SPEAKERS CONTENTS INSERTS
Page 1 TOP OF DOC67343
ELECTRONIC COMMUNICATIONS PRIVACY ACT OF 2000, DIGITAL PRIVACY ACT OF 2000 AND NOTICE OF ELECTRONIC MONITORING ACT
SUBCOMMITTEE ON THE CONSTITUTION
COMMITTEE ON THE JUDICIARY
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTH CONGRESS
H.R. 5018, H.R. 4987 and H.R. 4908
SEPTEMBER 6, 2000
Page 2 PREV PAGE TOP OF DOCSerial No. 138
Printed for the use of the Committee on the Judiciary
For sale by the U.S. Government Printing Office
Superintendent of Documents, Congressional Sales Office, Washington, DC 20402
COMMITTEE ON THE JUDICIARY
HENRY J. HYDE, Illinois, Chairman
F. JAMES SENSENBRENNER, Jr., Wisconsin
BILL McCOLLUM, Florