSITY LAW SCHOOL

    My name is Jeffrey Rosen. I am an associate professor at the George Washington University Law School and legal affairs editor of The New Republic. It is an honor to submit to the Subcommittee on the Constitution this prepared testimony on ''the Fourth Amendment and Internet,'' which is adapted in part from my book, The Unwanted Gaze: The Destruction of Privacy in America (Random House.)

    Monica Lewinsky is an improbable spokesperson for the importance of privacy on the Internet. But in her memoir, Monica's Story, Lewinsky confesses that she was especially unsettled by the Independent Counsel's decision to subpoena her bookstore receipts and her home computer, and to retrieve from her hard drive the e-mails she had tried unsuccessfully to delete and the letters she had drafted to the president but never sent. ''It was such a violation,'' she complained. ''I felt like I wasn't a citizen of this country anymore.''

    At the beginning of the twenty-first century, as thinking and writing increasingly take place in cyberspace rather than in the home, many Americans find that their intimate e-mail, Internet browsing, and electronic papers are similarly vulnerable to being monitored, searched and exposed by public employers, government agents, or private parties. But rather than adapting to new technological threats to privacy, the Fourth Amendment protections for intimate personal information have been eroded by the courts in recent years. The subpoenas issued by Kenneth Starr were perfectly legal, but for most of American history, many of them would have been suppressed as clear violations of the Fourth Amendment to the Constitution. I would like in my prepared testimony to explore some of the reasons that constitutional protections for private papers and diaries and computer files, stored in real space and cyberspace, have evaporated during the past few decades. I will also suggest ways that they might be resurrected.

    To appreciate how dramatically privacy protections for private papers have diminished, it's useful to recall that the search of private diaries and papers was the paradigm case of an unreasonable search or seizure, which the framers of the Bill of Rights intended to forbid. The framers were especially moved by the case of John Wilkes, the English Whig whose diaries were seized by King George III's agents after he wrote North Briton 45, a pamphlet criticizing the King. Wilkes sued the King's messengers for trespassing on his property, and a jury awarded him one thousand pounds in damages—a ruinous amount in its day. The judge in his case, the celebrated Lord Camden, emphasized that English law didn't permit the government to seize private papers for use as ''mere evidence'' in criminal cases. State agents could seize contraband or other illegal goods, which a suspect had no right to possess in the first place, but mere evidence of guilt, such as letters or diaries, were the suspect's ''dearest property,'' and therefore immune from search. Wilkes's case was so galvanizing to the American colonists that the Sons of Liberty, a group that included John Hancock and John Adams, insisted that the fate of Wilkes and America must stand or fall together.

    More than two centuries later, when Bob Packwood, Republican from Oregon, tried to conceal his diaries from his fellow-legislators, he found that the legal protections for private papers had evaporated. When the Senate Ethics Committee subpoenaed all of the diaries that Packwood had dictated between 1989 and 1993, Packwood's lawyers contested the subpoenas, citing a famous opinion from 1886, Boyd v. U.S., in which the Supreme Court had recited the story of John Wilkes, and then announced that subpoenaing a defendant's private business papers in order to use them against him was both an unreasonable search and a form of compelled self-incrimination, violating both the Fourth and Fifth Amendments, which ''run almost into each other.'' In a stirring conclusion, Justice Bradley announced that ''any compulsory discovery by extorting the party's oath, or compelling the production of his private books and papers, to convict him of crime or to forfeit his property, is contrary to the principles of a free government. It is abhorrent to the instincts of an American.''(see footnote 1)

    Unmoved by Packwood's citation of the Boyd case, Judge Thomas Penfield Jackson of the U.S. District Court in Washington ordered him to turn over his diaries to the Senate. The nineteenth century right to privacy, Jackson noted, had been chipped away by subsequent Supreme Court decisions which were initially motivated by a single purpose: eradicating white collar crime. In the years leading up to the Progressive era, it became clear that if people could refuse to turn over their corporate records in response to grand jury subpoenas, then it would be impossible to enforce antitrust laws or railroad laws, and the regulatory state would come to a grinding halt. Well before the New Deal, the Court decided that the only way to investigate corporate crime would be to give prosecutors broad power to subpoena witnesses and to produce documents. And in 1948, the New Deal Court held that the Fifth Amendment wasn't violated by requiring someone to produce records that the government had ordered him to keep, no matter how incriminating or embarrassing the records might be.

    But the Warren and Burger Court went further still, delivering the coup de grace for constitutional privacy protections. In the sexual privacy cases leading up to Roe v. Wade, the Court waxed grandiloquent about ''the sacred precincts of the marital bedroom.'' But the right to privacy in these cases turned out to be a confusing metaphor for a very different right to make personal decisions about procreation. Meanwhile, in a series of less familiar criminal procedure cases, the Court dramatically expanded the power of the police to conduct intrusive searches and, in the process, threatened the ability of innocent people to control the disclosure of personal information in an age when so many of our intimate papers are stored outside the home.

    These decisions were grounded on the legal test that Justice John Marshall Harlan proposed in the Katz case for determining what kind of surveillance activity should trigger the protections of the Fourth Amendment: a person must have an actual or subjective expectation of privacy, Harlan suggested, and the expectation must be one that society is prepared to accept as reasonable.

    Harlan's test was applauded as a victory for privacy, but it soon became clear that it was entirely circular. People's subjective expectations of privacy tend to reflect the amount of privacy they subjectively experience; and as advances in the technology of monitoring and searching have made ever more intrusive surveillance possible, expectations of privacy have naturally diminished, with a corresponding reduction in constitutional protections. In a series of related rulings, the Court held that if you share information with someone else, you relinquish all ''reasonable expectation of privacy'' that the information will remain confidential. In the 1971 case that made it possible for Kenneth Starr to wire Linda Tripp, four justices said that a government informer carrying a radio transmitter could secretly broadcast his conversation with a suspected drug dealer to an agent waiting in a nearby room, because all of us, when we confide in our friends, assume the risk that our friends may betray us. And, in the cases that laid the groundwork for Kenneth Starr's subpoenas of Monica Lewinsky's book store receipts, the Burger Court decided, in the nineteen seventies, that we have no expectation of privacy in information such as bank records and telephone logs that we voluntarily turn over to a third party. The Court insisted, again, that when we share information with other people, all of us assume the risk that those people may disclose the information to the government.

    In the age of the Internet, when so much of our e-mail and other electronic papers are stored on third party networks outside the home, the consequences of Harlan's test have been draconian. The Court has created an incentive for public employers to search and monitor the most private areas of the workplace—including Internet browsing and computer files stored on hard drives—as regularly as possible, in order to decrease their employees' expectation of privacy. The caselaw suggests that merely by adopting a written policy that warns employees that their e-mail may be monitored and restricted, employers will lower expectations of privacy in a way that gives them even broader discretion to monitor and restrict their employees' e-mail.

    If employers were only permitted to monitor their employees' e-mail after clearly warning the employees in advance to expect monitoring, then the surveillance might be tolerated as an intrusive but freely accepted condition of employment. Unfortunately, judges today have adopted something like the opposite rule: even when employers promise to respect the privacy of e-mail, courts are upholding their right to break their promises without warning. In cases involving e-mail sent from work, courts are increasingly holding that employees have very little expectation of privacy, mostly because of the tautological ''expectation of privacy'' test. As long as network administrators have the technical ability to read their employees' e-mail, employees should have no reasonable expectation that their e-mails aren't being read. In 1996, for example, police officers from Reno objected that their Fourth Amendment rights were violated when e-mail messages they had sent over the department's internal message system were retrieved from a central computer. A court rejected their claim, quoting a commentator who noted that ''an employee's privacy interest in E-mail messages'' would likely ''fail the 'expectation of privacy' test since most users probably realize that a system administrator could have access to their E-mail.''(see footnote 2)

    But the fact that e-mail can be physically intercepted doesn't mean that it should be treated, for legal purposes, as if it were a postcard. In colonial America, letters from Europe were left at local taverns by ship captains, open for public inspection until they were claimed. And at the end of the eighteenth century, around the time of the Framing of the American Constitution, the mail was so insecure that Postmaster-General Benjamin Franklin and, later, Thomas Jefferson, thought that their own mail was being opened. (Indeed, Jefferson invented an extraordinary early encryption machine to address this problem.) To alleviate similar concerns, Congress in 1825 passed the Postal Act, which prohibited prying into other people's mail.(see footnote 3) And in 1878, the Supreme Court held that government needed a search warrant to open first class mail, regardless of whether it was sent from the office or from home. Instead of being passive in the face of technological determinism, we should demand similar privacy for e-mail.

    The Court's reasoning—that a person who confides in someone else, or turns over information to a third party, abandons all expectations of privacy in intimate information—is simplistic at best: in the bank records case, the bank managers hadn't chosen to betray the confidences of their depositors. In fact, the government had ordered the bank to keep records of deposits and then forced the bank to disclose those records to a federal grand jury.(see footnote 4) If the Court meant what it said—''a person has no legitimate expectations of privacy in information he voluntarily turns over to third parties''(see footnote 5)—then it would have to reconsider its holding in the wiretapping case, where it said that a person does have a legitimate expectation of privacy in information shared with a friend on the telephone. But the real problem with the Supreme Court's test for invasions of privacy is not empirical but conceptual. In many cases, people have an objectively valid expectation of privacy that the Court, by judicial fiat, has deemed unjustifiable.

    In an important dissent in the bank records case, Justice Thurgood Marshall noted that constitutional protections for privacy shouldn't turn on subjective expectations, which necessarily diminish as technologies of surveillance permit the state to invade privacy in more efficient, but less detectable, ways: ''Whether privacy expectations are legitimate,'' Marshall wrote, ''depends not on the risks an individual can be presumed to accept when imparting information to third parties, but on the risks he should be forced to assume in a free and open society.''(see footnote 6) A vision of privacy that took seriously the text of the Fourth Amendment might emphasize that there is an irreducible core of constitutional protection against unreasonable searches and seizures of persons, houses, electronic papers and effects that is necessary for freedom, regardless of how much or how little privacy people subjectively expect in these areas in the light of changing technologies of surveillance.(see footnote 7)

    When it comes to physical strip searches, courts today have no difficulty recognizing that invasions of privacy that might be reasonable in the investigation of serious crimes can be unreasonable in the investigation of less serious crimes. From 1952 until 1979, for example, police in Chicago routinely strip-searched female prisoners whom they arrested for minor traffic violations.(see footnote 8) Happily, times change: by 1986, the U.S. Court of Appeals in New York had no hesitation in concluding that it was unconstitutional for the police to subject a woman to a strip search after they arrested her for the misdemeanor of filing a false crime report.(see footnote 9) But when confronted with mental strip searches, judges have relinquished the tools to distinguish between violent crimes and thought crimes. The law no longer encourages them, as it should, to balance the intrusiveness of the search against the seriousness of the offense.

    To restore this balancing test, Congress might consider listing the crimes that are serious enough to justify the search of private papers and e-mail, although congressional lists are hardly insulated from political pressure. In 1968, for example, Congress recognized that wiretapping posed such a serious threat to privacy that it could only be justified for especially serious crimes, such as espionage, treason, and crimes of violence. But although wiretapping was authorized for only 26 crimes in 1968, there were 95 crimes on the list in 1996. In that year, 71% of all the wiretaps authorized involved drug cases rather than crimes against the state.(see footnote 10)

    Another alternative might be for Congress to create new legal institutions for protecting privacy. Perhaps special grand juries could be empaneled to evaluate the reasonableness of subpoenas and warrants, balancing the intrusiveness of the search against the seriousness of the crime.

    Subpoenas are ordinarily considered less threatening to privacy than warrants, because they allow the recipient to surrender the specified items, rather than permitting an officer of the state to rummage freely through a home or office. But a broad subpoena that allows prosecutors to retrieve all the data on a suspect's hard drive looks uncomfortably like a general warrant, which authorizes an unconstrained fishing expedition without specifying the areas to be searched or the things to be seized. The fact that private information on computers is extremely hard to delete—in her grand jury testimony, Monica Lewinsky confessed that she had tried unsuccessfully to erase her private e-mails at home, without realizing that prosecutors could retrieve them—makes the threat to privacy in cases involving computer searches all the more acute.

    Arguably, the courts could require some kind of filtering mechanism to prevent prosecutors from riffling through a great deal of innocent documents in search of potentially incriminating ones, even with a warrant or subpoena. Rather than allowing Kenneth Starr to scrutinize Lewinsky's computers, for example, Judge Norma Holloway Johnson could have insisted on reviewing the files herself, and disclosed to the prosecutors only material that was clearly relevant to their investigation and didn't unreasonably threaten Lewinsky's privacy. Or, if Judge Johnson didn't feel that she had the time to undertake such an extensive review, she could have appointed a special privacy master to play the role that Bob Packwood had asked Congress to assign to Kenneth Starr during the investigation of Packwood's diaries, sifting through the hard drive and separating relevant from irrelevant material.

    In civil cases involving the seizure of computer hard drives, in which innocent and potentially incriminating documents are hopelessly intermingled, some courts have suggested that the officers should hold the computers until a magistrate specifies the conditions under which they may be searched.(see footnote 11) When large quantities of information are seized, these courts have suggested, the officers should apply for a second warrant, to ensure that the search will be focused only on relevant documents.(see footnote 12) By ensuring that a neutral magistrate carefully monitors the scope of computer searches, this approach avoids the dangers of general rummaging through private papers that the Framers of the Fourth Amendment were determined to prohibit. Similar filtering mechanisms might be extended to more general searches of private papers stored in cyberspace.

    As for particular statutes, many proposals confront you, including the possibility of adopting general privacy protections, along the lines of the European Union, which holds that information gathered for one purpose shall not be disclosed for another without the consent of the individual concerned. I know that there is strong opposition to such a law, especially from e-commerce interests, and that it faces an uphill battle. But I would like to close by suggesting that law is not the only—or even the most effective—way of restoring in the age of cyberspace the same privacy protections that citizens have long taken for granted in real space. Forms of technological self-help, including self-deleting e-mail, providers of anonymous browsing, and technology to erase postings in chat rooms, may be more effective than broad Congressional statutes.

    There is no single solution to the erosion of privacy in cyberspace: no single law that can be passed or single technology that can be invented to restore Fourth Amendment protections in cyberspace. The battle for privacy must be fought on many fronts—legal, political, and technological—and each new assault must be vigilantly resisted as it occurs. There is nothing inevitable about the erosion of privacy in cyberspace, just as there is nothing inevitable about its reconstruction. We have the ability to rebuild some of the private spaces we have lost. But do we have the will?

    Mr. CANADY. Mr. Baker. I am sorry, Mr. Frederick Baker.

STATEMENT OF FREDERICK JUERGENS BAKER, CHAIRMAN, INTERNET ENGINEERING TASK FORCE

    Mr. FREDERICK BAKER. Thank you, Mr. Chairman. My expertise is not legal, it is technological; and what I expected to talk about today were the issues that the Internet Engineering Task Force uncovered in looking at privacy issues that were raised in that context.

    What we were concerned about, or what we are concerned about, as much as anything is the correlation between the law requiring us to come up with people that are sending messages and committing crimes and the taps or the information one would get from someplace, the costs that are involved in putting that technology into the Net. And then the question of once we have put that technology out there and enabled law enforcement to do the legitimate act of going out to catch a criminal, is there someone else who could hack into it, or in some other way abuse that and use that for, say, corporate espionage. We are concerned that a tool that was once made available tends to be used by anyone who can get access to it, and we are concerned frankly about the security of the Net.

    So cost issues first; let me look at the cost issues. The Net clearly has ways to sort out information and get you particular sessions, this sort of thing. We have tools which we call traffic analyzers which will capture this information, so on and so forth. That is something that is generally used in a particular place at a particular time for a traffic management purpose.

    We are seeing something going on in trying to trace something back; to generalize, a router in order to provide that technology for kind of generalized trap and trace capabilities requires some redesign in the router and some additional functionality and, therefore, cost; and we are concerned that this would be prohibitive to try to deploy on a wide scale in short-order time. It is certainly something that could be done over a period of time, but to say all at once everybody has to be able to tap anything at any time, that would be a big cost.

    Concerning the amount of information that becomes available and the ability then to trace that back to a person, the problem that we have on the Internet is that the Internet technology does not mirror telephone technology, so you don't necessarily have a particular owner to a session except in the host that is originating it, the computer that is originating it.

    Somewhere there is a person who said, ''Send this e-mail,'' but as soon as that computer sent the e-mail and it is out somewhere in the network, it is merely a message which is coming from a computer. That computer may have many users simultaneously or many users serially, so it becomes very difficult in the middle of the Net to trace that back to a person. You can only get to that at a host.

    In order to find out things—and we were talking earlier about trap and trace, being able to follow a telnet session or a mail session through several successive places on the Net, in order to be able to do that, therefore, you have to be able to get access to the host; and if you don't have an administrator who is willing to do that, then that ultimately becomes a matter of hacking into the host. And we are concerned that we are trying to improve the security of the Net, make it so that hackers can't get into your own computer, but in order to tap that computer, then we would have to allow law enforcement to hack into it; and do you really want me to reduce the security of the Net in that way at the very time we are trying very hard to increase the security? So there seems to be a problem there.

    And concerning the availability for other uses and considering the fact that hackers can, in fact, get into computers, we are trying to fix that. But they do. If we deploy technology which will allow tracking and logging the information relating to conversations going across the network, then presumably that is also available to other people.

    I was, last September, in the People's Republic of China, and I was told there that all of the different diagnostic features that are in the equipment that my employer makes, they believe are there basically so that the Department of Defense can shut down the Internet in China should a war start, which is preposterous, but that was their perception. And what I told them was well, if that was true, American service providers would be using that against each other to gain intelligence about each other's corporations and their networks. They said oh, I guess that makes sense, so these things couldn't possibly be that.

    Okay, now, putting tools in there to allow wire tap, to allow privacy invasion of one form or another, for law enforcement purposes that actually becomes available to anybody who can hack into the computer and gain access to it and gives rise to exactly that concern. So those are the things that we were concerned about.

    Mr. CANADY. Thank you, Mr. Baker.

    [The prepared statement of Mr. Frederick Baker follows:]

PREPARED STATEMENT OF FREDERICK JUERGENS BAKER, CHAIRMAN, INTERNET ENGINEERING TASK FORCE

REPORT ON THE RAVEN PROCESS

Wiretap discussions

    With the publishing of RFC 2804, ''IETF Policy on Wiretapping'', it would be worthwhile to report and ruminate on the process and its conclusions. The reader should understand that these notes are the personal thoughts of their author, and not necessarily the opinion of anyone else. But they reflect that discussion as seen by one who participated in it. These ruminations should not surprise those who are familiar with the IETF and its processes, but others may find them interesting and useful to understand, as the process and outcome seemed to surprise others. The IETF is not a lobbying or political organization in that sense, but the discussion and outcome unavoidably have distinct political ramifications. The reasoning and outcome may therefore be useful inputs to those who engage in political discussion and debate.

    The IETF was approached, by engineers building equipment for Internet Telephony, with a suggestion that it should add features to a specific protocol to support what is known as ''legal intercept'', or wiretapping. This triggered a debate within the working group, which was reflected to IETF leadership, and ultimately became a discussion involving much of the IETF. At this point, it would appear that people whose primary interest was not in the Internet, but in Civil Liberties, also joined the debate and conducted much of it. The IETF received a fair bit of free advice, not all of which reflected an accurate knowledge of the relevant laws or the technical considerations. But in the end, the discussion resulted in a viewpoint that the IETF accepted, according to the rule of ''rough consensus.''

    The IETF considered a number of legal theories and national laws. Much of the discussion centered on a US law known as the Communications Assistance to Law Enforcement Agencies (FCC doc. CC Docket No. 97–213), or CALEA, and some discussants tried to challenge viewpoints supporting wiretap in CALEA-centered language. This was helpful in understanding that particular law, which is complex, but also led the discussion to ignore the range of laws.

    Two examples suffice to demonstrate the range of laws concerning legal intercept. Most countries practice wiretap under some circumstances to gather evidence of criminal behavior. In Sweden, it is illegal to attribute a statement to a person in electronic mail, or to refer to him by name, without his consent, and in general wiretap is strongly supported in the law of the European Community. In the People's Republic of China, on the other hand, there is little or no inhibition on government surveillance of its citizens—or its visitors.

    If the IETF were to establish protocol procedures for the systematic interception of communications—regardless of whether done for valid law enforcement objectives or more sinister policing of free thought—it would have to do so in a way that met the specific requirements of law in every country the Internet is deployed in. This is obviously a complex and exacting requirement.

    The IETF has considered wiretap questions before, notably when it considered a procedure known as Key Escrow or Key Recovery. In that case, it documented the result of its discussion in RFC 1984, IAB and IESG Statement on Cryptographic Technology and the Internet, the number for which is indicative of the viewpoint it expresses. But in this case, the IETF leadership felt that it should have its final discussion, presenting a viewpoint that would guide it for the foreseeable future. The mailing list, and the discussion that took place on it, took its name from Poe's Raven, which said ''Nevermore!''.

The issues in Wiretapping

    In any country, the government has two fundamental objectives: to make and enforce its laws, and to preserve and protect its citizens. To the extent that it fails in either objective, it is undermined; if it cannot enforce its laws, they are meaningless, and if it cannot protect its citizens, it is only a matter of time until it is replaced. It is common (although not universal) for the citizens to accept that the government must do some things, that no citizen would do, in pursuing those objectives, among which are the surveillance of its citizens.

    At the opposite extreme are criminals, which may view their activities as anything from a quick way to make a profit to a business that requires unusual protections. In general, they view their activities as deserving secrecy and protection.

    A problem that the citizen faces is that sometimes he is caught in government's net for criminals, or runs afoul of some other ''official purpose''. This is the reason we have courts—to evaluate evidence and determine whether law enforcement has successfully caught a criminal. The citizen's perspective tends to be that government has no legitimate reason to investigate him, as he is not knowingly in violation of any law. He quickly becomes concerned when the government approaches. In the words of Tevye's Rabbi's blessing on the Czar, ''May God bless and keep him, far away from us!''

    The problem at the heart of the Raven discussion was the limits on law enforcement, including both the investigative equivalent of drift net fishing and the unwarranted targeting of individuals, and the availability of the technology, once deployed, to extra-legal interests such as industrial espionage.

The Proposals

    Several proposals have been made which enhance law enforcement's ability to gather intelligence and evidence on criminal activity in a world filled with computers. These include, at minimum, Key Escrow (also known as Key Recovery), Legal Intercept, banning or licensing of the export of encryption, and the outright ban of encryption.

Key Escrow

    The premise underlying Key Escrow is a simple and seductive line of reasoning. If a person uses encryption to secure his data or his communications, clearly he is doing little more than throwing away his information unless he manages to remember the encryption key. This being the case, it is in a business's interest to maintain a copy of its employees' keys in some way in order to avoid losing their work when the person leaves the company, and the key is available to a court's subpoena. Why not enforce their escrow in some place that the government potentially has access to? If one does this, then the legitimate interests of government are supported, should encryption be used to hide a crime or plans to commit one.

    There are a number of issues that this raises. Some of them are business and technical issues; the key and the database that stores it are potentially expensive and sensitive resources. In the United States, where wiretapping is only legal for telephony, one wonders why the proposals suggested the escrow of keys for data, although in other countries, such as the United Kingdom, any information is essentially fair game. There are questions of the technology supporting the database. If every access of the data requires an access of the database to obtain the key, two problems result. The repeated key transfer itself creates an opportunity for the illicit recovery of the key by an unauthorized person, and the necessity for the key transfer slows down access to the protected data by the time required to access the key from the network database. The simple solution, of course, is to maintain the key locally, but then the database is defeated, because there is no assurance that every key is in the database.

    Beyond that, once a key escrow database or key recovery procedure has been instituted, the key is potentially available to anyone, and once a key has been obtained it is permanently known and all documents it protects are permanently accessible. Legitimate government interests may obtain it with a warrant, of course. In so doing, they cannot but obtain overbroad results due to the fact that the key applies to more data than the warrant requires, or force the corporation to have a separate key for every communication and document, which is a costly and time consuming process. But corporate competitors and gangsters may also obtain it by corrupting or blackmailing the people who maintain the database, or by breaking into the computer that holds it. As a result, the information itself, theoretically secured by encryption, is no longer secure. Placing all the keys into one database, even a distributed one, makes the database all the more tempting (and insecure) a target for those who would violate it.

    This loss of security and availability of the key undermines the fundamental purpose for which law enforcement sought access to the key. Because the key has potentially become available to anyone willing to exercise himself to obtain it, it has again become possible for a forger to store data or send messages in the name of the user of the key. As a result, the use of the key to encrypt information is no longer prima facie evidence that the owner of the key is a criminal. But it is precisely this—to gain intelligence about criminals and criminal activity and in the end convict criminals—which motivated law enforcement to request the escrow of the key.

    There is one final question: a key issue is that Key Escrow demeans the society's view of the citizen. Consider what one does in building a home. One puts a door on the entry, and a lock on the door, because the owner of the home believes that there are some people who should knock on the door before entering the home. Does the owner then make a copy of the key to the lock and present it to the local magistrate, saying ''should you ever decide that I may be a criminal, here is the key so that you may search my home''? Of course he does not, and his reason is that no government views its citizens as criminals that have not been caught yet—it views them rather as members of its constituency which may occasionally become criminals. If this is true of the door on the home or place of business, why would it be less true of the computer located in the home or place of business? If our home and business are themselves increasingly found on the disk drive, to not extend it the protections of the fourth amendment borders on the bizarre.

Legal Intercept

    Most, perhaps all, governments tap telephones to gather intelligence on criminals and criminal activity and other sanctioned purposes. An important part of the procedure is that the person being monitored has no knowledge of the tap; if he did, he might alter his behavior. Therefore that tap is invariably placed somewhere out of his control, usually in a telephone company office. This procedure has not always been universally accepted. In the United States, wiretap evidence was not acceptable to a court until the Telecommunications Act of 1967; prior to that wiretap was unregulated and was not accepted as evidence in court. However, in many countries, wiretap by law enforcement is a normal and accepted procedure. The extension to the Internet is obvious: if the modes of communication change, why would common procedures not be extended to the Internet?

    A fundamental problem is that the nations have not agreed to a common law concerning wiretap. Some tap everything, some tap only voice, and depending on the terms of a warrant one may get various kinds of information in different ways. As a result, in the worst case, multinational vendors are forced to consider wiretap law on a nation by nation basis, creating slightly different software and perhaps hardware for sale in each nation.

    The technical issues in wiretap are not in identifying or copying the information. While not free, this is relatively straightforward; the one question would be to what extent deployed equipment would have to be upgraded to support it and what the implications of that upgrade would be. The more substantive technical issues revolve around the fact that although tapping an Internet session is not fundamentally different than tapping a telephone session, Internet technology does not mirror telephone technology, around which procedures and laws for legal intercept are designed. The Internet equivalent of a pair of alligator clips involves a management action on a computer that is normally owned or operated by the person whose data one wants to intercept. This is because Internet data is a stream of messages addressed from a process on a computer to a process on another computer, but there is no concept of a personal owner of that data stream anywhere in the network other than on those two computers. Multi-user computers are common, and even single user computers such as laptops and mobile telephones are frequently available to multiple users serially—the computer the author is writing this article on is occasionally used by his family to send electronic mail or look up material on the web. So if someone is tapping a data stream in order to find out what a person is thinking or saying, apart from access to the end systems in the conversation, he cannot determine which person originated the data stream. As a result, either Internet wiretap requires us to enable law enforcement to successfully hack any computer in the Internet (a fact that hackers would welcome), or results beyond those in any well-defined warrant are highly likely.

    The most basic issue is one of intent. Security issues concerning Internet technology, which may be viewed as a research experiment that escaped the laboratory, have been raised in recent years. The engineering and business community that operates the Internet is working diligently to improve that security. This includes assuring that message switching equipment cannot be compromised, that end systems cannot be compromised by hackers and crackers, and that electronic commerce is supported by authentication and encryption technologies which incontrovertibly trace an exchange back to a source. Enabling random persons to gain management access to computers—whether corporately owned or privately owned—and message switching equipment, reroute or duplicate its data exchanges, and generally access its contents is clearly a direct weakening of that security infrastructure. As hackers have repeatedly demonstrated, it is possible for someone to gain control of sensitive computers, change financial records, modify web pages, forge messages, and even retarget military assets. Is it in the best interest of the state or of the Internet to deliberately weaken security and allow uncontrolled management access to computers? But this is precisely what is required to implement Legal Intercept, as currently defined, in the Internet.

Making encryption technology Illegal to sell to some countries

    The COCOM treaty has been invoked over the past thirty years to prevent the sale of encryption technology across certain borders and to generally license it. The theory is, of course, that the technology is a munition that does not exist in the targeted country, and by not selling products containing encryption to the country one denies the country access to it. In another century, when bodies of water and armed guards controlled borders and theorists had difficulty communicating, this was a reasonable theory. However, in computer technology and especially in the Information Age, this has become trivial to bypass. The technology may be developed or redeveloped in the targeted country in several ways. To begin with, many countries have their own cryptographic research. If a particular nation's technology is of interest, a traveler can purchase a book and return home, or the equivalent web page can be accessed. A recent decision by the US Federal Courts calls rulings that prevent the discussion and spread of the technology prior restraint of the freedom of speech. A necessary result is that the implementation can be done in the country to which the product may not be exported. COCOM export restrictions are therefore protectionist legislation which one country enacts to favor industry in another, something that boggles the mind.

Banning Encryption

    Some countries go as far as to ban the use of encryption entirely. This approach, of course, makes the entire concept of Key Escrow moot, and can only be supported if one starts from the assumption that all information is available to random wiretap. It therefore has all the problems of Key Escrow and Legal Intercept, and no definable controls. It only makes sense in a country which fundamentally views its citizens as untrustworthy, which is an interesting observation given the stated ideals of some of the countries which take this course.

    But this approach has a bigger problem in the Internet. If encryption is unlawful to use at all, it is unlawful to use to secure the Internet infrastructure, and the insecurity of the Internet is enshrined in law. This observation calls for sober consideration.

IETF decision on wiretap, and specifically on legal intercept

    The IETF believes that strong privacy, implemented using strong authentication or encryption, is important for the development of Internet commerce and for the safety of both the infrastructure and its users. The IETF itself makes no statement on law, and its specifications are used throughout the world to build a single global network. Obviously, nations are sovereign, and can pass any laws they like concerning the use of that technology within and across their borders. For the IETF to try to stop that from happening would be futile, and for the IETF to try to develop one comprehensive specification that supports the wiretap laws of every country would be an impossibly complex undertaking. In essence, the IETF concluded that these are national matters and are best left to national bodies.

    That observation, however, sidesteps some very difficult legal, societal, and technical problems which the members of the IETF community see, and which this article has attempted to expose. Having observed on them, the IETF is of the opinion that this discussion must continue in venues better suited to it. But the issues are very troubling to the IETF community at large.

    The IETF understands that this viewpoint is not helpful to law enforcement interests. It observes that in at least the western democracies, the job of law enforcement is intentionally difficult, and that the rights of the citizen are not normally traded away for the ease of law enforcement. To quote two men who have arguably shaped part of that line of reasoning,

  They that give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.—Benjamin Franklin, 1759

  Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.—William Pitt

    In essence, we observe that the concept of a border has changed dramatically over the past decade. A national border used to be a boundary that controlled trade, the transference of people, ideas, and information, and which could be guarded—and was regarded as something that should be guarded—by oceans, walls, and men with guns. With the explosive deployment of communications technology, however, it has become the edge of a legal jurisdiction that is transparent to the communication of information and arguably creates more trouble than it avoids. Recognizing this, the nations of Europe are coalescing into a European Community with open internal borders and a set of states with open borders to the European Community. Recognizing this, the North American Free Trade Zone is (at least in theory) lowering barriers to commerce and communication across borders. Recognizing this, financial managers increasingly talk not about geographically and politically separated commercial zones, but about a single global economy with many interdependent parts. It is no longer obvious that governments can or should inhibit the flow of information, as the ultimate responsibility for the information and its use is increasingly forced to rest in the hands of the citizen.

Enclosures:

IAB AND IESG STATEMENT ON CRYPTOGRAPHIC TECHNOLOGY AND THE INTERNET

Status of This Memo

    This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright

    (C) Internet Society 1996. Reproduction or translation of the complete document, but not of extracts, including this notice, is freely permitted.

July 24, 1996

    The Internet Architecture Board (IAB) and the Internet Engineering Steering Group (IESG), the bodies which oversee architecture and standards for the Internet, are concerned by the need for increased protection of international commercial transactions on the Internet, and by the need to offer all Internet users an adequate degree of privacy.

    Security mechanisms being developed in the Internet Engineering Task Force to meet these needs require and depend on the international use of adequate cryptographic technology. Ready access to such technology is therefore a key factor in the future growth of the Internet as a motor for international commerce and communication.

    The IAB and IESG are therefore disturbed to note that various governments have actual or proposed policies on access to cryptographic technology that either:

(a) impose restrictions by implementing export controls; and/or

(b) restrict commercial and private users to weak and inadequate mechanisms such as short cryptographic keys; and/or

(c) mandate that private decryption keys should be in the hands of the government or of some other third party; and/or

(d) prohibit the use of cryptology entirely, or permit it only to specially authorized organizations.

    We believe that such policies are against the interests of consumers and the business community, are largely irrelevant to issues of military security, and provide only a marginal or illusory benefit to law enforcement agencies, as discussed below.

    The IAB and IESG would like to encourage policies that allow ready access to uniform strong cryptographic technology for all Internet users in all countries.

The IAB and IESG claim:

    The Internet is becoming the predominant vehicle for electronic commerce and information exchange. It is essential that the support structure for these activities can be trusted.

    Encryption is not a secret technology monopolized by any one country, such that export controls can hope to contain its deployment. Any hobbyist can program a PC to do powerful encryption. Many algorithms are well documented, some with source code available in textbooks.

    Export controls on encryption place companies in that country at a competitive disadvantage. Their competitors from countries without export restrictions can sell systems whose only design constraint is being secure, and easy to use.

    Usage controls on encryption will also place companies in that country at a competitive disadvantage because these companies cannot securely and easily engage in electronic commerce.

    Escrow mechanisms inevitably weaken the security of the overall cryptographic system, by creating new points of vulnerability that can and will be attacked.

    Export controls and usage controls are slowing the deployment of security at the same time as the Internet is exponentially increasing in size and attackers are increasing in sophistication. This puts users in a dangerous position as they are forced to rely on insecure electronic communication.

TECHNICAL ANALYSIS

Key Size

    It is not acceptable to restrict the use or export of cryptosystems based on their key size. Systems that are breakable by one country will be breakable by others, possibly unfriendly ones. Large corporations and even criminal enterprises have the resources to break many cryptosystems. Furthermore, conversations often need to be protected for years to come; as computers increase in speed, key sizes that were once out of reach of cryptanalysis will become insecure.

Public Key Infrastructure

    Use of public key cryptography often requires the existence of a ''certification authority''. That is, some third party must sign a string containing the user's identity and public key. In turn, the third party's key is often signed by a higher-level certification authority.

    Such a structure is legitimate and necessary. Indeed, many governments will and should run their own CAs, if only to protect citizens' transactions with their governments. But certification authorities should not be confused with escrow centers. Escrow centers are repositories for private keys, while certification authorities deal with public keys. Indeed, sound cryptographic practice dictates that users never reveal their private keys to anyone, even the certification authority.

Keys Should Not Be Revealable

    The security of a modern cryptosystem rests entirely on the secrecy of the keys. Accordingly, it is a major principle of system design that to the extent possible, secret keys should never leave their user's secure environment. Key escrow implies that keys must be disclosed in some fashion, a flat-out contradiction of this principle. Any such disclosure weakens the total security of the system.

Data Recovery

    Sometimes escrow systems are touted as being good for the customer because they allow data recovery in the case of lost keys. However, it should be up to the customer to decide whether they would prefer the more secure system in which lost keys mean lost data, or one in which keys are escrowed to be recovered when necessary. Similarly, keys used only for conversations (as opposed to file storage) need never be escrowed. And a system in which the secret key is stored by a government and not by the data owner is certainly not practical for data recovery.

Signature Keys

    Keys used for signatures and authentication must never be escrowed. Any third party with access to such keys could impersonate the legitimate owner, creating new opportunities for fraud and deceit.

    Indeed, a user who wished to repudiate a transaction could claim that his or her escrowed key was used, putting the onus on that party. If a government escrowed the keys, a defendant could claim that the evidence had been forged by the government, thereby making prosecution much more difficult. For electronic commerce, non-repudiation is one of the most important uses for cryptography; and non-repudiation depends on the assumption that only the user has access to the private key.

Protection of the Existing Infrastructure

    In some cases, it is technically feasible to use cryptographic operations that do not involve secrecy. While this may suffice in some cases, much of the existing technical and commercial infrastructure cannot be protected in this way. For example, conventional passwords, credit card numbers, and the like must be protected by strong encryption, even though some day more sophisticated techniques may replace them. Encryption can be added on quite easily; wholesale changes to diverse systems cannot.

Conflicting International Policies

    Conflicting restrictions on encryption often force an international company to use a weak encryption system, in order to satisfy legal requirements in two or more different countries. Ironically, in such cases either nation might consider the other an adversary against whom commercial enterprises should use strong cryptography. Clearly, key escrow is not a suitable compromise, since neither country would want to disclose keys to the other.

Multiple Encryption

    Even if escrowed encryption schemes are used, there is nothing to prevent someone from using another encryption scheme first. Certainly, any serious malefactors would do this; the outer encryption layer, which would use an escrowed scheme, would be used to divert suspicion.

Escrow of Private Keys Won't Necessarily Allow Data Decryption

    A major threat to users of cryptographic systems is the theft of long-term keys (perhaps by a hacker), either before or after a sensitive conversation. To counter this threat, schemes with ''perfect forward secrecy'' are often employed. If PFS is used, the attacker must be in control of the machine during the actual conversation. But PFS is generally incompatible with schemes involving escrow of private keys. (This is an oversimplification, but a full analysis would be too lengthy for this document.)

Conclusions

    As more and more companies connect to the Internet, and as more and more commerce takes place there, security is becoming more and more critical. Cryptography is the most powerful single tool that users can use to secure the Internet. Knowingly making that tool weaker threatens their ability to do so, and has no proven benefit.

Security Considerations

    Security issues are discussed throughout this memo.

    The Internet Society is described at http://www.isoc.org/

    The Internet Architecture Board is described at http://www.iab.org/iab

    The Internet Engineering Task Force and the Internet Engineering Steering Group are described at http://www.ietf.org

IETF POLICY ON WIRETAPPING

Status of this Memo

    This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

    Copyright (C) The Internet Society (2000). All Rights Reserved.

Abstract

    The IETF has been asked to take a position on the inclusion into IETF standards-track documents of functionality designed to facilitate wiretapping.

    This memo explains what the IETF thinks the question means, why its answer is ''no'', and what that answer means.

1. Summary position

    The IETF has decided not to consider requirements for wiretapping as part of the process for creating and maintaining IETF standards.

    It takes this position for the following basic reasons:

 The IETF, an international standards body, believes itself to be the wrong forum for designing protocol or equipment features that address needs arising from the laws of individual countries, because these laws vary widely across the areas that IETF standards are deployed in. Bodies whose scope of authority correspond to a single regime of jurisdiction are more appropriate for this task.

 The IETF sets standards for communications that pass across networks that may be owned, operated and maintained by people from numerous jurisdictions with numerous requirements for privacy. In light of these potentially divergent requirements, the IETF believes that the operation of the Internet and the needs of its users are best served by making sure the security properties of connections across the Internet are as well known as possible. At the present stage of our ignorance this means making them as free from security loopholes as possible.

 The IETF believes that in the case of traffic that is today going across the Internet without being protected by the end systems (by encryption or other means), the use of existing network features, if deployed intelligently, provides extensive opportunities for wiretapping, and should be sufficient under presently seen requirements for many cases. The IETF does not see an engineering solution that allows such wiretapping when the end systems take adequate measures to protect their communications.

 The IETF believes that adding a requirement for wiretapping will make affected protocol designs considerably more complex. Experience has shown that complexity almost inevitably jeopardizes the security of communications even when it is not being tapped by any legal means; there are also obvious risks raised by having to protect the access to the wiretap. This is in conflict with the goal of freedom from security loopholes.

 The IETF restates its strongly held belief, stated at greater length in [RFC 1984], that both commercial development of the Internet and adequate privacy for its users against illegal intrusion requires the wide availability of strong cryptographic technology.

 On the other hand, the IETF believes that mechanisms designed to facilitate or enable wiretapping, or methods of using other facilities for such purposes, should be openly described, so as to ensure the maximum review of the mechanisms and ensure that they adhere as closely as possible to their design constraints. The IETF believes that the publication of such mechanisms, and the publication of known weaknesses in such mechanisms, is a Good Thing.

2. The Raven process

    The issue of the IETF doing work on legal intercept technologies came up as a byproduct of the extensive work that the IETF is now doing in the area of IP-based telephony.

    In the telephony world, there has been a tradition of cooperation (often mandated by law) between law enforcement agencies and telephone equipment operators on wiretapping, leading to companies that build telephone equipment adding wiretapping features to their telephony-related equipment, and an emerging consensus in the industry of how to build and manage such features. Some traditional telephony standards organizations have supported this by adding intercept features to their telephony-related standards.

    Since the future of the telephone seems to be intertwined with the Internet it is inevitable that the primary Internet standards organization would be faced with the issue sooner or later.

    In this case some of the participants of one of the IETF working groups working on a new standard for communication between components of a distributed phone switch brought up the issue. Since adding features of this type would be something the IETF had never done before, the IETF management decided to have a public discussion before deciding if the working group should go ahead. A new mailing list was created (the Raven mailing list, see http://www.ietf.org/mailman/listinfo/raven) for this discussion. Close to 500 people subscribed to the list and about 10% of those sent at least one message to the list. The discussion on this list was a precursor to a discussion held during the IETF plenary in Washington.

    Twenty-nine people spoke during the plenary session. Opinions ranged from libertarian: ''governments have no right to wiretap''—to pragmatic: ''it will be done somewhere, best have it done where the technology was developed''. At the end of the discussion there was a show of hands to indicate opinions: should the IETF add special features, not do this or abstain. Very few people spoke out strongly in support for adding the intercept features, while many spoke out against it, but a sizable portion of the audience refused to state an opinion (raised their hands when asked for ''abstain'' in the show of hands).

    This is the background on the basis of which the IESG and the IAB was asked to formulate a policy.

3. A definition of wiretapping

    The various legal statutes defining wiretapping do not give adequate definitions to distinguish between wiretapping and various other activities at the technical level. For the purposes of this memo, the following definition of wiretapping is used:

    Wiretapping is what occurs when information passed across the Internet from one party to one or more other parties is delivered to a third party:

1. Without the sending party knowing about the third party

2. Without any of the recipient parties knowing about the delivery to the third party

3. When the normal expectation of the sender is that the transmitted information will only be seen by the recipient parties or parties obliged to keep the information in confidence

4. When the third party acts deliberately to target the transmission of the first party, either because he is of interest, or because the second party's reception is of interest.

    The term ''party'', as used here, can refer to one person, a group of persons, or equipment acting on behalf of persons; the term ''party'' is used for brevity.

    Of course, many wiretaps will be bidirectional, monitoring traffic sent by two or more parties to each other.

    Thus, for instance, monitoring public newsgroups is not wiretapping (condition 3 violated), random monitoring of a large population is not wiretapping (condition 4 violated), a recipient passing on private email is not wiretapping (condition 2 violated).

    An Internet equivalent of call tracing by means of accounting logs (sometimes called ''pen registers'') that is a feature of the telephone network is also wiretapping by this definition, since the normal expectation of the sender is that the company doing the accounting will keep this information in confidence.

    Wiretapping may logically be thought of as 3 distinct steps:

 Capture—getting information off the wire that contains the information wanted

 Filtering—selecting the information wanted from information gathered by accident

 Delivery—transmitting the information wanted to the ones who want it.

    The term applies to the whole process; for instance, random monitoring followed by filtering to extract information about a smaller group of parties would be wiretapping by this definition.

    In all these stages, the possibility of using or abusing mechanisms defined for this purpose for other purposes exists.

    This definition deliberately does not include considerations of:

 Whether the wiretap is legal or not, since that is a legal, not a technical matter

 Whether the wiretap occurs in real time, or can be performed after the fact by looking at information recorded for other purposes (such as the accounting example given above)

 What the medium targeted by the wiretap is—whether it is email, IP telephony, Web browsing or EDI transfers

    These questions are believed to be irrelevant to the policy outlined in this memo.

    Wiretapping is also sometimes called ''interception'', but that term is also used in a sense that is considerably wider than the monitoring of data crossing networks, and is therefore not used here.

4. Why the IETF does not take a moral position

    Much of the debate about wiretapping has centered around the question of whether wiretapping is morally evil, no matter who does it, necessary in any civilized society, or an effective tool for catching criminals that has been abused in the past and will be abused again.

    The IETF has decided not to take a position in this matter, since:

 There is no clear consensus around a single position in the IETF

 There is no means of detecting the morality of an act ''on the wire''. Since the IETF deals with protocol standardization, not protocol deployment, it is not in a position to dictate that its product is only used in moral or legal ways.

    However, a few observations can be made:

 Experience shows that tools which are effective for a purpose tend to be used for that purpose.

 Experience shows that tools designed for one purpose that are effective for another tend to be used for that other purpose too, no matter what its designers intended.

 Experience shows that if a vulnerability exists in a security system, it is likely that someone will take advantage of it sooner or later.

 Experience shows that human factors, not technology per se, are the biggest single source of such vulnerabilities.

    What this boils down to is that if effective tools for wiretapping exist, it is likely that they will be used as designed, for purposes legal in their jurisdiction, and also in ways they were not intended for, in ways that are not legal in that jurisdiction. When weighing the development or deployment of such tools, this should be borne in mind.

5. Utility considerations

    When designing any communications function, it is a relevant question to ask if such functions efficiently perform the task they are designed for, or whether the work spent in developing them is not, in fact, worth the benefit gained.

    Given that there are no specific proposals being developed in the IETF, the IETF cannot weigh proposals for wiretapping directly in this manner.

    However, as above, a few general observations can be made:

 Wiretapping by copying the bytes passed between two users of the Internet with known, static points of attachment is not hard. Standard functions designed for diagnostic purposes can accomplish this.

 Correlating users' identities with their points of attachment to the Internet can be significantly harder, but not impossible, if the user uses standard means of identification. However, this means linking into multiple Internet subsystems used for address assignment, name resolution and so on; this is not trivial.

 An adversary has several simple countermeasures available to defeat wiretapping attempts, even without resorting to encryption. This includes Internet cafes and anonymous dialups, anonymous remailers, multi-hop login sessions and use of obscure communications media; these are well known tools in the cracker community.

 Of course, communications where the content is protected by strong encryption can be easily recorded, but the content is still not available to the wiretapper, defeating all information gathering apart from traffic analysis. Since Internet data is already in digital form, encrypting it is very simple for the end-user.

    These things taken together mean that while wiretapping is an efficient tool for use in situations where the target of a wiretap is either ignorant or believes himself innocent of wrongdoing, Internet-based wiretapping is a less useful tool than might be imagined against an alerted and technically competent adversary.

6. Security considerations

    Wiretapping, by definition (see above), releases information that the information sender did not expect to be released.

    This means that a system that allows wiretapping has to contain a function that can be exercised without alerting the information sender to the fact that his desires for privacy are not being met.

    This, in turn, means that one has to design the system in such a way that it cannot guarantee any level of privacy; at the maximum, it can only guarantee it as long as the function for wiretapping is not exercised.

    For instance, encrypted telephone conferences have to be designed in such a way that the participants cannot know to whom any shared keying material is being revealed.

    This means:

 The system is less secure than it could be had this function not been present.

 The system is more complex than it could be had this function not been present.

 Being more complex, the risk of unintended security flaws in the system is larger.

    Wiretapping, even when it is not being exercised, therefore lowers the security of the system.

7. Acknowledgements

    This memo is endorsed by the IAB and the IESG.

    Their membership is:

IAB:

Harald Alvestrand
Randall Atkinson
Rob Austein
Brian Carpenter
Steve Bellovin
Jon Crowcroft
Steve Deering
Ned Freed
Tony Hain
Tim Howes
Geoff Huston
John Klensin

IESG:

Fred Baker
Keith Moore
Patrik Falstrom
Erik Nordmark
Thomas Narten
Randy Bush
Bert Wijnen
Rob Coltun
Dave Oran
Jeff Schiller
Marcus Leech
Scott Bradner
Vern Paxson
April Marine

    The contributors to the discussion are too numerous to list.

9. References

    [RFC 1984] IAB and IESG Statement on Cryptographic Technology and the Internet. IAB & IESG. August 1996.

9. Full Copyright Statement

    Copyright (C) The Internet Society (2000). All Rights Reserved.

    This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

    The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

    This document and the information contained herein is provided on an ''AS IS'' basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

    Funding for the RFC Editor function is currently provided by the Internet Society.

    Mr. CANADY. Mr. Baker.

STATEMENT OF STEWART BAKER, STEPTOE & JOHNSON

    Mr. STEWART BAKER. Thank you. It is a pleasure to be here. Thank you, and Mr. Watt and Mr. Barr.

    I thought I would talk about topics that some of the other speakers will not be talking about, two in particular, focused on the FBI's policies in this area.

    There is a story about Henry Wallace, who was Vice President under Roosevelt. Someone once introduced him this way, ''This is a man of extraordinary conviction. He would cut off his right arm for an idea he believed in. Yours too for that matter.'' And that—I think that reflects the risks that the FBI faces as it pursues efforts to deal with new technology. It is very focused on making sure that its law enforcement capabilities are preserved and enhanced in the face of this new technology and sometimes I think a little too focused on that.

    So I would like to talk about two issues, first, what the FBI has done in order to change the playing field in its favor where it perceives the technology as taking away capabilities. It has some striking influence on the technology policy in this country.

    First, in CALEA, it is spending hundreds of millions of dollars and exercising the threat of $10,000 a day fines to get very substantial changes in telecommunications gear to make wiretapping easier. And, interestingly, none of its fights with industry have been over whether the FBI can get the content of tapped calls; that has always been easily agreed upon. The fights have all turned on the FBI's effort to get more and more transactional data under the guise of trap and trace orders and the like, probably because, as we have heard, the legal standard for getting that information is quite low.

    Second, we all know the substantial role that the FBI played in the encryption debates, including putting its agents on the review teams for exported equipment and setting up a system designed to reward people who build particularly law-enforcement-friendly systems.

    Third, the National Infrastructure Protection Center in the FBI spends tens of millions of dollars, produces equipment, and exercises considerable sway over the kinds of security standards that are built into our computer infrastructure.

    The fourth is probably the least focused area of FBI technology policy-making. The FBI and the Justice Department have intervened repeatedly at the FCC to try to deny licenses to companies that have not been fully cooperative or that have developed new technologies that the FBI thinks should be more accessible. This is all in an effort to get the FCC, usually successfully, to deny licenses to operate in the United States to companies that have not cooperated with the Bureau. They did this to Iridium when Iridium wanted to locate a ground station in Canada. They did it in the BT–MCI merger. And it has become a regular feature of mergers where foreign companies propose to provide telecommunications services in the United States.

    All of those things have happened without any significant supervision, with the possible occasional exception of Justice Department supervision. The Bureau is a wonderful organization, but sharing information and coordinating with other agencies are not its real strength.

    So my first suggestion is that this committee consider the question whether there ought to be some form of technology policy oversight board that would have the ability to ask the FBI any question it wanted about the activities of the FBI in influencing technology policy. It seems to me that this is an area where opening up the system would make a lot of sense.

    My second point, and I will make this in closing, is that we ask ourselves, as the FBI builds these enormous transactional databases, ''what is going to happen to that information?'' The answer is that it is going to stay in those files forever. The FBI doesn't throw much out, and in the end it will all be subject to the Freedom of Information Act. And so if we are worried about our privacy in the future, we should be worried about the effect of the Freedom of Information Act. FOIA requests can ask for everything in the FBI's files on Representative Barr or Chairman Canady, and the only protection for their privacy is that the data wouldn't be released if the release would mean an unwarranted invasion of privacy.

    So far, so good. But, the Justice Department and the FBI have taken the view that when you die, you ain't got no privacy. That is a bit of an oversimplification. Occasionally they have blocked the release of autopsy photos even after someone has died, but if you go to the FBI's Website today, you can find that they actually put these files on their Website—John Lennon's FBI file, Mickey Mantle's FBI files; and my personal favorite, George Orwell's files.

    It seems to me this has to change. When the FBI gets a request to produce information aimed at a particular individual, they should give that individual or his heirs notice that that request has been filed. There is no requirement for that today, and you might also ask why should the taxpayer subsidize that kind of invasion of privacy by providing free search services under FOIA to people who are mostly engaged in voyeuristic efforts to find out more about famous people.

    So that would be my suggestion, that you focus on first providing oversight for what the FBI is doing to influence technology, and second, that you ask what is going to happen to all that data in the long run. Thank you.

    Mr. CANADY. Thank you very much, Mr. Baker.

    Professor Fishman.

STATEMENT OF CLIFFORD S. FISHMAN, PROFESSOR OF LAW, COLUMBUS SCHOOL OF LAW, CATHOLIC UNIVERSITY OF AMERICA

    Mr. FISHMAN. Thank you, Mr. Chairman, members of the subcommittee. I appreciate the opportunity to testify today.

    The fourth amendment constantly requires us to strike a balance between the conflicting interests of individual privacy and the need for effective law enforcement, and the Internet obviously has exposed some absurd anomalies in the way the balance is struck today. Suppose, for example, the Government wants to examine my address book and my appointment book. If I keep these things in my pocket, in my desk drawer or on my hard drive of my computer at home, the Government needs a search warrant based on probable cause issued by a judge before it can search and seize those items. The Government can subpoena them from me, but I may be protected from having to surrender them because the very act of turning them over in compliance with the subpoena has what the Supreme Court has acknowledged are fifth amendment testimonial implications.

    But if instead I keep that address book or that appointment calendar on a service provided by my Internet service provider, the Supreme Court's fourth amendment decisions say that the Government can simply obtain those items from the ISP by subpoena, and I have no basis to complain because they aren't being taken from me; nor do I have a fifth amendment basis to complain, because I am not being compelled to surrender anything. It is the ISP that is doing the surrendering.

    Similarly, a subpoena would suffice to obtain a list of the Websites I visit or the chat rooms that I visit, assuming that information is retrievable by my ISP, and, of course, this is very disturbing. But let us remember that unless there is evidence that the Government has abused or is abusing its ability to accumulate evidence against us, we should be careful not to rush in to throw up barricades which make it more difficult or impossible for law enforcement to do its job.

    I think despite some criticisms, we should acknowledge that the Justice Department has overall done a superb job complying with the restrictions imposed by title III of the Organized Crime Control and Safe Streets Act of 1968. If you eliminate the escapades of John Mitchell's Justice Department, its record in obtaining interception orders properly, its record in executing the orders properly and its record in preserving the privacy, even of those whose incriminating conversations are intercepted is, I think, rather remarkable. Some State offices have done as well, some States have done much more poorly, but I think overall the Justice Department has done a superb job using title III as it was meant.

    I am not troubled by another witness's testimony that one year 2 million innocent conversations were intercepted during court-approved wiretaps when you consider that in that same year there were probably billions, maybe trillions, of phone conversations that took place in this country. The amount of wiretapping done in this country is an incredibly small drop in the bucket, and it will always remain so for a variety of reasons, but I think we should acknowledge the Justice Department's record in complying with the law overall is quite excellent.

    We must not forget that there are those who use the Internet to learn how to build bombs; to incite others to violence; to gather information to defraud, extort or intimidate; or to entice vulnerable children into sexual liaisons. We have to be careful, in making sure that privacy is protected, that we don't make it impossible for the Government to protect us against those and similar crimes.

    A variety of approaches should be considered in striking the balance. Obviously ECPA is now woefully out of date. Professor Rosen suggested that the law could vary the intensity of search permitted by the severity of the crime being investigated. He also suggested when a massive amount of information is seized, that a neutral master be appointed to decide what material the Government gets and what it doesn't.

    There are other solutions which, depending on the information sought, might be worthwhile.

    The administrative regulation, drafted in response to the Privacy Protection Act of 1980, 42 U.S.C. §2000aa et seq., did a good job of balancing the need of the Government to subpoena information from innocent third parties or professionals and those individuals' privacy.

    The minimization provisions of the Foreign Intelligence Surveillance Act provide that the Government must minimize the retention or dissemination of information. It may intercept a great deal, but it has to erase most of it. It cannot distribute it widely.

    Under some circumstances a reasonable suspicion standard might be more appropriate than some of the more lax standards that are employed today, and perhaps this might be the most radical approach of all, that an approach to privacy should focus not so much on what the Government does to obtain the information, not the means employed, so much as the nature of the information sought itself. If somebody peeks under my garage door to see if my car is in the garage, that doesn't bother me even though that might technically violate my fourth amendment rights. I am much more offended if a commercial enterprise tracks all of the purchases I make and reveals that information to other commercial enterprises or, for that matter, to the Government.

    I am grateful for the opportunity to address the committee and look forward to the committee's work in the future on this issue. Thank you.

    Mr. CANADY. Thank you, Professor.

    [The prepared statement of Mr. Fishman follows:]

PREPARED STATEMENT OF CLIFFORD S. FISHMAN, PROFESSOR OF LAW, COLUMBUS SCHOOL OF LAW, CATHOLIC UNIVERSITY OF AMERICA

    The Fourth Amendment,(see footnote 13) the Constitution's primary guarantor of individual privacy against Government intrusion, embodies and codifies deeply held American values. On the other hand, now more than ever we must look to the Government to protect us against a wide range of criminal activity that threatens our safety, our economic well being and our system of government; to provide that protection the Government must have reasonable means to obtain information that is useful in a criminal investigation or prosecution. Reconciling those often conflicting values and interests presents particularly troubling questions in the context of electronic communications such as e-mail and other uses of the Internet. People are making increasing use of the Internet to store personal information; criminals are making increasing use of the Internet to commit or facilitate their crimes.

1. General Fourth Amendment principles

    The Fourth Amendment directs that, certain exceptions aside, the police may not enter someone's home or office to search for and seize evidence unless they first go to a judge, spell out probable cause, and obtain a warrant authorizing the search and seizure.

    But the Supreme Court has held in a variety of contexts that if a person knowingly reveals information to a second party, he has no constitutional protection if that second party voluntarily turns that information over to the Government.(see footnote 14)

    Thus, in Smith v. Maryland,(see footnote 15) the Supreme Court held that a telephone company customer has no constitutional basis to complain if the phone company, in response to a police request, places a pen register on his phone, enabling the police to make a record of all the phone numbers (local as well as long distance) he dials from his phone. By ''knowingly exposing numerical information to the phone company,'' the Supreme Court held, anyone who makes a phone call assumes the risk that the phone company will voluntarily share that information with the police.

    Similarly I have no constitutional complaint if the company that picks up my garbage turns it over to the police instead of mashing it up with the rest of the refuse it collects on its route. By voluntarily putting my garbage out at the curb, the Supreme Court has held, I give up my privacy rights in it.(see footnote 16)

2. Principles governing subpoenas

    When the Government serves someone with a subpoena requiring that person to testify or to surrender certain evidence, the Government need not show probable cause, and need not first obtain judicial approval. This is because of the long-established principle that, except for certain situations involving legal privilege, ''The public is entitled to every man's evidence.''(see footnote 17)

    Thus, for example, in U.S. v. Miller,(see footnote 18) the Supreme Court held that a bank customer has no constitutional protection if an FBI agent shows up at the bank with a subpoena for her bank records.

    If an FBI agent shows up at my door with a subpoena requiring me to bring my financial records (or my computer hard drive) to the grand jury, I can move to quash the subpoena, but so far as the Fourth Amendment is concerned, my motion must be denied so long as the Government can show a reason to believe that what the investigators seek is relevant to their investigation and the subpoena is not overly broad or too burdensome.

    If I am the target of the investigation, the Government will often be reluctant to subpoena evidence from me, not because of the Fourth Amendment, but because of the Fifth. The Fifth Amendment does not protect the contents of the subpoenaed documents or files, but it often protects the act of surrendering them in compliance with the subpoena.(see footnote 19) But the Fifth Amendment does not protect me if instead the Government subpoenas such records from someone else—for example, from a friend, a business partner, or my bank.(see footnote 20)

3. E-mail: analogies to the telephone and regular mail

    A logical starting place with e-mail is to compare it to the two forms of communication it most closely resembles: telephone calls and mail delivered by the Postal Service.

    Each is protected from unauthorized interception: it is a crime for a private person to tap someone's phone,(see footnote 21) or open and read someone else's mail,(see footnote 22) and law enforcement officials may not do either without an interception order (in the case of a phone call),(see footnote 23) or search warrant (in the case of mail),(see footnote 24) based on probable cause to believe that evidence of a crime will be revealed. If I have phone conversations with someone else (call her ''X''), the Government does not need a search warrant or interception order to require X to reveal what we said; it can simply serve her with a subpoena. Similarly, the Government can serve a subpoena on X directing her to surrender all correspondence she has received from me.(see footnote 25) Unless X is my spouse or my attorney,(see footnote 26) I have no legal basis to oppose the subpoena. And unless X is my lawyer or my spouse or asserts a claim that testifying about our phone conversations or surrendering my letters would incriminate her, X has no legal grounds to refuse to comply, either.

    The same is true with e-mails: the Government could serve a subpoena on X, requiring her to turn over all e-mails she received from me. And that is as it should be: unless X and I share a legally privileged relationship, a grand jury, court or Congressional committee is entitled to X's evidence, however reluctant X may be to give that evidence.

4. E-mail, the Fourth Amendment, and the Electronic Communications Privacy Act of 1986(see footnote 27)

    Now suppose that, instead of serving a subpoena on X to turn over copies of our e-mail correspondence, the Government seeks information from my Internet service provider or remote computer storage facility, either of which may have a record of all my e-mail—what I sent as well as what I received. Are my e-mails available to the Government merely by subpoena, like the Supreme Court has held is the case with regard to my bank records or the numbers I dial on my phone?

    To deal with these issues, Congress, in the Electronic Communications Privacy Act of 1986 (ECPA), made an elaborate series of distinctions based on what the Government sought, from whom it sought it, and when. Briefly the law is as follows.

    1. Interception of e-mail as it is being sent. ECPA requires the Government to obtain an interception order from a judge.(see footnote 28) The prerequisites for such an order are somewhat more demanding than those for a regular search warrant but somewhat less demanding than those for an order to tap a telephone or bug a particular premises.

    2. Access to electronic communications in storage for 180 days or less. In this situation, the law regards the service provider as the equivalent of the Postal Service: just as a search warrant is required to open a letter after it has been mailed but before it has been received,(see footnote 29) ECPA requires the Government to obtain a search warrant requiring the Internet Service Provider to turn over the targeted e-mails.(see footnote 30) To obtain a search warrant, the Government must persuade a judge that probable cause exists that the e-mails being sought will provide evidence of a crime. If the judge issues the warrant, the Government may obtain the e-mails immediately, without prior notice to the subscriber or customer.(see footnote 31)

    3. Access to electronic communications in storage with a service provider for more than 180 days. ECPA treats this situation differently than the previous situation. The reasoning: after 180 days, the service provider is no longer acting like the Postal Service delivering the mail; it is acting more like a friend or business partner who is storing my records for me. Thus, ECPA gives the Government several options.

    (1) It may apply to a judge for a search warrant, as in the previous situation.

    (2) It may issue a subpoena, which does not require judicial approval or probable cause,(see footnote 32) but which does require advance notice to the subscriber or customer, who may bring a motion to quash.(see footnote 33) As outlined earlier, to defeat a motion to quash, the Government merely need show that there is reason to believe that evidence relevant to a legitimate investigation may be obtained from the subpoenaed items.

    (3) It may seek a court order by demonstrating to the judge that there are ''reasonable grounds to believe'' that the information sought ''are relevant and material to an ongoing investigation.''(see footnote 34) In seeking such a court order, the Government may also seek permission to postpone notice to the subscriber or customer for up to 90 days by showing that there is ''reason to believe'' that such notice will jeopardize someone's safety, result in the destruction of evidence, or in some other way impede the investigation.(see footnote 35)

    4. Access to electronic communications stored with a remote computing service, regardless of for how long or short a period of time. In this situation as well, the Government has the same three options: a search warrant, a subpoena or a court order.(see footnote 36) The reasoning: the storage facility is not like the Postal Service delivering the mail; it is merely a third party who is storing my records for me.

5. Other Internet-related information

    At present there is no clear law regulating Government access to other information about customers or subscribers that can be obtained from an ISP. If I keep my address book and appointment calendar in my pocket, in my desk drawer, or on my home computer's hard drive, the Government can obtain them from me only by first getting a search warrant from a judge, based on probable cause.(see footnote 37) But if instead I keep my address book or appointment calendar with a service provided by an ISP, presumably the Fourth Amendment requires only that the Government serve a subpoena on the ISP. After all, I knowingly exposed the information to the ISP—just as I expose ''numerical data'' to the telephone company when I dial my phone, and my financial transactions to the bank when I write a check or make a deposit or withdrawal.

    Similarly, a subpoena would presumably suffice to obtain a list of the chat rooms or web sites a subscriber visited, assuming the ISP could retrieve or gather this information.

    The Internet enables us to communicate, to associate, to research, to explore and to shop in ways that could not have been imagined a generation ago. Most of us use it to increase our knowledge, to stay in touch with friends, to increase the efficiency with which we do various chores (shopping, bill paying, etc.). As we do so, we create data about ourselves that should be protected from too-easy access, whether by the Government or by commercial entities.

    On the other hand, we must not forget that there are those who use the Internet to learn how to build bombs, or to gather information for use in fraud or extortion, or to entice vulnerable children into sexual liaisons. If we make it too difficult for the Government to track and obtain a perpetrator's use of the Internet for these purposes, its ability to protect us from these crimes may be seriously undermined.

    It is appropriate for this Subcommittee to explore how it can protect the privacy from Government (and non-Government) intrusion of information generated by or stored on Internet-related services. In doing so it must strive to strike a balance between the right to privacy and the Government's legitimate need to prevent crime and apprehend and prosecute criminals.

    A variety of approaches are available. Congress could impose a search warrant requirement before the Government could obtain a wide range of information about an ISP's customer or subscriber. This would insure substantial protection of privacy, but at some cost to law enforcement efficiency. In the alternative, it could create an intermediate level of protection. After the Supreme Court's pen register decision in Smith v. Maryland, Congress enacted legislation imposing certain minimal requirements on the Government before it could obtain a pen register.(see footnote 38) The different ways ECPA treats e-mail under different circumstances provide another example of a nuanced approach of what should be protected, how vigorously, and under what circumstances.

    I am grateful for the opportunity to appear before this Subcommittee and am eager to be of assistance in exploring these issues.

    Mr. CANADY. Mr. Corn-Revere.

STATEMENT OF ROBERT CORN-REVERE, HOGAN & HARTSON L.L.P.

    Mr. CORN-REVERE. Mr. Chairman, members of the committee, thank you for the opportunity to address this important subject. As other members of the panel have already described, the law of electronic surveillance and the fourth amendment requires courts and policy-makers to continually reassess the balance between privacy interests of Americans and the needs of law enforcement. The growth and development of the Internet and World Wide Web present not just another opportunity, but I believe, an obligation for policy-makers to again reassess that balance.

    There has been a lot of discussion in the last few years about privacy on the Internet. It has been the focus of much attention, but much of that focus has been on the potential intrusions by commercial enterprises, as Professor Fishman just described, of tracking Internet purchases or the types of commercial exploitation that might take place. Where attention has been devoted to the issue of Government surveillance, quite often it is the framework of asking for greater authority for law enforcement to conduct electronic surveillance.

    In light of these developments, I suggest that more attention should be devoted to the potential fourth amendment impact of surveillance, as this hearing is beginning to do, and I hope future hearings will do so as well. From my perspective, the possibility that the Government is invading our privacy is a far more significant issue than whether or not someone is collecting my e-mail address so they can send me some junk e-mail.

    I would like to begin the substantive part of my statement by following up a question that Mr. Barr asked earlier about the meaning of the term ''technology-neutral'' as a means of increasing capacity or keeping up with the capacity for conducting electronic surveillance. That is a term that has begun to appear quite a lot of late, and I don't think the meaning is clear. So I welcomed the question. I take the position that ''technology-neutral'' in implementing ECPA or other laws does not necessarily mean ''fourth-amendment-neutral'' or ''privacy-neutral.''

    For example, if Congress extends the ability to conduct trap or trace orders or pen registers that currently applies to telephone systems automatically to the world of the Internet and Internet service providers, you are not going to have the same impact on privacy because the technologies are different. You can't simply treat them in a ''neutral'' fashion as if they are the same, because you are dealing with different kinds of data networks, and you are dealing with the collection of different kinds of information. An e-mail address is not a telephone number, and a telephone line as described in the current law is not the same thing as a router in an ISP that can convey information on a great number of subscribers, and not just a single subscriber.

    With respect to the current authority for pen registers and trap and trace authority, and with all due respect for the Department of Justice's witnesses so far, I think it is not clear that existing law automatically extends to trap and trace or pen registers. I think it is a telling point that the Department's position is that the existing law is sufficient to permit trap and trace authority for Internet service providers, and at the same time the Department is asking Congress for clarification that they have the authority, and to extend that authority. Mr. Di Gregory claimed that the courts have upheld that authority, but I have searched in vain for any reference in the case books of a decision upholding that authority. Perhaps one reason I am here today as a witness is because I have participated in a case that I would love to tell you about or love to cite for you, but the decision is actually under seal, so I can't do that. Instead, I will describe basically what happened in general terms, and I hope that my account will indicate where some of the difficulties lie.

    Last December a client of mine, an Internet service provider, was served with a trap and trace order and asked to permit the installation of software on their data network to implement the order. The order itself, if I can find the exact language here—well, I will get to the exact language in the order, but basically it was to collect the routing information, e-mail addresses and so forth of the person who was the target of that transmission. As the software that would be used was described to my client, it wasn't clear at all that the information that would be gleaned from the order would be limited to just signaling information or the equivalent of a telephone number. So as a result, and out of an abundance of caution, we challenged the order and filed a motion to quash the order with the magistrate.

    I see my time is up. I will just sum up by saying——

    Mr. CANADY. I am very interested. So I don't think there is going to be any objection if you take a little longer.

    Mr. WATT. That is the chairman's prerogative.

    Mr. CANADY. Please proceed.

    Mr. CORN-REVERE. I am happy to comply with the chairman's wishes.

    As I say, when we received the order, there was quite a bit of concern about implementing this in a way that didn't intrude on the privacy of other subscribers to the ISP and didn't provide far more information than what would be the equivalent of a telephone number. Unfortunately the law provides no real guidance to someone who is served with an order like this one, and there is no interpretive law on that point. In fact, we also looked at the Justice Department's Federal guidelines for searching and seizing computers and found nothing of relevance to help us understand what was going on.

    Like other ISPs, my client's policy is to fully cooperate with law enforcement when they receive a surveillance order. Yet at the same time my client also wished to preserve the privacy of its subscribers and also faced the prospect of potential liability under ECPA if, even in response to a court order, he provided more information than in his good faith belief thought was warranted by that court order. That explains why we then took the case to the magistrate.

    We argued in the hearing before the magistrate that the law was far from clear, and that in those cases that did not deal with the Internet, courts have applied the trap and trace provisions of ECPA quite narrowly and quite literally. This has been the rule both with respect to clone pagers and with respect to similar devices, such as devices designed to pull phone numbers from wireless systems using a digital analyzer to get cellular phone numbers. Courts have said that specific terms of the statute control, and that you cannot extend the trap and trace statute to those technologies.

    Nevertheless, and despite the differences between the language of ECPA and the facts relevant to the technology of Internet communications, the magistrate upheld the court order. But he did so with what, at least from my perspective, seemed to be quite a bit of reluctance. The judge did note that this was a use of ECPA that the framers of the statute did not appear to have in mind when they adopted the law. He noted that the order did not meet the literal terms of the statute, but that instead would get the ''functional'' equivalent, as it was described, of a telephone number.

    Now as I mentioned, there are substantial differences between simply getting a telephone number with a pen register and attaching a piece of equipment to a data network in an ISP. Among them are the facts that instead of attaching a device to a single subscriber line on a circuit-switch network, you are attaching a device to a router on a packet switch network that has traffic passing through it for many subscribers, not just one. And it has information that is combined, including both the routing information and the content-based information.

    I am not suggesting that anyone had any bad intentions with applying for or implementing this order. I think the assistant U.S. attorney and the Marshal's Service were quite responsible and respectful of the privacy implications of what they were doing. Ultimately my client and the Government were able to reach an accommodation that I think was reasonably privacy-protective of subscribers' interests. The difficulty is that it was such an ad hoc solution that it is difficult to see how this meets the expectation that Congress had when it adopted ECPA or that it is workable going forward as a general policy.

    Based on my experience and my understanding of the law, the lesson to be drawn from that experience is that it is time for Congress to re-examine not just the trap and trace provisions of ECPA, but more generally the law as well. At the same time, Congress should pay careful attention to the potential fourth amendment ramifications of changing the law rather than to simply—as the Justice Department puts it—in a ''technology-neutral'' fashion extend authority in a blanket way as if it were nothing other than putting a pen register on a telephone line. Thank you.

    Mr. CANADY. Thank you very much, Mr. Corn-Revere.

    [The prepared statement of Mr. Corn-Revere follows:]

PREPARED STATEMENT OF ROBERT CORN-REVERE, HOGAN & HARTSON L.L.P.

    Mr. Chairman, and Members of the Subcommittee. Thank you for inviting me to testify on this important subject.

    As an Adjunct Professor at the Communications Law Institute, Columbus School of Law at the Catholic University of America I have long had an interest in the privacy implications of new communications technologies. As a practitioner, I regularly counsel Internet Service Providers (''ISPs'') and other Internet-related businesses on compliance with privacy laws, including the Electronic Communication Privacy Act (''ECPA''). In addition, I am a member of the legal team for Daniel Bernstein, a cryptographer who successfully challenged U.S. export controls on encryption software as a violation of the First Amendment. The views I express today are mine alone; I am not testifying on behalf of any client.

INTRODUCTION

    I believe it is vital for Congress now to examine the Fourth Amendment implications of electronic surveillance on the Internet and the World Wide Web. As the United States Supreme Court explained in 1997, the Internet is a unique and wholly new medium of worldwide human communication.(see footnote 39) Judge Paul L. Friedman of the U.S. District Court for the District of Columbia has suggested that ''[i]t is probably safe to say that more ideas and information are shared on the Internet than in any other medium,'' and that it may be only a slight overstatement to conclude that ''the Internet represents a brave new world of free speech.''(see footnote 40) Another federal judge has suggested that the Internet ''may well be the premier technological innovation of the present age.''(see footnote 41) Increasingly, more aspects of Americans' daily lives are conducted using this new medium. And, just as ''more ideas and information are shared on the Internet than in any other medium,'' more information can be collected by means of electronic surveillance.

    The issue of privacy on the Internet has been the focus of much attention in the past few years. However, much of the concern in this regard has been directed toward the possible commercial exploitation of personal information gleaned from the Web. Where attention has been devoted to the question of government surveillance and the Internet, it often has been part of a call to update federal law in order to facilitate electronic surveillance. A recent example of such advocacy is the recent report by the President's Working Group on Unlawful Conduct on the Internet entitled THE ELECTRONIC FRONTIER: THE CHALLENGE OF UNLAWFUL CONDUCT INVOLVING THE USE OF THE INTERNET (February 2000) (''THE ELECTRONIC FRONTIER''). Similarly, it was reported recently that the Securities and Exchange Commission is seeking to create an automated surveillance system to scour the Internet for people who violate securities laws.(see footnote 42)

    In light of these developments, I suggest that more attention should be devoted to the potential impact on privacy of increased government surveillance. While I agree with the suggestion of the President's Working Group that the law should be updated to account for technological change, I think it must take into account the important Fourth Amendment values that form the foundation of our law. Any legislative reform also should examine the historic considerations that led Congress in the past to amend U.S. law governing electronic surveillance. With these thoughts in mind, I will address the Fourth Amendment and statutory background relating to electronic surveillance and I will describe a recent experience I had in trying to apply existing law governing pen registers and trap and trace devices to Internet communications.

Background: The Fourth Amendment and Federal Law

    There has long been an uneasy relationship between electronic surveillance and the Fourth Amendment to the U.S. Constitution. The Fourth Amendment prohibits unreasonable searches or seizures, including those relating to a person's papers. It provides:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.(see footnote 43)

In Olmstead v. United States, the Supreme Court in 1928 considered whether warrantless wiretapping violated the Fourth Amendment. The Court found no constitutional violation because the surveillance was accomplished without intruding on the physical property of the defendant.(see footnote 44) By failing to acknowledge that technology permitted the government to intrude on communications in a way that previously was impossible, a five-vote majority concluded that the Fourth Amendment ''does not forbid what was done here'' because ''[t]he United States takes no such care of telegraph or telephone messages as of mailed sealed letters.''(see footnote 45)

    Justice Brandeis wrote in dissent that constitutional principles were undermined to the extent the Court focused excessively on the method chosen for communication. He argued forcefully that constitutions must be interpreted with technological advancements in mind to preserve fundamental rights. In particular, Justice Brandeis wrote, constitutions must be designed ''to approach immortality'' and ''our contemplation cannot only be what has been but of what may be.''(see footnote 46) Foreshadowing the rise of a computer-based society, he warned that:

Discovery and invention have made it possible for the Government, by means far more effective than stretching upon the rack, to obtain disclosure in court of what is whispered in the closet.

                    * * *

The progress of science in furnishing the Government with means of espionage is not likely to stop with wire-tapping. Ways may some day be developed by which the Government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home. Advances in the psychic and related sciences may bring means of exploring unexpressed beliefs, thoughts and emotions.

                    * * *

Can it be that the Constitution affords no protection against such invasions of individual security?

Justice Brandeis concluded that if the courts did not adapt to new realities, then constitutional principles would be ''converted by precedent into impotent and lifeless formulas'' and that ''[r]ights declared in words might be lost in reality.''(see footnote 47)

    The Supreme Court eventually adopted Justice Brandeis' view toward wiretapping. In Katz v. United States, it declared that the Fourth Amendment ''protects people, not places'' and held that wiretapping is allowable only after a valid warrant is issued—the same as for any other search.(see footnote 48) The Court reasoned that ''[t]o read the Constitution more narrowly is to ignore the vital role that the public telephone has come to play in private communication.''(see footnote 49) The decision expressly overruled Olmstead, replacing the previous focus on the means of communication with an appreciation of the fact of communication as the source of constitutional rights. It concluded that ''[t]he Government's activities in electronically listening to and recording the petitioner's words violated the privacy upon which he justifiably relied. . . .''(see footnote 50)

    Congress subsequently incorporated the Fourth Amendment calculus of Katz into federal law. It sought to establish a balance between the interests of privacy and law enforcement in the midst of continuing developments in communications technology. Congress' first effort to achieve this balance was its enactment in 1968 of the Omnibus Crime Control and Safe Streets Act (''1968 Act'').(see footnote 51) The Act prohibited the use of electronic surveillance by private individuals. At the same time, however, the Act created a judicial process by which law enforcement officials could obtain a court's authorization to conduct such surveillance.(see footnote 52) The 1968 Act's ''dual purpose'' was to ''(1) protect[ ] the privacy of wire and oral communications and (2) delineat[e] on a uniform basis the circumstances and conditions under which the interception of wire and oral communications may be authorized.''(see footnote 53)

    In the years since 1968, Congress has engaged in an ongoing balancing process. In 1970, the United States Court of Appeals for the Ninth Circuit held that the 1968 Act neither required carriers to provide the technical support needed by law enforcement to conduct authorized electronic surveillance, nor authorized the courts to compel such support.(see footnote 54) Congress responded by amending the Act to provide that any order issued by a federal court authorizing an electronic interception must, upon request of the government, direct communications service providers to provide all information, facilities, and technical assistance necessary to accomplish the interception.(see footnote 55)

    Continuing technological developments again prompted Congress to take legislative action in 1986 through passage of ECPA.(see footnote 56) It was adopted to bring new communication technologies—such as wireless and electronic communications—under the umbrella of federal wiretap law.(see footnote 57) While the purpose of ECPA was to maintain a balance between the privacy of citizens and the needs of law enforcement,(see footnote 58) much of the impetus for the law was a determination by Congress that electronic communications lacked sufficient safeguards against governmental and third-party interception.(see footnote 59) Congress found that the law had not kept pace with the development of new electronic technologies, and that ''the use of sophisticated technologies for surveillance purposes . . . presents dangers to society.''(see footnote 60) The Office of Technology Assessment found that the use of advanced technology for surveillance could infringe upon First, Fourth and Fifth Amendment protections, as well as the statutory safeguards of Title III and other laws.(see footnote 61) It concluded that ''[o]ver time, the cumulative effect of widespread surveillance for law enforcement, intelligence, and other investigatory purposes could change the climate and fabric of society in fundamental ways.''(see footnote 62)

    Such findings were foremost in the minds of ECPA's drafters. As the Senate Report on ECPA noted, ''[w]hen the Framers of the Constitution acted to guard against the arbitrary use of government power to maintain surveillance over citizens, there were limited methods of intrusion into the 'houses, papers, and effects' protected by the fourth amendment.''(see footnote 63) It added that ''development of new methods of communication and devices for surveillance has expanded dramatically the opportunities for such intrusions.''(see footnote 64) After pointing to ''tremendous advances in telecommunications and computer technologies'' as well as surveillance techniques, the Report stated that ''[e]lectronic hardware making it possible for overzealous law enforcement agencies, industrial spies and private parties to intercept the personal or proprietary communications of others'' required changes in Title III.(see footnote 65) The Report concluded that ''the law must advance with the technology to ensure the continued vitality of the fourth amendment. Privacy cannot be left to depend solely on physical protection, or it will gradually erode as technology advances. Congress must act to protect the privacy of our citizens. If we do not, we will promote the gradual erosion of this precious right.''(see footnote 66)

    Congress did not make this change out of devotion to some abstract principle. Rather it was well aware of a history of ''tapping and bugging [in which the government] targeted many people who might not normally appear to be appropriate targets.''(see footnote 67) Indeed, the Church Committee investigations in the 1970s revealed the FBI had used electronic surveillance to investigate Dr. Martin Luther King, Jr., Congressman Harold Cooley, dissident groups and journalists among many others.(see footnote 68) After providing detailed accounts of improper use of electronic surveillance by the FBI and other government agencies, the Church Committee noted that ''[t]echnological developments in this century have rendered most private conversations of American citizens vulnerable to interception and monitoring by government agents.''(see footnote 69) Accordingly, the Report found:

  By their very nature . . . electronic surveillance techniques also provide the means by which the Government can collect vast amounts of information, unrelated to any legitimate governmental interest, about large numbers of American citizens. Because electronic monitoring is surreptitious, it allows Government agents to eavesdrop on the conversations of individuals in unguarded moments, when they believe they are speaking in confidence. Once in operation, electronic surveillance techniques record not merely conversations about criminal, treasonable, or espionage-related activities, but all conversations about the full range of human events. Neither the most mundane nor the most personal nor the most political expressions of the speakers are immune from interception. Nor are these techniques sufficiently precise to limit the conversations overheard to those of the intended subject of the surveillance: anyone who speaks in a bugged room and anyone who talks over a tapped telephone is also overheard and recorded.

  The very intrusiveness of these techniques implies the need for strict controls on their use, and the Fourth Amendment protection against unreasonable searches and seizures demands no less. Without such controls, they may be directed against entirely innocent American citizens, and the Government may use the vast range of information exposed by electronic means for partisan political and other improper purposes. Yet in the past the controls on these techniques have not been effective; improper targets have been selected and politically useful information obtained through electronic surveillance has been provided to senior administration officials.(see footnote 70)

    The revelations of the Church Committee were a catalyst for positive reform. Nevertheless, recent reports indicate that there is always the potential for abuse. For example, it has been estimated that in Los Angeles alone there have been ''hundreds of secret 'handoff' taps and electronic intercepts, [and] by extrapolation, thousands of Los Angeles residents have had their telephone conversations secretly and illegally monitored by LAPD.''(see footnote 71) Given such reports it should come as no surprise that a majority of Americans are deeply skeptical of wiretapping as an investigative tool. During fifteen years of surveys conducted by the Department of Justice, the percentage of the U.S. population that approved of the use of wiretapping never exceeded 30 percent. The level of disapproval ranged from 70 to 80 percent across all demographic groups.(see footnote 72)

    Congress' most recent effort to address these issues was the enactment in 1994 of the Communications Assistance for Law Enforcement Act (''CALEA'').(see footnote 73) It again sought to ''preserve the balance sought in 1968 and 1986'' in the face of a now accelerated pace of change in telecommunications technology.(see footnote 74) Although the legislation enacted in 1968 and 1970 had made clear that telecommunications carriers were required to cooperate with law enforcement personnel in conducting electronic surveillance, CALEA is the first statute to impose upon telecommunications carriers an affirmative obligation to modify and design their equipment, facilities, and services ''to ensure that new technologies and services do not hinder law enforcement's access to the communications of a subscriber who is the subject of a court order authorizing electronic surveillance.''(see footnote 75) However, Congress also made clear that CALEA was intended only to preserve the status quo in surveillance capabilities. The law was intended to set ''both a floor and a ceiling'' on the ability of law enforcement to conduct electronic surveillance.(see footnote 76) While CALEA was intended to ensure that new technologies would not reduce law enforcement's existing surveillance capabilities, it also was carefully crafted to prevent any expansion of those capabilities.(see footnote 77)

    CALEA also expanded privacy and security protection for telephone and computer communications in certain other respects.(see footnote 78) For example, Section 103(a)(4)(A) requires carriers to perform their obligations under the statute ''in a manner that protects—[ ] the privacy and security of communications and call-identifying information not authorized to be intercepted'' by law enforcement.(see footnote 79) Section 103(a)(2) prohibits the use by law enforcement of pen registers and trap and trace devices to obtain tracking or location information on a targeted subscriber, other than that which can be determined from a telephone number.(see footnote 80) Section 208 requires that law enforcement use reasonably available technology to minimize information obtained through pen registers.(see footnote 81) Section 207 enhances the protection of e-mail and other transactional data, such as transactional logs containing a person's entire on-line profile, by requiring the presentation of a court order by law enforcement officials, rather than a mere administrative subpoena, to obtain such information.(see footnote 82)

    CALEA also avoided imposing new obligations on ISPs. The legislative history specified that ''[t]he definition of telecommunications carrier does not include persons or entities to the extent they are engaged in providing information services, such as electronic mail providers, on-line services providers, such as Compuserve, Prodigy, America-On-Line or Mead Data, or Internet service providers.''(see footnote 83) This is not to suggest that Internet communications are somehow immune from electronic surveillance when appropriately authorized under ECPA. Congress made clear that CALEA did not expand or contract the ability to conduct such surveillance, and that ''law enforcement will most likely intercept communications over the Internet at the same place it intercepts other electronic communications: at the carrier that provides access to the public switched network.''(see footnote 84)

    Given the vast changes in computer and communications technologies, we currently face much the same situation that existed in the mid-1980s, when Congress adopted ECPA. The law enforcement community points out that the law must be changed to preserve its mission to prevent and punish crime, while the civil liberties community warns of grave dangers to personal privacy and the Fourth Amendment. Each group may emphasize different aspects of the problem, but all agree on one fundamental issue: the law must be updated to keep up with changes in technology.

Pen Registers and Trap and Trace Devices

    One aspect of the problem identified by the President's Working Group on Unlawful Conduct on the Internet involves authorizations for pen registers and trap and trace devices. Pen registers are devices used to record telephone numbers that are dialed from a telephone, and trap and trace devices are used to determine the number of origin of a telephone call. Among other things, there have been calls for clarification that authority to use such devices extends to equipment that may be installed on the data networks of Internet Service Providers and for expanded ability to authorize such surveillance across judicial districts.(see footnote 85)

    The Supreme Court has held that the information that may be obtained by pen registers or trap and trace devices is not protected by the Fourth Amendment because individuals do not have a reasonable expectation of privacy in the numbers dialed on a telephone.(see footnote 86) In reaching this conclusion, the Court stressed the limited capabilities of such devices, noting that ''pen registers do not acquire the contents of communications.''(see footnote 87) The Court has emphasized that:

[A] law enforcement official could not even determine from the use of a pen register whether a communication existed. These devices do not hear sound. They disclose only the telephone numbers that have been dialed—a means of establishing communication. Neither the purport of any communication between the caller and the recipient of the call, their identities, nor whether the call was even completed is disclosed by pen registers.(see footnote 88)

    In the absence of constitutional protection for such information, federal law prescribes a regime governing pen registers or trap and trace devices. Sections 3121–3127 of ECPA establish procedures for law enforcement officials to obtain authorizations for the use of such devices. However, given the more limited information that may be acquired, the law prescribes a far lesser threshold for obtaining a pen register order than it does other forms of electronic surveillance.(see footnote 89) ECPA provides that a court ''shall enter an ex parte order authorizing the installation and use of a pen register or trap and trace device'' where a law enforcement officer certifies that the ''information likely to be obtained is relevant to an ongoing criminal investigation.''(see footnote 90)

    Law enforcement authorities have begun to get court orders for the installation of such devices at ISPs. The President's Working Group on Unlawful Conduct on the Internet has described pen registers and trap and trace devices as ''important tools in the investigation of unlawful conduct on the Internet.''(see footnote 91) While I have no reason to question this assessment, my discussions with both law enforcement officials and those in the online industries have not turned up more than a handful of accounts of ISP-directed trap and trace orders out of the thousands that are issued each year.(see footnote 92) Unfortunately, current law does not require public reporting of the number of such orders when applied to ISPs, so there is no way to determine the extent of the problem.

    Nevertheless, it is becoming increasingly clear that the ''pen register'' and ''trap and trace'' concepts as set forth in ECPA do not fit well in the online environment. Nor is it valid to assume that such devices do not raise Fourth Amendment issues given that the type of information potentially available from an ISP by a ''pen register'' greatly exceeds the type of information normally available when one is installed on a telephone line. As Congress noted when it expanded statutory protection for transactional records under Section 2703, ''in the eight years since the enactment of ECPA, society's patterns of using electronic communications technology have changed dramatically. Millions of people now have electronic mail addresses. Businesses, nonprofit organizations and political groups conduct their work over the Internet. Individuals maintain a wide range of relationships on-line.''(see footnote 93)

    As a matter of legal interpretation, the current law does not clearly apply to ISPs and Internet communication. Section 3127 of ECPA defines a pen register as:

a device which records or decodes electronic or other impulses which identify the numbers dialed or otherwise transmitted on the telephone line to which such device is attached, but such term does not include any device used by a provider or customer of a wire or electronic communication service for billing, or recording as an incident to billing, for communications services provided by such provider or any device used by a provider or customer of a wire communication service for cost accounting or other like purposes in the ordinary course of its business.(see footnote 94)

ECPA defines a trap and trace device as ''a device which captures the incoming electronic or other impulses which identify the originating number of an instrument or device from which a wire or electronic communication was transmitted.''(see footnote 95)

    The legislative history of these provisions suggests that Congress intended the terms ''pen register'' and ''trap and trace device'' to refer only to devices used in connection with telephone systems. The legislative history states that:

Pen registers are devices that record the telephone numbers to which calls have been placed from a particular telephone. These capture no part of an actual telephone conversation, but merely the electronic switching signals that connect two telephones. The same holds true for trap and trace devices, which record the numbers of telephones from which calls have been placed to a particular telephone.(see footnote 96)

    Consistent with the statutory language and legislative history, reviewing courts have interpreted these provisions literally, and narrowly. For example, the Fourth Circuit refused to classify a digital display pager clone as a pen register, despite the fact that it displays phone numbers, because it does not fit the precise definition provided in the text of the statute.(see footnote 97) Similarly, Section 3123 was held inapplicable to use of digital analyzers in mobile situations to display numbers dialed from a cellular telephone.(see footnote 98) There the court noted that ''the statute should be strictly construed, and any ambiguity in its scope must be construed narrowly.''(see footnote 99)

    Although the court in Digital Analyzer held that no order was needed for the interception of numbers dialed by a cellular phone, it declined the government's request for a prophylactic order and to extend the pen register provisions ''by analogy.'' In addition to the problem that the wireless interception of dialed numbers did not fit the literal terms of ECPA, the court noted that such an order ''would not ensure sufficient accountability'' where ''law enforcement officers us[e] advanced technology that might threaten privacy rights.''(see footnote 100) Among other problems, the court noted that ''calls made by others than the subjects of the investigation could be inadvertently intercepted,'' that ''all such telephones could be analyzed without any record being produced,'' and that the collection of subscriber information would be authorized ''without specific and articulable facts showing that a particular subscriber's records will be material to an ongoing criminal investigation.''(see footnote 101)

    The President's Working Group on Unlawful Conduct on the Internet has recognized the dissonance between ECPA's language and current technology. It pointed out that:

[A]dvances in telecommunications technology have made the language of the statute obsolete. The statute, for example, refers to a ''device'' that is ''attached'' to a ''telephone line,'' [18 U.S.C.] §3127(3). Telephone companies, however, no longer accomplish these functions using physical hardware attached to actual telephone lines. Moreover, the statute focuses specifically on telephone ''numbers,'' id., a concept made out-of-date by the need to trace communications over the Internet that may use other means to identify users' accounts.(see footnote 102)

    Beyond pure questions of legal interpretation, the nature of information gathering using a ''pen register'' and ''trap and trace'' device is far different in the online environment compared to traditional telephone systems. It is true that information such as electronic mail is sent over the telephone lines ISPs use to connect their data networks to the telecommunications system, but these facts do not convert the facilities of Internet service providers into ''telephone lines.''(see footnote 103) A trap and trace device or pen register for Internet-based communications is installed on the data network of an ISP, not on a telephone line, and the information which may be intercepted is not limited to that transmitted over a single subscriber line.

    The trap and trace provisions of ECPA clearly contemplate making a physical connection to a dedicated telephone line, which envisions a different type of network configuration than exists for Internet-based systems:

[T]he Internet is what is known as a packet-switched network. In a packet-switched network, there is no single, unbroken connection between sender and receiver. Instead, when information is sent, it is broken into small packets, sent over many different routes at the same time, and then reassembled at the receiving end. By contrast, the telephone system is a circuit-switched network. In a circuit-switched network, after a connection is made (as with a telephone call, for example), that part of the network is dedicated only to that single connection.(see footnote 104)

    The use of pen registers or trap and trace devices to intercept packetized network information raises privacy concerns of a far different magnitude than the Supreme Court contemplated in Smith v. Maryland. Such information is not the conceptual equivalent of a telephone number, as some suggest. The substance of this issue was addressed by the FCC in its rulemaking proceeding implementing CALEA. There, the Commission found that interception of packet-mode communications raises significant technical and privacy concerns because call routing information and content are both contained in the packets.(see footnote 105) Thus, interception of packetized information potentially allows the government to ''receive both call identifying information and call content under a pen register.''(see footnote 106)

    New York courts have addressed the privacy implications of pen registers that may be ''converted'' to receive the contents of communications. In People v. Bialostok, for example, the New York Court of Appeals held that, under the New York electronic surveillance statute, a pen register capable of being used as a listening device required an eavesdropping warrant obtainable based on probable cause, rather than merely a judicial order obtainable based on reasonable suspicion.(see footnote 107) The court held that the facts that the device's audio function was disabled, and that no conversations were actually heard, did not remove the need for a warrant. Although Bialostok involved the interpretation of New York law, it is relevant to the constitutional principles underlying federal wiretap law.(see footnote 108)

    Subsequent decisions have held that such ''convertible'' pen registers may not be considered wiretaps per se, but the nature of the technology must be carefully reviewed. In People v. Kramer, for example, the New York Court of Appeals noted that pen register technology must be scrutinized as it is used in a given investigation. The court noted that ''the appropriate judicial assessment should include not only the capacity of the device used to intercept, hear and record communication, but the manner in which it does so and its susceptibility to evasion of statutory, precedential, and even constitutional protections.''(see footnote 109)

    I believe it would be appropriate for Congress to address similar questions if it decides to amend the law so as to end the confusion regarding use of pen registers or trap and trace devices for Internet-based communications.

Case History: Installation of a Pen Register and Trap and Trace Device at an ISP

    The issues described above present more than an academic concern to ISPs. The nature of the concern probably is best demonstrated by the type of questions a client of mine faced when it received its first pen register Order last December. I would cite the case for the committee, but the pen register authorization was an ex parte Order, and the subsequent proceedings to clarify the ECPA requirements were conducted before a Magistrate under seal. For that reason I will describe the events without naming any of the parties involved.

    My client felt it was necessary to seek clarification for a variety of reasons, among them the ambiguities in the law described by the President's Working Group on Unlawful Conduct on the Internet. Unfortunately, ECPA provides no clear guidance on this issue and there are no cases directly on point. One reason for the absence of interpretive law is that service providers have no incentive to seek judicial clarification in the vast majority of cases. In addition, it is worth noting that the practice of installing pen registers or trap and trace devices at ISPs is not even mentioned in DOJ's FEDERAL GUIDELINES FOR SEARCHING AND SEIZING COMPUTERS.

    Like other ISPs, my client's policy is to cooperate fully with all lawful orders to assist law enforcement authorities. At the same time, Internet Service Providers are civilly liable under ECPA if they reveal subscriber information or the contents of stored communications to the government without first requiring a warrant, court order, or subpoena.(see footnote 110) Indeed, for certain violations of the Act, courts have suggested that only the ISP, and not the government, may be liable where the government obtains information through the use of ''improper subpoenas.''(see footnote 111)

    Thus, ISPs have an obligation under ECPA to protect the communications and other information of their subscribers, while complying with lawful requests for assistance from law enforcement authorities. Although the law immunizes ISPs from liability when they supply information about a subscriber or permit an interception based on ''good faith reliance'' on a court warrant or order,(see footnote 112) reviewing courts have suggested that this immunity could be lost if the service provider has reason to believe that a subpoena or court order is not valid, or if the government's actions exceed its authorization.(see footnote 113) As a result, service providers may be placed in an ''awkward position'' where, as here, they show ''a willingness to comply with the Government's request'' yet face the possibility of liability if they do so.(see footnote 114) Such situations ''threaten to whipsaw the Company in its good faith attempt to cooperate with the Government.''(see footnote 115)

    Last December, my client (''the ISP'') was placed in just such an ''awkward position'' when it was served by federal Marshals with an Order providing that United States agents ''may install a pen register and trap and trace device to register time, date, and source and destination addressing information of the electronic mail messages sent to and from the subject Internet account, including information regarding the true source of the messages without geographic limitation[.]'' As an apparent indication of some doubt about its authority in this regard, the Assistant United States Attorney applied for this Order not just under §3122 of ECPA, but also under 18 U.S.C. §2703(c)–(d), which applies to stored electronic data and transactional information about subscribers, and which requires the government to offer ''specific and articulable facts showing that there are reasonable grounds to believe'' that the information sought is ''relevant and material to an ongoing criminal investigation.'' In granting the Order, however, the Magistrate determined that the applicant had met only the lower standard of §3122—a certification that the information likely to be obtained is relevant to an ongoing criminal investigation.

    The ISP was contacted by a U.S. Marshal and notified about the Order a day before it was issued. In conversations with the Marshal, the ISP's Manager for Investigations learned that the government wished to install a device called ''EtherPeek'' to carry out the Order.(see footnote 116) It was explained that the EtherPeek device would be connected to the ISP's internal data network and would allow the government to monitor the electronic messages on the system. This raised several concerns for the ISP, including whether the device would allow the government to view the contents of intercepted messages, whether the government's review of the messages could be limited to the target of the Order as opposed to all of the ISP's customers, and whether use of the device would be consistent with the Order and ECPA.

    The ISP was concerned that the device to be installed would have the ability to see all content and header information for all email messages sent or received by its system. Indeed, the materials available at the manufacturer's website stated that ''EtherPeek and TokenPeek capture all conversations on a network segment, much like a telephone tap,'' and the product description indicated that it would enable the user to view the content portion(s) of electronic messages. At a minimum, the ISP was concerned that the device would disclose the header information on email messages, including the subject line, which would exceed the terms of the Order and the authority under ECPA. In addition, to the extent the Marshals intended to access the EtherPeek device remotely, the ISP was concerned that their activities would create a major security hole in its internal network that could be exploited by others.

    In view of these concerns, the ISP proposed a compromise that would not entail the installation of a device on its system. It designed a software solution to comply with the Order to provide the government with email sender and recipient information, without disclosing the content of communications, or invading the privacy of other subscribers. Initially, the government agreed not to insist upon installing or requiring the installation of its own device at the ISP. A few weeks later, however, the Marshals Service became dissatisfied with the compromise solution and insisted that it should install its own device.

    At that point, the ISP filed a motion asking the Magistrate who had issued the trap and trace order to quash, or at least limit and/or clarify the Order.(see footnote 117) The motion provided the background leading up to the Order, including the ISP's efforts to assist the Marshals short of having a device attached to its facilities, the Marshals' resulting demand for attachment of the device, and the legal bases for the ISP's belief that such activities were not authorized by ECPA.

    The government opposed the ISP's motion. The essential thrust of the opposition was that 18 U.S.C. §3122 empowers it to obtain the ''conceptual equivalent of a telephone number'' and that, even though email addresses ''are commonly referred to by names, . . . such names are viewed by the computer as a number.'' It acknowledged that its proposed device would not be connected directly to a telephone line but would be connected to ''a router which is connected to the telephone lines some customers use to access [the ISP's] system.'' The opposition stated that the government did not intend to install the ''EtherPeek'' device, but instead planned to use a proprietary software program with the not-very-reassuring name of ''Carnivore.'' Although the government acknowledged that Carnivore would be capable of capturing more than the information authorized under the Order, it would be programmed to obtain only information from the target subscriber's account, and would be configured not to intercept the content of any communication. It was acknowledged that Carnivore would enable remote access to the ISP's network and would be under the exclusive control of government agents.

    Following a hearing on the motion, the Magistrate denied the ISP's motion. In a four-page discussion, he held that the government's proposed activities to intercept email routing information are the functional equivalent of capturing telephone numbers with a pen register or trap and trace device. The order noted some key differences between the use of a pen register or trap and trace device installed at an ISP and more traditional uses of such devices. The Magistrate agreed that the drafters of Sections 3121–3127 of ECPA did not contemplate that it would be used to authorize the issuance of court orders to capture email addresses of persons sending email to and receiving email from a targeted email address. The Magistrate also noted that Carnivore is not attached to a telephone line, which is a crucial element of the statutory definition. However, because the ISP's network is attached, ultimately, through other pieces of equipment, to telephone lines, the Magistrate upheld the trap and trace order.

    At the hearing the Magistrate indicated that he would welcome guidance from reviewing courts. However, as noted above, there is little incentive for ISPs to litigate cases of this type, and, as a result, no reported cases. Although this case might provide some guidance, the decision is under seal. Ultimately, the ISP and the government reached an accommodation in which the device was installed and further assurances were made about network security and about protecting the privacy of subscribers generally.

CONCLUSIONS

    This story is not intended to suggest that any of the parties involved acted without due regard for the law enforcement or privacy interests at issue. The government was pursuing a legitimate law enforcement objective and was sensitive to the privacy interests at stake. At the same time, the ISP made a good faith effort to meet the needs of law enforcement while seeking judicial clarification to protect the privacy of its subscribers. The story indicates, however, that the authority to install pen registers or trap and trace devices on the data networks of ISPs is far from clear, and that current law is unsatisfactory from both law enforcement and privacy perspectives. The story does not address what would happen if a government entity used this authority without due regard to the privacy interests involved. If Congress decides to amend the law to extend pen register and trap and trace authority, it should do so only after fully considering the Fourth Amendment implications of such a change.

    Mr. CANADY. Mr. Richards.

STATEMENT OF JEFF B. RICHARDS, EXECUTIVE DIRECTOR, INTERNET ALLIANCE

    Mr. RICHARDS. Mr. Chairman, Mr. Watt, Mr. Barr, I really am grateful for the opportunity to be here today. I am Jeff Richards, executive director of the Internet Alliance. Ironically, it was our predecessor, the Videotex Industry Association, in 1983—that is 1983, not 1993—we were founded by those companies who had the audacity in 1983—they were The Source, CompuServe, Western Electric, and others, another hallowed name long gone, who said that there would in fact be a consumer marketplace one day, and when there was, it would change everything. So for about 10 years we mostly battled total disbelief and catcalls and now are dealing with the problems of success, and we are seeing the problems of success here before us today.

    It was, in fact, the VIA and one of our founders CompuServe who were one of the triggers of ECPA in the first place. It was CompuServe, I believe, who found that agents thought showing up at 5 a.m. at CompuServe's front doors would accomplish the same thing as showing up at a suspect's home at 5 a.m. Some investigative techniques have improved since then. Some have not.

    We possess the unique viewpoint of a trade association today which actually has an established record of cooperation with law enforcement. Our Law Enforcement and Security Council brings together senior security officials of key IA members to bridge the gaps, and there are some real gaps between industry, Federal, State and international law enforcement agencies, a topic we could talk about in itself.

    We believe the Government's most pressing duty today to protect consumers on the Internet is to effectively enforce existing laws, and we support and have supported additional appropriations of Federal and State agencies to increase the number and competency of investigative and prosecutorial personnel and so forth, but let me condense it into five quick points.

    The Internet's ultimate success will depend upon the extent to which consumers trust the security of personal information sent on it.

    Second, it is particularly true when it comes to criminal investigation and prosecutions that proper observance of the fourth amendment's protections and the statutes such as ECPA is essential if the public is, as it was then—we think ECPA laid the groundwork for the explosion of consumer e-mail—is essential if the public is to develop and maintain this level of trust, and so we support strongly the broadest reach of ECPA.

    Third, ECPA has been very useful in laying out reasonable ground rules in the past to govern law enforcement requests. Regarding its coverage to new Internet services such as third-party storage of calendar information, it is our belief that ECPA is drafted broadly enough to cover these activities, and in the experience of major ISPs that are members of the Internet Alliance, law enforcement officials seeking such information have not claimed otherwise. However, if this conclusion were to appear to be in doubt, we would support the enactment of clarifying language making plain ECPA's broad applicability.

    Further, fourth, we believe the current legal framework is generally sound. Leading ISPs represented by the Internet Alliance include AOL, MCI WorldCom/UUNet, Bell Atlantic, IBM, Prodigy, Microsoft; in fact, more than 90 percent of consumer U.S. access today. They place great value on consumers' confidence and have established policies and internal mechanisms limiting the sharing of personal user information with law enforcement in accordance with ECPA. However, our companies' experience with law enforcement has been variable. There have been cases in which subpoenas and other documents and even improper verbal requests were submitted to the wrong persons, such as customer service representatives, rather than those within the company's structure responsible for responding to such requests.

    In many cases, subpoena requests seek information beyond that which is authorized by ECPA, presumably because the officers were not adequately informed. While many larger ISPs have the resources to counter these problems on their end, we cannot reassure the subcommittee that the same is true throughout the industry, especially among those who may infrequently deal with law enforcement.

    So for these reasons our Law Enforcement Security Council is in the process of developing and rolling out a multimedia training course for law enforcement officials in conjunction with the Department of Justice and Interpol. The Law Enforcement Security Council is also developing a worldwide, comprehensive, secure electronic directory—that is a lot of attributes all for one little thing—but it is a very important directory because it will respond to and make possible legal requests for information; who is the right company contact at this particular company at a particular point in time, made available to law enforcement and vice versa. We think these are the kinds of concrete kinds of steps that have to be taken now.

    As I am concluding, there is one set of special circumstances we would invite you to consider in the ECPA context. Infrequently law enforcement asks for information in situations regarding an immediate threat to life or bodily harm, suicide threat, some other situations, when it is felt that information cannot wait until ECPA authorizing documents are obtained. And so we would seek a narrow exemption that helps in this situation, user location information possibly based on navigational data, so that we feel that we are in the middle, in a position between possibly life-threatening situations and law enforcement requests, and there may be an area here where there could be some further work done with ECPA to help map out this particular situation.

    In conclusion, we share your commitment to ensure the protections of the fourth amendment—that the fourth amendment applies online as well as offline, and that ECPA is honored both in theory and in practice.

    As we have heard today, there have been some very interesting anecdotes. I plan to keep our Law Enforcement Security Council—frankly, I am going to brief them about what was said here today and see if they have a response, and we look forward to being helpful, we hope, to you as you go forward in further hearings and other investigations. Thank you very much.

    Mr. CANADY. Thank you, Mr. Richards.

    [The prepared statement of Mr. Richards follows:]

PREPARED STATEMENT OF JEFF B. RICHARDS, EXECUTIVE DIRECTOR, INTERNET ALLIANCE

    Mr. Chairman, Mr. Ranking Member, members of the Subcommittee, I am Jeff B. Richards, Executive Director of the Internet Alliance. Since its founding in 1982 as the Videotex Industry Association, the Internet Alliance (IA) has been the only trade association to address online Internet issues from a consumer Internet online company perspective. Through public policy, advocacy, consumer outreach and strategic alliances, the IA is building the trust and confidence necessary for the Internet to become the global mass-market medium of this century. The Internet Alliance's 70-plus members represent more than ninety percent of consumer access to the Internet in the United States. Since May of 1999, the Internet Alliance has been a separate subsidiary of the Direct Marketing Association, bringing the resources of a 4,500-member organization to bear on Internet issues and their resolution.

    Our mission is to increase consumer trust and confidence in the Internet by promoting good business practices, public education initiatives, enforcement of existing laws protecting consumers, and the development of a legal framework governing the Internet that will provide at the same time predictability and efficiency, security and freedom to innovate. Because of our business point of view coupled with our focus on improving the Internet experience for consumers, we feel well qualified to provide the Committee input and advice on its questions on the application to the Internet of the Fourth Amendment of the U.S. Constitution.

    We also possess the unique viewpoint of a trade association with an established record of cooperation with law enforcement. IA's Law Enforcement and Security Council brings together senior security officials of key IA members to bridge the gaps between industry and federal, state, and international law enforcement agencies. It benefits from IA's unique presence—in the fifty states, Washington and abroad—to increase its knowledge and leverage. We have an excellent, constructive relationship with representatives of various levels of law enforcement. We believe the government's most pressing duty in protecting consumers on the Internet is to enforce existing laws, and we support additional appropriations for federal agencies to increase the number and competency of investigative and prosecutorial personnel, and to provide them with state-of-the-art technology.

    In addressing the subject of this hearing, let me first observe that while the Internet has experienced an unbelievable expansion of functionality and usage in less than a decade, its ability to attract the tens of millions who do not currently use it, and its continued ability to evolve in beneficial ways, is not at all assured. Indeed, there is a significant risk this new tool will fail to become the universal medium of the twenty-first century, that it will fail to deliver on its promise to revolutionize business and shopping practices, to enrich and extend education, to expand interpersonal communication and enable instant worldwide publication of ideas and creative content, in short, that it will fail to fully empower individuals through the unprecedented and virtually unlimited ability to make truly personal choices over what to learn, whom to talk to, where to visit, what to say. The condition for this outcome is the Internet's failure to satisfy the needs and desires of the ordinary user.

    Many factors affect consumer satisfaction, but we are convinced none is presently more important to the public than the security of personal information transmitted online or stored by technologies which are accessible online. As with other public concerns, this one did not arise with the emergence of the Internet. It is simply the reflection in a new environment of the overriding value our nation places on individual freedom, and of our recognition that in securing individual freedom, one of our most vital principles has been limiting government access to confidential information.

    That principle is embodied in the Fourth Amendment's prohibition against unbridled searches and seizures by government. This limitation remains a cherished part of our legal structure, even though it sometimes thwarts government's attempts to identify criminals or to gather the evidence necessary to convict them. In other words, we value freedom enough that we're willing to tolerate some degree of crime to secure it. It is this balancing of security and freedom which produces the age-old tension the Subcommittee has noted. None of us want to live in anarchy and lawlessness, but neither have we been willing to submit to the kinds of authoritarian rule which has sometimes prospered elsewhere by promising a no-holds-barred attack on crime.

    I make this point because it is relevant to today's discussion. Clearly Congress has already placed great emphasis on implementing the Fourth Amendment's protections online. The signal example is the enactment of the Electronic Communications Privacy Act (ECPA). In ECPA, Congress established rules and procedures by which law enforcement could have access to an individual's electronic communications and records. These limits on government parallel the approaches traditionally taken in the ''bricks and mortar'' world: requirements, in various settings, for warrants, judicial orders and subpoenas before those in possession of data can be required to share them with law enforcement.

    The Subcommittee now examines with a fine sense of timing whether technology, business models, or user activities have changed over the last few years in ways that expose gaps in laws carrying out our Constitution's Fourth Amendment, and privacy, mandates. The subcommittee has also expressed interest in how the mandates of law are being carried out in practice. Accordingly, our response is two-fold:

 First, we believe that the language of ECPA was drafted broadly enough to capture the new Internet functions that are being developed, at least to this point. In our experience, law enforcement is treating these functions as subject to ECPA restrictions.

    To illustrate, let me point to the growing trend of third-party services hosting confidential consumer information for various purposes on servers or by other means. A number of companies invite individuals and groups to set up their calendars on secure servers, a convenient means of coordinating schedules by simply accessing the Internet. Likewise, others give free server space for the hosting of document files, both for backup storage and to enable group members to work together on the same document from different locations. And there are a number of sites where family photographs and other personal content can be deposited under restrictive access conditions controlled by the user or group. We believe these kinds of data are covered under ECPA.

    Similarly, user travel and transactions on the Internet can generate new kinds of records, whether they be intentionally generated for a specific purpose or mere artifacts of transmission or storage. These range from navigational data to chat room and dynamic address records. While the user is often not consciously involved in their creation, we believe these records are and must be covered by ECPA.

    Regardless, constitutional values continue to govern government's law enforcement activities even with respect to activities that may not fall clearly within the terms of ECPA or of related restraints. Thus, if ways of transmitting, using or storing confidential information are developed, that are determined to be outside the coverage of ECPA, we would urge the Congress to move promptly to extend ECPA's coverage.

    However, there is one set of special circumstances that we would invite the Subcommittee to consider. Infrequently, law enforcement asks for information in situations involving an immediate threat to life or bodily harm, when it is felt that access to the information cannot wait until ECPA authorizing documents can be obtained. These requests often seek user location information based on navigational or other system data identifying the locality from which a message or transmission originates. Rather than subjecting the ISP to an unfair choice, or jeopardizing subsequent prosecution based on improperly shared information, ECPA could be amended with a limited exception for exigent circumstances, perhaps subject to the condition that applicable ECPA requirements for subpoenas, orders, etc., are complied with as soon as practicable after the exception is invoked. Any such provision would need to be very narrowly drafted, and should provide that such information cannot be used in a criminal proceeding if the exception is invoked improperly. If the subcommittee agrees that such a provision is called for, we would be happy to work with you in crafting legislative language.

 Second, we believe the current system of Fourth Amendment protections is generally working well. Major ISP's represented by the Internet Alliance include AOL, MCI WorldCom/UUNET, Bell Atlantic, IBM, Microsoft, and Prodigy. They have in place policies and internal mechanisms limiting the sharing of personal user information with law enforcement in accordance with ECPA. However, while we cannot speak for others, our companies have had experience with some law enforcement personnel who seem to have been unaware of ECPA's requirements. There have been cases in which more information was requested by subpoena than is permitted under the law, and in which legal request documents and even improper verbal requests were submitted to the wrong persons, such as consumer service representatives, rather than to those within the ISP structure responsible for responding to such requests.

    In part for these reasons, we have strongly supported additional resources for training law enforcement in proper investigative techniques in the online environment. We testified to this effect before the Senate Appropriations Committee earlier this year. In addition, the Internet Alliance through its Law Enforcement and Security Council (LESC) is in the process of developing a basic multimedia training course for law enforcement officers, in conjunction with the Department of Justice and Interpol. The LESC is also developing a comprehensive list of company officials authorized to respond to legal requests for information, which will be accessible to law enforcement officials nationwide, and which will hopefully eliminate the problem of misdirected requests.

    In conclusion, we share the Subcommittee's commitment to ensure that the protections of the Fourth Amendment apply online as well as offline. We believe the current system of laws is generally adequate, and we believe both industry and law enforcement are doing a good job complying with the law. From our end, we have initiatives in progress to further improve the situation, and we welcome the Subcommittee's continuing oversight to monitor the situation as the Internet continues to evolve.

    Thank you. I would be glad to respond to any questions.

    Mr. CANADY. And for our last witness of the day on this very, very interesting and informative panel, Ms. Wong.

STATEMENT OF NICOLE WONG, EXECUTIVE DIRECTOR, PERKINS COIE

    Ms. WONG. Thank you. Good afternoon or evening, Mr. Chairman, Mr. Watt, Mr. Barr. I am coming here from San Francisco in Silicon Valley where I represent a number of Internet clients. I am not here today representing any of them, and the views that I am going to discuss with you today are really my own and not representing any client or even the firm.

    There has been so much valuable testimony here today that what I think I can probably do best is to give you a sense of what is happening at ground zero in Silicon Valley. The bulk of my practice is to advise Internet companies that range from emerging growth companies to very well-established companies that are ''bricks-and-mortar'' companies, as we call them, that are moving online and to help them set up policies so they are in compliance with laws. And very frankly, the privacy laws are some of the most difficult ones to try and comply with. My advice ranges not only from what the FTC has been doing in the last few years, but also in responding to the requests of Federal, State and local law enforcement to provide information or content about users. So I would go off my written testimony and simply ask it be entered in the record.

    First, to sort of give you a sense of what the privacy landscape is for Internet companies today, as you are probably aware, online privacy has been the dominant business and legal issue for these Internet companies, starting with the FTC's 1996 report, which was looking at the state of consumer privacy online, and the report was quite discouraging. The clear thrust of what the FTC said there was that users on the Web do have a right to privacy in the information that they transmit over the Web, and it should be treated with great respect.

    Following that, both the European Union and now just this week Canada have actually enacted stricter standards for protecting personal privacy, and then last year this Congress and a number of Federal agencies enacted specialized laws to protect online privacy, the children's online privacy protection law and also special laws for consumer financial information and for health and medical information.

    Finally, in the last 6 months we have actually seen several major class action lawsuits filed against Internet companies for the alleged unfair or deceptive data collection practices by Internet companies.

    All of this is to say that the message that my clients and other Internet companies are getting is that consumers very much value their privacy on line, whether it is the registration information that they are providing, or if it is their click stream data.

    Against this background of intense scrutiny over the protection of user information, we have seen a number—an increase in Federal, State and local law enforcement agencies asking for information that is collected, maintained and stored by these Internet companies, and in the middle of all this sit my clients and other Internet companies who are trying to balance their desire to cooperate with law enforcement and to deter criminal activity on their Website and their systems, and yet to respect the privacy of their users.

    Having said this, maybe I can throw out a few terms in terms of the type of information collected by most or some Internet companies to sort of help give us a framework for this discussion.

    Typically, when I sit down with my clients and go through privacy issues, we try and identify all the types of information they are collecting, and it, generally speaking, falls in four categories: One, information that is specifically requested by the service; for example, the registration information you provide when you sign up for a service, typically an e-mail address and a pseudonym, or it could be more detailed information. If I order a book online, I am going to give my billing information and my shipping information.

    Second is, I think, the grayer area, and no one knows quite how to deal with yet, which is the navigational or click stream data, and this is data that is collected when a user hits a Website. They can be tracked through a variety of technologies, which I mention more in my written testimony, cookies which allow the Website to identify a specific user as they come onto the system, the IP address which is transmitted from the user's Internet service provider to a Website, referrers which show where the user last came from and where they are going, and global unique identifiers which can identify the specific or unique download of a particular type of software.

    All of these, although they are navigational information or click stream data and neutral, can be matched to personal information and can be quite revealing of a person even if it is not content. And so that is something which I think we should begin to consider what the user's reasonable expectation of privacy is in that type of information.

    There are two other categories, one public communications, the type of things you will see on a message board, which for all intents and purposes is really like putting up an ad in the newspaper because it is distributed around the world. So there probably is not a high degree or expectation of privacy in the content of the message. But I think we also should ask the question of whether there is a degree of privacy in who put up the message, and as I think was mentioned earlier, the Supreme Court has recognized a right to speak anonymously.

    And finally, the last one that has been most discussed here is the nature of private communications for services that provide e-mail or private clubs where users are able to send communications to specific people, and it is their expectation that the content will only be divulged between the sender and the recipient.

    It is in this cyberworld that it is still unclear what level of privacy a user expects. When I talk to some of my colleagues, there are many people in Silicon Valley who have moved the computer. It is not just in their office anymore. It is in their home. It is in the living room next to the TV. The computer has become another appliance. So when I use my computer in my home to do my banking or trading or communicating with my family, it is as if I was doing this all in my home and not as if it was existing—all that stored content was existing somewhere else out of my control. What I think this begs is for us to look at the reasonable expectation of privacy, that touchstone of the fourth amendment and how it is changed by a technology where the Internet works by sharing and passing along data on different servers and whether or not there nonetheless exists a right of privacy for the individual who is sending along those packets.

    Thank you very much for your time.

    Mr. CANADY. Thank you.

    [The prepared statement of Ms. Wong follows:]

PREPARED STATEMENT OF NICOLE WONG, EXECUTIVE DIRECTOR, PERKINS COIE

    Good afternoon, Mr. Chairman and members of the Committee. My name is Nicole Wong and I am an attorney with the law firm of Perkins Coie in its San Francisco and Silicon Valley offices. I am delighted to have the opportunity to appear before you today on this important issue of the Fourth Amendment and the Internet.

    The core of my practice is Internet law and advising clients about doing business on the Web. My clients include Yahoo!, Dell, Go2Net, General Electric Company, Los Angeles Times, Third Voice, Octopus.com and Zero Knowledge. Today, I am not representing any of those or other cutting-edge companies, but only appear as one who spends the bulk of her time advising many of them about online privacy and other Internet-related issues.

I. BACKGROUND: ONLINE PRIVACY PROTECTION

    As you are probably aware, online privacy has been a dominant business and legal issue for Internet companies and bricks-and-mortar companies moving online. In late 1996, the Federal Trade Commission released a report on the state of consumer privacy on the World Wide Web, and the findings were not encouraging.(see footnote 118) The clear thrust of the FTC's report was that information provided by users to Web sites should be presumptively private and should be treated accordingly.(see footnote 119) This same concern was echoed in the international community. In 1998, the European Union passed its Directive on Data Protection to ensure the privacy of EU residents' personal information (under far more stringent standards than in the U.S.), and other nations are following suit.(see footnote 120) In the last year, this Congress and a number of federal agencies announced new privacy laws and regulations to protect children's online information, consumer's financial information, and health and medical information.(see footnote 121) Furthermore, in the last six months, more than ten major lawsuits have been filed arising from the alleged unfair or deceptive data collection practices of several large Internet companies.(see footnote 122)

    Against the background of this intense scrutiny over the protection of user information, federal, state and local law enforcement and other government agencies began requesting personal information about users that is collected, maintained and stored by many Internet companies. While both this government and the public seek greater protections for the information provided online, law enforcement agents demand access to the same information, even where the law does not clearly authorize such access.

    My purpose in speaking to you today is to give you a sense of the difficulties faced by these Internet companies as they try to navigate the course between cooperating with law enforcement and other government agencies and protecting the privacy of their users. The advances in technology over the last five years are reshaping our notions of personal privacy and demanding reconsideration of our privacy and search and seizure laws.

II. ''PERSONS, HOUSES, PAPERS AND EFFECTS''

    The Fourth Amendment imposes limits on government interference with personal autonomy by protecting ''persons, houses, papers and effects'' from unreasonable search and seizure.(see footnote 123) As an initial matter, it may be helpful for me to explain the types of services and information, the cyber-equivalent of ''persons, houses, papers and effects,'' available on and through the Internet.

    For those of you who regularly surf the Web, you probably know that just about any good or service you want can be found on the Internet. You can get an e-mail account accessible from anywhere in the world. You can sign up for news bulletins specifically tailored to your interests. You can maintain a personal calendar on the Web and share it with others. You can record your own music and perform it for others. You can find a date or a rock climbing partner. You can seek expert advice in any range of areas from taxes to astrology. You can order groceries. You can order prescription drugs. You can bank or trade. You can make travel arrangements. You can sell all that old junk in your garage. You can create a private club to discuss anything from presidential politics to Pokemon. The list goes on.

    In general, the information collected by Web sites can be placed in four categories:

1. Specifically Requested Information. Most Internet Service Providers, Web sites and other online services ask users for some personally identifying information, either for purposes of registration, participating in contests or surveys, or making purchases. Such information may include name, address, e-mail address and credit card information.

2. Navigational and Transactional Data. In addition to direct requests for information, most online services also use some form of tracking technology to collect information while a user ''surfs'' their site or the Internet generally. This data can be used to create a record of a user's online communications, transactions and other activities, including Web sites visited, pages and ads viewed, purchases made, and more. This record of a user's travel through the Internet is sometimes called ''clickstream data.'' Specific types of such data include:

a. Cookies. ''Cookies'' are small data text files that are sent from a server computer to a recipient computer during a browsing session. Cookies allow a Web site server to remember what the user did when he or she visited the site; for example, when the last visit occurred and which pages were viewed at that time. While a cookie identifies an individual user's computer in the sense it can distinguish one from another, it typically does not know the actual identity of the user. Generally, cookies do not pose a threat to either destroy or compromise a system.

b. IP Address. When a user connects to the Internet, its ISP assigns the computer a numeric Internet Protocol Address. The IP Address allows the user's computer to communicate with the servers of the Web sites he or she visits, and may be traced to the ISP or, in some cases, computer owner. Generally, IP addresses are automatically gathered and maintained by the Web site.

c. Referrers. Some online services may collect a ''referrer'' from the user's Web browser which references the URL that the user is visiting. Such information is generally used to identify and track a user's travel across the Web.

d. GUID. A Globally Unique Identifier is an alphanumeric identifier for a unique installation of software. GUIDs may be used to identify software or other files created or downloaded on the user's hard drive.

   By themselves, cookies and other tracking technology typically do not reveal the actual identity of an individual. When matched with personal information provided by the user (such as registration data), however, the data can be used to create a profile of a specific user. Cookies and other tracking technology enhance the browsing experience by identifying the user with his or her previously selected preferences or activities during earlier visits, which ''personalizes'' the site for the user's repeated visits.

3. Public Communications. Many Web sites host message boards or chat rooms that are open to site members or the public generally. Such public postings are equivalent to taking out an ad in the local newspaper. These messages are, for all intents and purposes, ''public'' communications and users have no reasonable expectation of privacy in such communications.

4. Private Content. Many online services also offer private communication tools, such as e-mail or instant messaging or private ''club'' platforms, or simply private storage facilities for users to keep and access data. In general, these communications are intended for the eyes of the sender, recipient or storage holder alone.

    Your activity on the Web—in whole or part—may be collected, used for internal analysis, marketing or other purposes, or rented, sold or disclosed to another company. The routine logging of user activity information can produce highly granular and powerful information about your interests, preferences and habits. For example, an e-commerce site may track not only what you purchase, but also the Web pages you look at and for how long. This is equivalent to someone not merely reviewing your receipt of purchases from the store, but following you through the aisles of the store and recording all of the goods or promotions that catch your eye. In this new cyberworld, it is still unclear what expectation of privacy users have. As the class action lawsuits described above indicate, many users do believe that they have a privacy right in the data regarding the Web sites they visit, what Web pages they click on, and what software they use.

III. INTERNET USERS' EXPECTATION OF PRIVACY

    The new technologies demand a new look at the Internet user's reasonable expectation of privacy, the touchstone of the Fourth Amendment. While data reflecting one's ''communications, personality, politics and thoughts''(see footnote 124) is more accessible than ever, the legal protection for such data has not evolved with the technology. If the right of privacy is to have any meaning, then the mere fact that technology makes access to personal information both possible and easy should not eviscerate the individual's expectation of privacy.

    As described above, the Internet—by its networking nature—challenges existing laws predicated on the old-fashioned belief that a person's most private possessions are in the home, and that privacy ends at the property line.(see footnote 125) In cyberspace, however, we must recognize that the traditional notions of ''place'' and ''possession'' do not exist in a network of computers that function on the basis of sharing and passing along data. When an individual logs onto her computer at home, however, she suddenly connects to a vast network of computers and data which appears on her computer screen is not ''in'' her home. Yet, most users would argue that the bank statements, personal correspondence, personal calendars and address books are personal and private and should be accorded the same degree of protection from government intrusion as if those ''papers and effects'' were kept in the home.

    And there are other interests involved. For example, a user who anonymously posts on a public message board may have an expectation that she will remain anonymous and, furthermore, may have a First Amendment right to speak anonymously.(see footnote 126) Similarly, a user may have an expectation of privacy in her membership in an online ''club'' for her church group, chess club, or political association, and a right to freely associate with those groups without the oversight of the government.(see footnote 127) Based on similar notions of privacy and the First Amendment, Congress previously passed a law establishing a privacy right in an individual's video rentals.(see footnote 128) Substantially similar privacy interests are implicated on the Internet.

V. GAPS IN THE LAW

    There are three principal federal statutes governing the interception and disclosure of electronic information:

1. Electronic Communications Privacy Act of 1986 (''ECPA''), Title I, 18 U.S.C. §2510 et seq. (''Wiretap Act''), makes it unlawful to listen to or observe the contents of a private communication without the permission of at least one party to the communication or a probable cause order.

2. ECPA, Title II, 18 U.S.C. §2701 et seq. (''Stored Information Act''), generally prohibits the disclosure of the content of electronically stored communications or user information to the government unless an appropriate warrant, court order or subpoena is obtained.

3. ECPA, Title II, 18 U.S.C. §3121 et seq. (''Pen Register Act'') prohibits the installation or use of a pen register or trap and trace device without first obtaining a court order.

In addition, online service providers should be aware of various discovery statutes, privacy and other state laws and their contractual obligations to their users (i.e., Terms of Service) that may bear on the disclosure of user information and electronic communications.

    The ECPA was enacted in 1986 recognizing that ''despite the efforts by both Congress and the courts, legal protection against the unreasonable use of newer surveillance techniques has not kept pace with technology.''(see footnote 129) Now in the year 2000, the technology has again outpaced the law, resulting in uncertainty for online services, Internet users and the government as to what information may or may not be disclosed and under what circumstances. By way of example, here are some issues not directly addressed by current law:

    Are web sites covered by the ECPA? Is a website an electronic communication service (''any service which provides to users thereof the ability to send or receive . . . electronic communications'')(see footnote 130) or a remote computing service (''provision to the public of computer storage or processing services by means of an electronic communications service'')?(see footnote 131) If a Web site is simply a ''bill board'' with advertising, must it disclose user information about its advertisers? If a Web site sells goods on credit card transactions, are those transactions ''communications?''

    Is transactional data content of communications or user information? Is an Internet Protocol address the content of a communication or something pertaining to user information? What about clickstream data?

    Does the Pen Register Act apply to e-mail or other Web-based communications? What are the impulses to be recorded that ''identify the numbers dialed'' or ''identify the originating number'' of the device from which the communication is transmitted?

    To what extent must the online service provider assist law enforcement in obtaining information? If an online service is not designed to capture the type of information that the government requests, what assistance must the service provider offer? Can the service provider be required to create new programming code or to redesign the site for a use not intended by—or useful to—the business?

    The lack of clarity in the existing laws calls for new legislation to update the protection of personal data from the unwarranted intrusion of the government in light of new technology.

V. CONCLUSION

    Notwithstanding battles with certain government agents as to what information may be disclosed, online services and government agencies are almost always on the same side. Both have an interest in ensuring the protection of the public and the security and growth of e-Business. This is achieved, not only by ensuring that Internet criminals are caught, but that regular ''Netizens'' are confident of their privacy.

    Mr. CANADY. Mr. Watt.

    Mr. WATT. This is pretty much like the whole e-commerce and e-world is so overwhelming, it is hard to know where to start. Let me start with Mr. Corn-Revere to be sure that I am clear on two things. Number one, I assume that in your case that is now sealed, the person whose information was being sought was not at the table in this discussion, it was you as the ISP and law enforcement who was deciding on this person's privacy?

    Mr. CORN-REVERE. That is right. Under ECPA, trap and trace orders and pen register orders are issued as ex parte orders. So the Government goes to a judge or magistrate and gets the order and executes it without any knowledge on the part of the target, because obviously if the target knows that surveillance is taking place, then the communication stops.

    Mr. WATT. And number two, then, I am assuming the reason that this information is now sealed and you can't talk about it is that this person still doesn't know?

    Mr. CORN-REVERE. So far as I know. I don't know what has happened with that investigation, but it is under seal because the Government was renewing its order to continue the investigation. Typically these kinds of orders are never challenged in court because, as other witnesses have testified, there is essentially no threshold of proof required to get the warrant other than a certification that the law enforcement official expects it to be relevant to an ongoing criminal investigation. The law further provides that the court ''shall'' issue the order upon receiving that kind of certification. There typically is no one in a position to challenge the order. The situation that I described is a rather unique one where there was a serious concern that the order was going to result in the invasion of privacy beyond the terms of the statute both for the target of the investigation and potentially for other subscribers to the ISP service. So we ended up going to a hearing. Yet still there is no publicly available case law or analysis to provide guidance to anyone else.

    Mr. WATT. To some of us who profess that we are purists on some constitutional issues, it is a little frightening what Professor Rosen and Professor Fishman were saying about kind of having different standards for different kinds of allegations of criminal activity. I guess there is some precedent for that, or is there precedent for that now? I know that we have pretty much reacted in a different way to terrorism and to some extent to child pornography in some select cases. Are we in the process right now of basically setting up different categories of standards under the fourth amendment?

    Mr. FISHMAN. Congress did so in 1968 when it passed title III, more was required to obtain a wiretap than is required for a search warrant. It is not a question of watering down standards so much as requiring more than the Constitution requires if the evidence sought or the means to seek it is particularly intrusive.

    That is what Congress did in 1968, and Congress could vary the formula either by being more demanding or less demanding, depending upon how it viewed the particular situation.

    Mr. WATT. You are distinguishing between a search warrant and a wiretap?

    Mr. FISHMAN. Correct. It is much more difficult to get a wiretap than a search warrant, and I think that is as it ought to be, because a wiretap is so much more intrusive.

    Mr. ROSEN. Congressman, that leaves private papers and e-mails and click stream data and all the things we have been talking about this morning essentially unprotected. You have much more protection for your telephone conversations than even for your private diaries stored on the computer. So although it does seem counterintuitive that there should be different standards for different crimes, it is really necessary if we are to resurrect the same amount of protection today that we had in the 18th century. In the 18th century judges did engage in that balancing act under the rubric of reasonableness.

    The fourth amendment prohibits unreasonable searches. All of us can recognize that the diaries in the Unabomber case are perhaps much more legitimately obtained than diaries in the Packwood case. So what we have abandoned now is the ability to have judicial agents conduct this balancing, and you have a great opportunity as the Legislature to actually carry that title III model into the electronic world and specify the crimes that can justify these intrusive searches.

    Mr. WATT. If we can get the two lobbyists here to respond, so go ahead, and then I will yield back. I don't have any more questions.

    Mr. CANADY. Without objection, the gentleman will have 3 additional minutes.

    Mr. DEMPSEY. I just wanted to be sure that the record is clear, neither of the witnesses was suggesting lowering the standards for more serious crimes. What Mr. Rosen was suggesting was increasing the standard for everything except the most serious crimes. Right now, one of the differences with the way we are treating this data is that the e-mail, the records outside the home, all of this information outside of our physical custody is not even enjoying the protections of title III. That information is currently available in investigations of any crime, often on a mere subpoena without the contemporaneous notice required by the fourth amendment. So I think what Professor Rosen is saying is let us put the standards in place for all that information that we have under title III where we did say wiretapping is permitted for only the most serious cases.

    Congressman, you are 100 percent right to ask where do we start here, and I think we start with the core concept of the fourth amendment. If the Government wants to get my date book, they have to come to me to get it, and they can seize it from me immediately with a warrant, or they can get it from me with a subpoena. If they want to come into my home, they have to get that warrant and knock on the door. If I don't open the door, they can break it down, but they need that warrant, and I get to see that warrant.

    Now, the home has exploded. All of that information which we used to keep, even on the hard drive of your computer, is out there on these networks. It is out there in third-party records. It is stored on remote servers, and the current standards of the law do not come anywhere close to that fourth amendment core principle, and that is what we need to use as our touchstone here as we try to sort through all of these complicated technologies.

    Mr. WATT. I was wondering why I was being so conservative in keeping all my stuff on my hard drive. I am not connected. I know it is sacrilegious to say that to a bunch of computer people, but I am not on this.

    Mr. DEMPSEY. I would say, Congressman, that even in your office, what you think is in your office is actually probably on a server maintained by the administrative people.

    Mr. WATT. All that is public information. I don't worry about that. It is my personal information I worry about.

    Mr. NOJEIM. Just I think the important thing is not to try to tinker with what is probable cause and what is not based on the crime that is being investigated, and my radar kind of went up when I heard something earlier that might have been interpreted to suggest that.

    There is a bill over in the other body where there is some talk with tinkering with what is probable cause for purposes of a FISA warrant; if the warrant is being sought for a particularly egregious intelligence violation, then maybe what needs to be shown is a little less. There would be a balancing. If that balancing sneaks in, that is the end of probable cause. So we would urge you to keep that determination pure.

    Mr. BAKER. I will offer a note of slight dissent or caution here. The fact is a lot of this is data we gave away. We gave it away to advertisers when we went to Websites. They gathered it. We knew it, we were happy to have them do so because they gave us better advertisements as a result. I think it would be unusual to take the position that information that is for sale about us everywhere in the world is information that law enforcement can't get under a fairly easy standard. I recognize that these standards are absurdly low in some cases, but to say that that data ought to be treated as the environment of our home is, I think, a little excessive.

    Mr. WATT. Thank you, Mr. Chairman.

    Mr. CANADY. Thank you, Mr. Watt.

    Mr. Barr.

    Mr. BARR. Thank you, Mr. Chairman. There has been so much information here today, it is really hard to know where to start.

    Mr. WATT. You sound like me.

    Mr. BARR. I will take that as a compliment.

    Let me start with complimenting the committee staff for an outstanding memorandum provided for our background, Mr. Chairman. It provides considerably more background information, technical data than many of the background memoranda that other subcommittees provide, and it really was very, very helpful.

    We have touched on a lot of different areas. One that we haven't touched on that I would like if anybody here would like to comment on it, and that concerns the Privacy Act. And it came to my mind as I was reading a letter from the head of the Securities and Exchange Commission, does anybody see—and what now seems to be an increasing propensity for a lot of Federal Government agencies to do what we saw beginning, I guess, quite some time ago in Project Echelon, looking for keywords, being able to gather in huge numbers of electronic communications and analyze them and so forth, and now the SEC is saying that, and they sent me a letter the other day assuring me that my concerns were certainly not right at the time.

    I am still left with a lot of questions about it, and one question, putting aside whether or not it is possible or whether or not we should trust the Government to say, oh, we are only going to use this technology in this plan to gather information that is, in their words, readily accessible to the general public—leaving that question aside, are there Privacy Act concerns here? If you have a Government agency and they start gathering information, that means you necessarily need to store it and do something with it. Without any specific articulable reason to suspect criminal activity, are there privacy concerns with what these agencies are now starting to do that we ought to be considering?

    And that raises the whole issue of what is the interface between the Privacy Act and gathering and analyzing information off the Internet.

    Mr. Nojeim.

    Mr. NOJEIM. It does implicate the Privacy Act. If the data is gathered even from public places, and then it is put in, say, a name file, the SEC has said that it was also asking its provider to try to get the name of the person who was posting that note that said, get rich quick, that kind of thing, when they start putting it in personally identifiable files and start gathering the information, there should be the opportunity for the person to whom that information pertains to get it unless an exception applies, and there is a broad law enforcement exception to the Privacy Act.

    I thought the interesting question raised by the SEC's program was whether it would be physically able to reply to a Privacy Act request from a person who asked for that information, and it wasn't clear from the story that appeared or from the SEC's subsequent press release that it would be able to comply. So, yes, I think it does raise those concerns.

    Mr. BARR. I don't know at this point, Mr. Chairman, what other Federal agencies are starting to do this. It just so happened that I became aware of this, went through some media reports, but it might be interesting to inquire of all the Federal agencies whether they put out RFPs for similar software development, you know, the FTC, the FCC and so forth.

    One other area that we haven't touched on that we have sort of hinted at some problems in the area of foreign intelligence surveillance collection is the blurring of lines between foreign intelligence collection and domestic law enforcement information. I am sorry that the other Mr. Baker apparently had to leave because I wanted to pose a specific question regarding CALEA, and I don't know whether anybody here is sufficiently familiar with CALEA.

    For example, I did notice in the President's fiscal year 2001 budget his request for CALEA reimbursement is roughly split between the Department of Defense and the Department of Justice, and the question that comes to my mind is why is the national security establishment represented by the Department of Defense spending or proposing to spend such a large amount of money to support a statute that was intended to facilitate domestic wiretapping? And this raises questions in my mind about the continued blurring of the line between foreign intelligence collection and domestic law enforcement collection, and this is something that I suspect we will also be going into in some hearings on Project Echelon later on this year.

    Is anybody sufficiently familiar with CALEA to address that issue?

    Mr. BAKER. I do a lot of CALEA work. I used to kid that my practice consisted of being the first lawyer to figure out that the principal telecommunications regulatory body in the United States was the Federal Bureau of Investigation. On this issue, and having been general counsel of NSA, I am reasonably familiar with the lines between law enforcement and intelligence surveillance. I am not persuaded that where the appropriation is placed tells you much about the likelihood that this line is being inappropriately blurred, but I do think that there are significant challenges in the electronic world for the old rules that used to be easy to enforce. It used to be easy to say, ''You can't do that because that is a line on which Americans are likely to be talking, you can't intercept it without particularly strong reason to believe that they are agents of a foreign power.'' It is now much more difficult to tell who is hacking into your system. Whether it is an American or a foreign power is not something that is easily determined even after months of investigation.

    By and large the solution that has been arrived at is for the National Security Agency and the CIA to take a back seat to the FBI, which has gotten title III authority to go after people in those circumstances. There are some problems with doing that, some technical issues that have required support from national security agencies to the FBI, but the approach has been to require that anything that is done be done pursuant to domestic law enforcement authority.

    That isn't to say that there aren't any risks, but I think that in general law enforcement and intelligence authorities have been quite conservative about allowing intelligence agencies to do anything in the new regime without real assurances that Americans are not the targets.

    Mr. DEMPSEY. Congressman, if I could, there are a host of issues under CALEA that could be discussed. I think there have been abuses of that statute by the FBI in their pushing for additional surveillance authorities beyond those contemplated under that statute, and in the failure of the FCC to exercise the role that Congress granted it to hold a balance between privacy and law enforcement. We are right now challenging that FCC decision in court on the grounds that it did go too far and failed to protect privacy.

    I think the fact that CALEA is the law and that the FBI is exercising control, as Stewart Baker said, over the design of the Nation's telecommunications system heightens the importance of ensuring that we have strong legal standards for the use of those technical capabilities, and as we have talked about, those standards now are in some respects too low.

    Location information on cell phones is a major issue in the CALEA debate. The FBI convinced the FCC to require location tracking, contrary to all of the FBI's testimony before the predecessor of this very subcommittee that CALEA was not intended to impose a location tracking capability mandate on cell phone companies. Yet what is the legal standard for the Government to get access to location tracking information? This is a growing issue of concern to Internet service providers who, increasingly through the hand-held devices, will be tracking the location of users in order to provide them with targeted advertisements and other things like that.

    The Justice Department claims to find in the so-called 2703(d) provision authority to compel the tracking of cell phone users, but 2703(d) does not meet the fourth amendment probable cause standard. That is another area in which CALEA and the legal standards intersect, and CALEA is being used to push the technology forward before the legal standards are fully in place.

    If you look internationally, the big issue there is that neither title III, the criminal wiretap law, nor FISA, the Foreign Intelligence Surveillance Act, have any extraterritorial application, and we are seeing more operational activity, appropriately, by U.S. law enforcement agencies overseas, and we are seeing FISA being used more in cases that turn into criminal cases, which was intended to be rare at best, and yet overseas those statutes have no application, and now we have a global communications network.

    So I would like to see extension of those statutes so that wiretaps, and electronic surveillance activity by the U.S. Government overseas, at least where a law enforcement purpose is in mind, would be subject to the same rules here because of the global nature of these communication networks where American citizens are communicating overseas.

    Mr. BARR. Thank you.

    We will have a little more time after you, Mr. Chairman?

    Mr. CANADY. If you want to go ahead, and I will conclude briefly. The gentleman will have 5 additional minutes.

    Mr. BARR. One other area relating to CALEA, and I would appreciate Mr. Fred Baker being here, this came up recently with the IETF developing policy of CALEA's applicability to the Internet in building in facilitating technology to make it easier for the Government to tap into the Internet. I appreciate Mr. Baker and his colleagues at least up to this point holding the line on that.

    Mr. Nojeim, you are very familiar, of course, with the various types of surveillance we are talking about here. What is the Internet or private Internet communications most like? Is it most like a letter where you have one standard for a postal cover and another to actually go into the letter? Is it more like a newspaper, as the FCC seems to want us to believe? Is it more like a telephone call, or is it something different entirely? To me it is much more like a telephone call, but is that your view based on all of your work?

    Mr. NOJEIM. It is, and really the balance that Congress struck back in 1986, I don't know that it makes entirely good sense today. It seems to me that the mere fortuity that a message is stored, stored almost immediately or has been accessed, I don't know that that turns it into something that looks so much more like a letter versus a voice communication that it ought to have such a diminished expectation of privacy. But that is what happened back in 1986, and maybe it is worth rethinking that today and at least raising some of those standards in section 2703 that are there right now.

    Mr. BARR. Are you familiar with the specific requests that the FBI has made in the upcoming budget cycle for what was referred to today in the newspaper as Digital Storm? Are you familiar—I think they have asked for what for them, I suppose, is a very modest amount, I think $25 million or whatnot, to get started in this area. Are you familiar with that, or is anybody familiar specifically with what they are asking for? And where this will lead us if we allow them to start doing this?

    Mr. DEMPSEY. What it illustrates is that up until now part of the constraint on Government surveillance has been the practical limitations of having to have somebody listen, transcribe, index transcripts of intercepts. What Digital Storm and the associated programs mentioned in the budget documents represent is an effort to bring computer processing power to bear on that problem, eliminating the practical, resource limitations.

    At that point, we are only left with the legal limitations. More and more information is out there available to the Government not only in electronic communications, but in stored records and transactional records. To be able to apply digital analytic capabilities to that, to be able to link it, analyze it, do text word searching, keyword searching means that the Government can sweep in even more information. I disagree with the concept that, well, you voluntarily put it out there, so you have voluntarily surrendered your privacy. To some extent that argument was made with the telephone conversation, well, you know, you gave it to the phone company, and it traveled over their wires, and the operator could have picked it up and listened to it. In 1967, the Supreme Court said, no, privacy should be fully protected. In 1968, Congress reinforced that and actually added additional protections.

    In 1986, with ECPA, Congress drew a distinction between what the private sector holders of that transaction information could do with it and what the Government could do with it. Our whole fourth amendment tradition flows from this concept—that we do set a higher threshold for the Government. And now we are seeing with Digital Storm where that threshold is not adequate and this private sector information is out there too. When you marry up the low legal standards with the high computing power that the FBI is seeking in this budget request, I think it does get to the point where we are potentially eliminating privacy.

    Mr. BARR. That was my final question. I have many others. Maybe we can submit some in writing, Mr. Chairman, to the witnesses as well.

    Mr. CANADY. Yes. We would appreciate the witnesses responding to any questions that members of the subcommittee may submit, and the record will remain open for responses.

    Mr. BARR. Thank you.

    My final question you sort of addressed, Mr. Dempsey, addressed for any of you all. Do any of you here feel that in just a few years we are going to have any privacy at all left unless we do something to address the issues that we are beginning to address today, given the tremendous capability, virtually limitless capability, the Government has to intercept, gather, manipulate, store electronic information, and given that the degree to which every single citizen communicates electronically, either indirectly themselves or through businesses with which they deal and people they deal with; if we don't get a handle on this, is there going to be any privacy at all left within half a dozen years?

    Mr. RICHARDS. Maybe I can begin to answer that. Jeff Richards, Internet Alliance. I think we have not yet begun to see the judgment of the marketplace and that we will. We have some earlier indications. For example, the Internet is a place where I think we will see some abuses and some self-corrections of lightning speed. An example, Real Networks. You may recollect when Real Jukebox last fall was said to collect user specific data about what musical selections users listen to. Within 6 hours Real Networks had aggressively launched a patch to that and it has changed the course not only of that company's privacy history, I think, but sensitized a whole generation of other providers. I am not suggesting that the marketplace is the total cure-all. I am saying it is a potent voice which has not yet been fully heard from.

    Mr. BARR. My concern is not so much the marketplace but Government. It is one thing for a private concern to develop consumer profiles. They don't have the capability to use that to put me in jail or to come to my house and arrest somebody. The Government does. How do we get a handle on the Government's ability to do this, not private industry?

    Mr. RICHARDS. Congressman, what I might also suggest by extension, there may be others much better qualified than I to speak to that but the principle of transparency may play here as well, that as various bodies make clear what is being collected and that the political and philosophical interplay of this body, that as Congress takes the lead here, that that become clear to citizens.

    I might add, and we made passing reference to this before, we are dealing with a global medium here. I think we should be mindful that not only are we looking at that which we as American citizens and American companies must abide with and deal with but we are dealing with the global medium which carries with it issues of jurisdiction, territoriality that we haven't begun to address here and that might be useful and, second, that there are in the United States some high levels of standards for behavior of different bodies and relationships not met in many places or most places in the world. That is another interesting aspect to all of this. What is the political leadership we wish to exert in the world of the Internet globally? I would say I don't have answers to those questions but we propose them as questions.

    Mr. STEWART BAKER. Just a quick reaction to two questions you asked. We are losing privacy, and it is inevitable that we will lose substantial amounts of privacy. The data is just too cheap and too easy to gather and there are too many reasons why we choose to give it up in some context, though we then may feel a little aggrieved when it is used in other context. But it was gone when it was first given away. I think the answer is not to say to the FBI, ''Do not use tools that are used every day by ordinary companies.''

    Data mining, which is the kind of thing that is proposed in Digital Storm, is a straightforward application of commercial technology and to deny that to the FBI would just reduce their capabilities. The best thing is to look for ways to make the FBI responsible, to assure FBI responsibility in the use of it too, to have audits on the kinds of searches that are done, to make it impossible for people to file FOIA requests saying I would like you to do a private search for me on Representative Barr and tell me everything you have got on him now, and when he dies you can tell me the rest. That is not a responsible way to handle these databases.

    It may well be that there should be a higher standard for gathering some of this information or for compiling it, but I think focusing on the way in which that data is used rather than on the fact that it is in the hands of the Government may turn out to be the best approach.

    Mr. NOJEIM. There is a risk that this activity of the FBI will circumvent some of the investigative guidelines that have been imposed on it to protect civil liberties. Let me illustrate this with an example right now. The Social Security Administration was asked by the Immigration Service to verify tens of thousands of Social Security numbers of workers in the meat packing industry in an operation called Operation Vanguard. The Social Security Administration said we can't do that. We can only do this if you have particularized suspicion that a person is working illegally at the company. We don't do this, you know, willy nilly. There has to be some level of suspicion.

    What did the Immigration Service propose to do? Go to a private company that had those Social Security numbers and could verify them. And that is a proposal that is pending right now. So what we thought was a protection——

    Mr. BARR. Has it been challenged?

    Mr. NOJEIM. It hasn't been challenged yet but it has out in the media out in Nebraska and the Midwest. It struck me as interesting that the protection that the Social Security Administration was trying to maintain for these workers was being completely circumvented by going through the private sector.

    Mr. ROSEN. Representative Barr, I think it is such an important question. I didn't want to sound too optimistic having just written a book with the subtitle the Destruction of Privacy in America, but there is some grounds for hope that we haven't discussed today. That of course is technology and technological self-help. We haven't discussed things like anonymous e-mailers and anonymity providers which are becoming very sophisticated and using strong encryption can make it possible to browse and send e-mail in ways that can't be traced by law enforcement even with a subpoena. Companies like Zero Knowledge, based in Montreal, if given a subpoena are able to turn over a list of their subscribers but can't list the pseudonyms that they assign for browsers with individual users, they are physically not able to do that. Similarly scribble technology and self-deleting e-mail that makes it possible for us to cover our electronic tracks. I mention this only because you will face important questions in the future as the Justice Department and the FBI try to resist these technologies.

    With each technological advance for privacy there is an attempted counter. In 1999 you were asked by the FBI to require anyone who encrypts information to turn over a plain text version with relatively low levels of cause and you properly resisted that. So I just would counsel some optimism about the possibilities of technology and great continued vigilance and caution on your part to ensure the technology allows us to reconstruct in the 21st century the same amount of privacy that we took for granted in the 18th century.

    Mr. BARR. Thank you.

    Mr. RICHARDS. To clarify my comment about Real Networks also. I think it is so important. That was an example where consumers and a company had major interplay and lots of media attention and the kind of high profile. A thing that we will see more of, not less of is there is some transparency about all of this. But the good news is the consumers it would appear still trust Real Networks and it worked and it worked within 12 hours and it's working 6, 8 months later. The tragedy would be if in fact privacy is destroyed because then the Internet will not reach the potential we all think it has. The golden goose will die. The international accord about the Internet that is necessary for it to work will break down and most of all, consumer confidence and trust which we know is essential at the Internet Alliance, the success of the Internet will die and wither.

    There have been a number of proposals suggested here. This seems an incredibly rich topic, not just privacy but the fourth amendment for—and one that we at the Internet Alliance are deeply concerned about. Thank you.

    Mr. BARR. Thank you.

    Mr. Chairman, can I ask unanimous consent to include in the record a letter to which I have been referring from the FCC dated April 3, my outgoing letter to the FCC dated March 28, and then the article from today's ''Washington Post'' to which I have been referring on Digital Storm be included in the record.

    [The information referred to follows:]


Congress of the United States,
Washington, DC, March 28, 2000.
Mr. ARTHUR LEVITT, JR., Chairman,
Securities and Exchange Commission,
Washington, DC.

IN RE: Online Fraud Monitoring

    DEAR CHAIRMAN LEVITT: As a Member of the House Banking and Financial Services Committee, I write to express my concern with reports that the Securities and Exchange Commission (SEC) plans to implement an automated system for monitoring Internet speech on a massive scale. In light of the serious constitutional, legal and policy questions raised by such a system, I urge you to reconsider this plan.

    To use an analogy based on current practices, the fact that telephones may be used to commit fraud does not entitle the FCC, the FBI, or the SEC to engage in wholesale monitoring of all telephone conversations. Instead, you are required to go before a court, meet constitutional and statutory requirements for a warrant, and listen only to specific conversations pursuant to the court's order. This system may seem inconvenient to you at times, but it has done a remarkably good job of protecting the privacy of American citizens without unduly hampering law enforcement. It is difficult to argue we should discard it, and adopt a new system of widespread monitoring, simply because new technologies make such monitoring possible.

    The system you are reportedly contemplating would turn current practices upside down by monitoring large portions of online speech without a court order, and sifting through that speech for items of interest to your or some other federal agency. Engaging in such a wide level of monitoring will have a chilling effect on free speech online. Furthermore, it seems likely experienced criminals can easily avoid such well-publicized and widespread monitoring, by simply encrypting their data or conducting business from offshore havens.

    While I understand the need to prevent securities fraud, federal agents should not be allowed to sift through the conversations of millions of innocent parties in order to do so. I urge you to reconsider this plan and adopt a system that is narrower in scope, and complies fully with constitutional guarantees, as well as existing statutory protections.

With kind regards, I am,

very truly yours,


BOB BARR, Member of Congress.

cc:

Hon. Jim Leach
Hon. Dick Armey


United States Securities and
Exchange Commission,
Washington, DC, April 3, 2000.
Hon. BOB BARR,
House of Representatives, Washington, DC.

    DEAR CONGRESSMAN BARR: Thank you for your letter of March 28, 2000 concerning the Commission's Internet enforcement program and our recent Request for Proposals for an automated Internet search system. I appreciate the opportunity to respond to your concerns.

    I share your commitment to safeguarding the privacy rights of all Americans. Historically, the Commission has taken great pains to respect and protect the privacy of all persons with whom it deals. We work hard to ensure compliance with constitutional and statutory privacy protections, including the Privacy Act and the Electronic Communications Privacy Act. We take these obligations as seriously when we monitor the Internet as we do in any other context.

    I agree with you that the Commission's Internet surveillance should not include private communications. It does not.

    Rather, as permitted by the Electronic Communications Privacy Act, the staff accesses only electronic materials that are ''readily accessible to the general public,'' both when conducting investigations and when engaging in other Commission business. Contrary to what has been reported in the press, the Commission staff will not monitor private, on-line communications, and the RFP does not seek technology to do so. The RFP simply seeks the ability to automate and customize the staff's searches of public sites that are already accessible to the general public through commercial search engines. This is not similar to government monitoring of private telephone conversations. It is, however, similar to reading the newspaper with the aid of a tool that helps you to find quickly and more exactly the stories in which you are interested.

    The RFP was carefully drafted to require that the contractor chosen respect the privacy of non-public communications conducted over the Internet; it expressly states that the ''[c]ontractor shall access data posted only on publicly accessible web sites and news and message servers.'' In addition, the RFP bars the contractor from using a system that would access private materials on the Internet such as ''private email correspondence, transactions or communications.''

    During the past few years, the Commission has taken significant steps to protect investors from securities fraud on the Internet. I regard these efforts as vital to ensuring the fairness and integrity of our markets. I assure you that we will continue to undertake these efforts mindful and respectful of fundamental privacy rights.

Sincerely,

Arthur Levitt, Chairman.

Title: 'Digital Storm' Brews at FBI
Subtitle: Information Technology Expansion Raises Privacy Concerns
Newspaper: The Washington Post
Date: April 6, 2000
By: ROBERT O'HARROW JR.
Washington Post Staff Writer

    In response to growing concerns about terrorism, hackers and other high-tech criminals, the Federal Bureau of Investigation is planning a series of sophisticated computer systems that would sharply increase agents' ability to gather and analyze information.

    The FBI is seeking more than $75 million in budget appropriations to continue a massive information technology expansion, which includes a system dubbed ''Digital Storm'' that eases the court-sanctioned collection and electronic sifting of traffic on telephones and cellular phones.

    Another proposed system would create ''the foundation for an up-to-date, flexible digital collection infrastructure'' for wiretaps under the Foreign Intelligence Surveillance Act. A third initiative would develop an ''enterprise database'' that would enable agents to analyze huge amounts of data and share them via a secure World Wide Web-style network. The bureau has also formed a privacy council to review the use of data and protect against unwarranted intrusions into innocent Americans' lives, a concern raised by privacy advocates.

    FBI officials said the bureau's information technology systems are aging and need to be updated to keep pace with criminal activities both on the Internet and offline.

    ''Our crimes that we're investigating today have a much more national and global scale,'' said Deputy Assistant Director Edward Allen. ''And it's so much faster-paced. It becomes much more critical that we communicate more comprehensively.''

    The proposals follow a series of bureau initiatives in recent years to gain more authority to conduct wiretaps, crack encrypted documents and subpoena computer-related information. FBI officials believe that the new data surveillance capability is crucial to the bureau's strategic goal of deterring major criminal acts through surveillance and intelligence-gathering.

    ''The [information technology] demanded of this plan presently does not exist within the FBI, but is at the core of activities to be implemented,'' the budget documents state.

    But civil liberties activists, legislators and legal specialists are alarmed that the bureau's proposals could erode constitutional protections that limit government searches, with almost no discussion to date about the implications on Capitol Hill.

    The initiatives apparently would not require an expansion of FBI powers under existing law. But critics said the linking of scattered sources of information would lead to a huge increase in data collection and analysis.

    In its budget documents, for example, the FBI estimates that technological advances would so improve the ability to conduct wiretaps that the number of approved taps would grow by 300 percent over the next decade. Allen played down that figure, saying it was the result of a ''poor analysis'' and probably would be much lower.

    The agency would also continue expanding its use of commercial databases containing credit information, real estate records, vehicle registrations and a plethora of other personal details.

    The budget says ''the explosion and availability of open source information, and the number of information bases and data sources that can and should be searched becomes formidable.''

    ''They're not merely talking about making more efficient use of information they already have,'' said James Dempsey, senior staff counsel at the Center for Democracy and Technology, an advocacy group in the District. ''They're talking about casting a wider net and sweeping in vastly more information.''

    Others, such as Stewart Baker, former general counsel for the National Security Agency, say the FBI already has tremendous power and little oversight.

    ''They're acting within the law, but it's fair to be nervous about that,'' said Baker, a partner at the law firm Steptoe & Johnson and a member of a privacy advisory board at the Federal Trade Commission. ''An awful lot of information can be gathered with only a modest amount of justification.''

    Rep. Robert L. Barr Jr. (R–Ga.) said the FBI has focused so tightly on preventing terrorist activity that it has virtually ignored the implications of its plans, at least publicly. ''They're saying, 'We need to do whatever it takes,' '' Barr said.

    Barr will raise his concerns at a hearing today of the Constitution subcommittee of the House Judiciary Committee. The subcommittee will explore the adequacy of privacy protections under current laws.

    ''The reason we're focusing on this now . . . because of the government's ability to gather, store and manipulate massive amounts of data,'' Barr said.

    The FBI's Allen acknowledged that the bureau's ability to manage that data will soar with the new technology. But he said bureau employees will have only restricted access to the databases, and that there already are legal restraints on wiretaps and other surveillance. Agents seeking a wiretap, for instance, will still have to receive court approval and then make regular reports to the judge about the progress of the case.

    Allen also said that the FBI will include software that tracks who accesses files in order to create an audit trail.

    The bureau is seeking $15 million for Digital Storm, a digital surveillance system that helps agents monitor telephone calls and analyze computerized recordings under federal Title III wiretap authority. Other law enforcement agencies use similar systems. A similar program for monitoring under the Foreign Intelligence Surveillance Act (FISA) would cost $10 million next year.

    Information from Digital Storm and the FISA system would be fed into new in-house databases known as Casa De Web. It would enable agents and other authorities to use Web browsers to instantly upload the results of surveillance or other evidence. It also would archive ''audio, data, and reports produced on these collection systems,'' the budget states.

    ''It facilitates the sharing of electronic surveillance evidentiary data . . . and intelligence . . . between FBI field offices,'' the budget documents said in the $10 million request for Casa De Web.

    The bureau also is asking Congress for $41 million for an Information Sharing Initiative. That program, begun last year, calls for the creation of a giant ''enterprise database'' and an array of other technological improvements that would give the bureau ''a robust intelligence capability.''

    Carolyn Morris, head of the bureau's information resources division, noted that the ''enterprise database''—essentially a data warehouse—would contain the same information the bureau already collects. ''A lot of people think it's going to be something entirely new,'' she said. ''It isn't.''

    But the database would give analysts the unprecedented ability to conduct ''data mining'' on vast mountains of digital records for patterns or clues now buried in paper files or scattered in unlinked FBI computers.

    ''You've got to have an electronic repository for everything you collect . . . which means you can mine it, look for links,'' Morris said.

    At the same time, Morris said, the bureau is sensitive to Americans' privacy concerns. Several months ago, the bureau created a privacy council led by Patrick Kelley, deputy general counsel and the senior privacy officer. Among other things, the council will develop privacy rules for databases with 10,000 or more records.

    ''Our goal is to ensure that there are no unwarranted invasions of personal privacy and to balance the interests'' of investigators and individual citizens.

    In a speech to a Senate Appropriations subcommittee in February, FBI Director Louis J. Freeh warned of a coming wave of Internet crime and Web-based terrorism.

    ''I am confident that once the scope of the problem is clear, we can work together to develop the capabilities to meet the computer crime problem, in all its facets, head on,'' Freeh said to the subcommittee for the departments of Commerce, Justice, State and the judiciary. ''Our economy and public safety depend on it.''

    Dempsey, of the Center for Democracy and Technology, said federal agents need to be as technologically savvy as criminals and terrorists. But he said limits are needed to protect innocent people.

    ''As we rush forward into this digital storm, we need to consider the rules by which the government uses these techniques to collect information about Americans,'' he said.

    Mr. CANADY. Without objection, it is so ordered. Thank you, Mr. Barr.

    I want to thank all the members of the panel. The hour is late. I want to ask one question, which is along a different line. It goes back to the comments that Professor Rosen made, the background for where we are today. And I think that—let me just frame it this way. How did we get from the Wilkes case to the Packwood case? Why is it that the law moved in that direction?

    Mr. ROSEN. It is such a fascinating question. I think the answer has to do with the New Deal regulatory state. The basic idea is that in the Progressive Era, it became clear that if you really had robust protection for private papers, so much that the Government couldn't force you to turn over a subpoena for plate glass, that was the question in the Boyd case, then enforcing tax laws and environmental laws and the growing regulatory State would become impossible. It would stop the Government in its tracks. So it was those cases, it is really an interesting legal history question. It started in the Progressive Era, got up and going in the New Deal. But it was during the late 19th century that the courts began saying subpoenas are not searches. They are not governed by the fourth amendment. In the Wilkes case it was obvious that either a subpoena or warrant would be a search. You are physically seizing information. Legal fictions began to be created in order to keep the regulatory State up and running.

    So that was one aspect of it. We also abandoned—you will stop my professorial instincts because it is my favorite subject. I can go on about this.

    Mr. CANADY. I will read your book.

    Mr. ROSEN. Please do. The idea that mere evidence couldn't be seized especially for paper searches in civil cases, this basic aspect of English common law was abandoned by that wide-eyed liberal Justice William Brennan. He was the one in the 1960's in the Warden v. Hayden case who abandoned the mere evidence rule and said it doesn't make any sense to distinguish between papers and other kinds of evidence so it was basically a notion that it would be very hard to keep the Government up and going. Now, the diaries question is still open despite Judge Jackson's ruling. The Supreme Court has never definitively ruled there is absolutely no protection for private papers. If this is a question that resonates so deeply with people, I don't see why you as a body might consider creating some kind of legislative protection for genuinely private papers if the Court won't do it. It requires line drawing: someone, whether it is a special master or some sort of filtering mechanism, has to decide what is private and what is public. This is something that everyone is upset about, the idea that a diary could be seized and the fact that this crucial protection has been whittled away is something that hasn't been widely noticed and you have it within your power to resurrect it.

    Mr. FISHMAN. The difficulty, if I may, is defining private papers. My recollection is that Senator Packwood dictated his diary to his official secretary and so one could logically argue that it was no longer a private diary because he was actually using a publicly paid secretary to write it all down. How we define which papers are so private they can't be reached by subpoena or could only be reached in terrorism cases, is an enormous challenge and it is a challenge that certainly should not be taken lightly. It may be an appropriate way for the Congress to look at these issues.

    Mr. CANADY. Evening is upon us so I want to once again thank all of you. Your testimony has been extremely interesting and informative for the subcommittee. I suspect that the subcommittee and other subcommittees of the Congress will be spending a great deal of time dealing with these issues in the future.

    Thank you very much. The subcommittee stands adjourned.

    [Whereupon, at 6:15 p.m., the subcommittee was adjourned.]











(Footnote 1 return)
Boyd v. United States, 116 U.S. 616, 630–32, 6 S.Ct. 524, 532–33, 29 L.Ed. 746 (1886).


(Footnote 2 return)
Bohach v. Reno, 932 F. Supp. 1232, 1234 & n.2 (1996) (quoting Laurie Thomas Lee, Watch Your E-Mail! Employee E-Mail Monitoring and Privacy Law in the Age of the ''Electronic Sweatshop'', 28 J. Marshall L. Rev. 139, 148 (1994)).


(Footnote 3 return)
Whitfield Diffie and Susan Landau, Privacy on the Line: The Politics of Wiretapping and Encryption (Cambridge, MA: MIT Press, 1998), pp. 128–29.


(Footnote 4 return)
Albert W. Alschuler, Interpersonal Privacy and the Fourth Amendment, 4 N. Ill. L. Rev. 1, 24 (1983).


(Footnote 5 return)
Smith v. Maryland, 442 U.S. 735, 743–44 (1979) (emphasis removed).


(Footnote 6 return)
Id. at 750. See also United States v. Miller, 425 U.S. 435, 455 (1976) (Marshall, J., dissenting) (citing California Bankers Assn. v. Shultz, 416 U.S. 21, 96 (1974) (Marshall, J., dissenting)).


(Footnote 7 return)
See Alschuler, supra note 17, at 6–8 & n.12. Alschuler stresses that when the government intrudes on property interests in persons, houses, papers, and effects, with or without physical trespass, judges shouldn't have to inquire into cultural expectations of privacy. They should only speculate about cultural expectations, he argues, when evaluating invasions of privacy that take place outside this property-based Fourth Amendment core.


(Footnote 8 return)
David Brin, The Transparent Society: Will Technology Force Us to Choose Between Privacy and Freedom? 69 (1998).


(Footnote 9 return)
In a desperate effort to get the police to respond to an attack on her son, the woman told a dispatcher he had been shot rather than beaten. See Weber v. Dell, 804 F.2d 796, 798–99 (2d Cir. 1986).


(Footnote 10 return)
See, e.g., James X. Dempsey, Communications Privacy in the Digital Age: Revitalizing the Federal Wiretap Laws to Enhance Privacy, 8 Alb. L.J. Sci. & Tech. 65, 75 (1997).


(Footnote 11 return)
Raphael Winick, Searches and Seizures of Computers and Computer Data, 8 Harv. J.L. & Tech. 75, 105–106 (1994) (citing United States v. Tamura, 694 F.2d 591, 595–96 (9th Cir. 1982)) (discussing the Intermingled Records Doctrine in the Tamura and Steve Jackson Games cases). See also United States v. Shilling, 826 F.2d 1365, 1369 (4th Cir. 1987).


(Footnote 12 return)
Winick, supra note 15, at 107.


(Footnote 13 return)
''The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.''


(Footnote 14 return)
See, e.g., Hoffa v. U.S., 385 U.S. 293 (1966), and cases cited infra.


(Footnote 15 return)
Smith v. Maryland, 442 U.S. 735 (1979).


(Footnote 16 return)
California v. Greenwood, 486 U.S. 35 (1988).


(Footnote 17 return)
Jaffee v. Redmond, 518 U.S. 1, 9 (1996); United States v. Nixon, 418 U.S. 683, 709 (1974); Trammel v. United States, 445 U.S. 40, 51 (1980); United States v. Bryan, 339 U.S. 323, 331 (1950).


(Footnote 18 return)
U.S. v. Miller, 425 U.S. 435 (1976).


(Footnote 19 return)
Fisher v. U.S., 425 U.S. 391 (1976); U.S. v. Doe, 465 U.S. 605 (1984).


(Footnote 20 return)
Other legal issues arise if the person who receives the subpoena is my attorney, my spouse, or someone else with whom I have a privileged relationship.


(Footnote 21 return)
18 U.S.C. §2511.


(Footnote 22 return)
18 U.S.C. §1702.


(Footnote 23 return)
18 U.S.C. §2515, 2516, 1518. See generally C. Fishman & A. McKenna, Wiretapping and Eavesdropping (2d. ed., West Group, 1995).


(Footnote 24 return)
Ex Parte Jackson, 96 U.S. 727 (1878).


(Footnote 25 return)
The Government for tactical or practical reasons may prefer not to subpoena X, but the law clearly permits it to do so.


(Footnote 26 return)
There are other legal privileges that may also apply, but those are the main ones.


(Footnote 27 return)
For a more detailed discussion of these issues, see C. Fishman & A. McKenna, Wiretapping and Eavesdropping chapter 26 (2d. ed., West Group, 1995 & ann. supp.).


(Footnote 28 return)
18 U.S.C. §2516(3).


(Footnote 29 return)
Ex Parte Jackson, 96 U.S. 727 (1878), supra. Likewise, if the Government sought to search my home or office to examine my private papers, it would first have to obtain a search warrant from a judge.


(Footnote 30 return)
18 U.S.C. §2703(a).


(Footnote 31 return)
18 U.S.C. §2703(b)(1)(A).


(Footnote 32 return)
See note 5, supra.


(Footnote 33 return)
18 U.S.C. §2703(b)(1)(B).


(Footnote 34 return)
18 U.S.C. §2703(d).


(Footnote 35 return)
18 U.S.C. §2705.


(Footnote 36 return)
18 U.S.C. §2703(b)(1).


(Footnote 37 return)
The Government could also subpoena these items from me, but doing so would raise the Fifth Amendment complications I discussed earlier.


(Footnote 38 return)
18 U.S.C. §3121–3126.


(Footnote 39 return)
Reno v. ACLU, 521 U.S. 844 (1997).


(Footnote 40 return)
Blumenthal v. Drudge, 992 F. Supp. 44, 48 n.7 (D.D.C. 1998).


(Footnote 41 return)
American Libraries Ass'n. v. Pataki, 969 F. Supp. 160, 161 (S.D.N.Y. 1997).


(Footnote 42 return)
See, e.g., Patrick Ross, SEC Faulted on Hill for Possible Online Privacy Violations, Communications Daily, April 5, 2000 at 9.


(Footnote 43 return)
U.S. Const., amend. IV


(Footnote 44 return)
Olmstead v. United States, 277 U.S. 438, 464 (1928).


(Footnote 45 return)
Id.


(Footnote 46 return)
Id. at 472–73 (Brandeis, J., dissenting).


(Footnote 47 return)
Id. at 473–74 (internal quotations omitted).


(Footnote 48 return)
389 U.S. 347, 351 (1967).


(Footnote 49 return)
Katz, 389 U.S. at 352.


(Footnote 50 return)
Id. at 353.


(Footnote 51 return)
Omnibus Crime Control and Safe Streets Act of 1968, Pub. L. No. 90–351, §801–804, 82 Stat. 197, 211–25. See H.R. Rep. No. 827, 103d Cong., 2d Sess., pt. 1, at 3492, 3493 (1994), reprinted in 1995 U.S.C.C.A.N. 3489, 3491 (''H. Rep. 103–827'').


(Footnote 52 return)
Id.


(Footnote 53 return)
Id., quoting Senate Committee on the Judiciary, Omnibus Crime Control and Safe Streets Act of 1967, S. Rep. No. 1097, 90th Cong., 2d Sess. 66 (1968).


(Footnote 54 return)
Application of the United States for Relief, 427 F.2d 639, 643–44 (9th Cir. 1970).


(Footnote 55 return)
18 U.S.C. §2518(4).


(Footnote 56 return)
Electronic Communications Privacy Act of 1986, 100 Stat. 1848, Pub. L. No. 99–508 (1986).


(Footnote 57 return)
See S. Rep. No. 541, 99th Cong., 2d Sess. 1 (1986), reprinted in 1986 U.S.C.C.A.N. 3555.


(Footnote 58 return)
H. Rep. 103–827 at 3492, citing and quoting House Committee on the Judiciary, Electronic Communications Privacy Act of 1986, H.R. No. 99–647, 99th Cong., 2d Sess., pt. 2, at 19 (1986).


(Footnote 59 return)
S. Rep. No. 541, 99th Cong., 2d Sess. 1 (1986), reprinted in 1986 U.S.C.C.A.N. 3555.


(Footnote 60 return)
Office of Technology Assessment, Electronic Surveillance and Civil Liberties 11 (OTA–CIT–293, October 1985).


(Footnote 61 return)
Id. at 11–12.


(Footnote 62 return)
Id. at 11.


(Footnote 63 return)
S. Rep. 99–541, 99th Cong., 2d Sess. 1–2 (Oct. 17, 1986).


(Footnote 64 return)
Id. at 2.


(Footnote 65 return)
Id. at 3.


(Footnote 66 return)
Id. at 5.


(Footnote 67 return)
See Electronic Surveillance and Civil Liberties, supra at 32.


(Footnote 68 return)
Id. See Senate Select Committee to Study Governmental Operations With Respect to Intelligence Activities, 94th Cong., 2d Sess. (1976) (''Church Committee Report'').


(Footnote 69 return)
Church Committee Report, Vol. III at 273.


(Footnote 70 return)
Id. at 274.


(Footnote 71 return)
See, e.g., Charles L. Lindner, Can the L.A. Criminal Justice System Work Without Trust?, LA Times (April 26, 1998) (describing fraudulent methods by which police obtain warrants and revealing that for the past thirteen years law enforcement authorities in Los Angeles have ignored the legal requirement to keep an inventory of tapped conversations as a prerequisite to continuing authorization).


(Footnote 72 return)
Bureau of Justice Statistics, Sourcebook of Criminal Justice Statistics—1992.


(Footnote 73 return)
Communications Assistance for Law Enforcement Act, Pub. L. No. 103–414, 108 Stat. 4279 (1994).


(Footnote 74 return)
H. Rep. 103–827 at 3492.


(Footnote 75 return)
Id. at 3496.


(Footnote 76 return)
Id. at 3502.


(Footnote 77 return)
Id. at 3497, 3502.


(Footnote 78 return)
Id. at 3490.


(Footnote 79 return)
47 U.S.C. §1002(a)(4)(A).


(Footnote 80 return)
Id. §1002(a)(2); H. Rep. 103–827 at 3498.


(Footnote 81 return)
8 U.S.C §2516(1); H. Rep. 103–827 at 3497.


(Footnote 82 return)
18 U.S.C. §2703; H. Rep. 103–827 at 3490.


(Footnote 83 return)
H. Rep. 103–827 at 3500.


(Footnote 84 return)
Id. at 3489, 3503–04.


(Footnote 85 return)
See, e.g., S. 2092, 106th Cong., 2d Sess., introduced February 24, 2000.


(Footnote 86 return)
Smith v. Maryland, 442 U.S. 735 (1979).


(Footnote 87 return)
Id. at 742.


(Footnote 88 return)
United States v. New York Tel. Co., 434 U.S. 159, 167 (1977).


(Footnote 89 return)
Authorization to intercept electronic communications requires a showing of probable cause that the target has committed a specified felony. 18 U.S.C. §2516, 2518. The request for such an order must state with particularity information regarding the facts relied upon by the applicant, the crime at issue, the individuals suspected of committing the offense, and the type of communications to be intercepted.


(Footnote 90 return)
18 U.S.C. §3123(a).


(Footnote 91 return)
The Electronic Frontier at 37.


(Footnote 92 return)
Pursuant to reports to Congress required by 18 U.S.C. §3126, DOJ obtains approximately 3,000 pen register orders and 2,000 trap and trace orders per year. Additionally, a total of 1,329 authorizations were issued for communications interceptions in 1998, of which 566 were requested by the Federal government. 1999 Report of the Director of the Administrative Office of the United States Courts on Applications for Orders Authorizing or Approving the Interception of Wire, Oral, or Electronic Communications, Table 2, at 14.


(Footnote 93 return)
H. Rep. 103–827 at 3497.


(Footnote 94 return)
18 U.S.C. §3127(3).


(Footnote 95 return)
18 U.S.C. §3127(4). In addition, Section 3123(b)(1)(A) requires the government to identify the person to whom the ''telephone line'' is leased, and Section 3124 requires the service provider or ''landlord, custodian or other person'' to ''install such device forthwith on the appropriate line.'' 18 U.S.C. §3124(b).


(Footnote 96 return)
S. Rep. No. 99–541 at 10, 99th Cong., 2d Sess., 1986, 1986 U.S.C.C.A.N. 3555 at 3564.


(Footnote 97 return)
Brown v. Waddell, 50 F.3d 285, 290–291 (4th Cir. 1995) (''As a matter of plain textual meaning, a digital display pager clone does not itself fit this definition—in the critical sense that it is not a device attached to a telephone line.'')


(Footnote 98 return)
See In the Matter of the Application of the United States of America for an Order Authorizing the Use of a Cellular Telephone Digital Analyzer, 885 F.Supp. 197, 199–200 (C.D.CA 1995) (''Digital Analyzer'').


(Footnote 99 return)
Id. at 200.


(Footnote 100 return)
Id. at 201.


(Footnote 101 return)
Id. at 201–202.


(Footnote 102 return)
The Electronic Frontier at 37.


(Footnote 103 return)
The Federal Communications Commission (''FCC'') has consistently ruled that ISPs are not ''telecommunications carriers,'' and that their facilities are distinct from the telephone system. Federal-State Joint Board on Universal Service, Report to Congress, 13 FCC Rcd. 11501 at 73 (1998); Implementation of the Telecommunications Act of 1996: Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, 13 FCC Rcd. 8061 (1998).


(Footnote 104 return)
Preston Gralla, How the Internet Works at 13 (1999) (emphasis in original).


(Footnote 105 return)
Communications Assistance for Law Enforcement Act, CC Docket No. 97–213, Third Report and Order, 14 FCC Rcd 16794, 16819 (1999) (''CALEA Order'').


(Footnote 106 return)
Id. at 16820.


(Footnote 107 return)
610 N.E.2d 374, 376–377 (N.Y. 1993).


(Footnote 108 return)
See People v. Mendola, 619 N.Y.S.2d 901 (N.Y. App. Div. 1994).


(Footnote 109 return)
706 N.E.2d 731, 737 (N.Y. 1998).


(Footnote 110 return)
United States v. Hambrick, 55 F. Supp.2d 504, 507–508 (W.D. Va. 1999). Cf. McVeigh v. Cohen, 983 F. Supp. 215 (D.D.C. 1998).


(Footnote 111 return)
Tucker v. Waddell, 83 F.3d 688, 691–692 (4th Cir. 1996) (''§2703(c) [of ECPA] does not expressly proscribe any action by governmental entities or their employees. Rather, §2703(c) only prohibits the actions of providers of electronic communications services and remote computing services.'').


(Footnote 112 return)
18 U.S.C. §2707(e)(1), 3124(e).


(Footnote 113 return)
Hambrick, 55 F.Supp.2d at 509.


(Footnote 114 return)
See In re Application of the United States of America for an Order Pursuant to 18 U.S.C. 2703(d), 36 F.Supp.2d 430, 432–433 (1999).


(Footnote 115 return)
Id.


(Footnote 116 return)
This information ultimately proved to be mistaken. However, the device the government installed was similar to EtherPeek.


(Footnote 117 return)
ECPA permits the service provider to file a motion with an issuing court to clarify or quash an overly burdensome court order. 18 U.S.C. §2073(d).


(Footnote 118 return)
''Public Workshop on Consumer Privacy on the Global Information Infrastructure'' (''Report'') (December 1996, Federal Trade Commission), available at http://www.ftc.gov/reports/privacy/privacy1.htm.


(Footnote 119 return)
The FTC announced four necessary elements to protecting consumer privacy online: (1) Notice to consumers about how personal information collected online is used; (2) Choice for consumers about whether and how their personal information is used; (3) Security of personal information, if commerce in cyberspace is to flourish on the Internet; and (4) Access for consumers to their own personal information to ensure accuracy. See Report.


(Footnote 120 return)
EU Directive on Data Protection, Directive 95/46/EC, available at http://www.doc.gov/ecommerce/eudir.htm; Personal Information Protection and Electronic Documents Act, Canada House of Commons Bill C–6 (December 1999), available at http://www.parl.gc.ca/36/2/parlbus/chambus/house/bills/government/C–6/C–6—3/C–6—cover-E.html; see also Jeri Clausing, ''Europe and U.S. Reach Data Privacy Pact,'' New York Times (Mar. 15, 2000), http://www.nytimes.com/library/tech/00/03/biztech/articles/15privacy.html (U.S. agrees to ''safe harbor'' principles for U.S. companies to transfer personal data of EU residents).


(Footnote 121 return)
Children's Online Privacy Protection Act of 1998, 144 Cong. Rec. H11240–42 (Oct. 19, 1998); Gramm-Leach-Bliley Act, Title V, available at http://www.occ.treas.gov/ftp/regs/npr0203.pdf; ''HHS Proposes First-Ever National Standards To Protect Patient's Personal Medical Records,'' U.S. Dept. of Health and Human Services (Oct. 29, 1999), available at http://aspe.os.dhhs.gov/admnsimp/nprm/press4.htm.


(Footnote 122 return)
See, e.g., Bieles v. Alexa Internet and Amazon.com, No. C 00 0187, (N.D. Cal. Jan 14, 2000); Donaldson v. DoubleClick, No. 00CIV. 0696, (S.D.N.Y. Feb. 1, 2000); Healy v. DoubleClick, No. 00 CIV. 0641, (S.D.N.Y., Jan. 31, 2000); Judnick v. DoubleClick, No. CV 000421, (Cal. Super. Ct., County of Marin Jan. 27, 2000); Keel v. RealNetworks, No. C99–1817 (W.D. Wash. Nov. 10, 1999); Lair v. RealNetworks, No. C99–1819 (W.D.Wash. Nov. 12, 1999); Newby v. Alexa Internet and Amazon.com, No. C 00 0054 (N.D.Cal. Jan. 6, 2000); Olsen v. RealNetworks, No. C99–1835 (W.D.Wash. Nov. 12, 1999); Scarangella v. RealNetworks, No. C99–1865 (W.D. Wash. Nov. 17, 1999); Universal Image v. Yahoo, No. 99–13839–b, (County Court, Dallas County, Texas Dec. 20, 1999).


(Footnote 123 return)
U.S. Const., Amend. IV; Olmstead v. U.S., 277 U.S. 438, 478 (1928) (Brandeis, J., dissenting) (''the right to be let alone—the most comprehensive of rights and the right most valued by civilized men. To protect that right, every unjustifiable intrusion by the government upon the privacy of the individual, whatever the means employed, must be deemed a violation of the Fourth Amendment'').


(Footnote 124 return)
Katz v. U.S., 389 U.S. 347 (1967).


(Footnote 125 return)
California v. Greenwood, 486 U.S. 35, 39 (1988) (warrant to search garbage not required because expectation of privacy ends at the curtilage of the property).


(Footnote 126 return)
See, e.g., McIntyre v. Ohio Elections Commission, 514 U.S. 334, 342 (1995) (striking state law prohibiting distribution of anonymous campaign literature as in violation of First Amendment); ACLU v. Miller, 977 F. Supp. 1228, 1231 (N.D. Ga. 1997) (striking criminal law outlawing falsely identifying oneself online); Rancho Publications v. Superior Court, 68 Cal. App. 4th 1538 (1999) (holding plaintiff could not establish a compelling interest in breaching anonymity of persons who placed a newspaper ad critical of plaintiff).


(Footnote 127 return)
NAACP v. Alabama, 357 U.S. 449, 462 (1958) (holding that NAACP could not be forced to disclose its membership list).


(Footnote 128 return)
18 U.S.C. §2710.


(Footnote 129 return)
H. Rep. No. 647, 99th Cong., 2d Sess. 18 (1986).


(Footnote 130 return)
18 U.S.C. §2510(15).


(Footnote 131 return)
18 U.S.C. §2711.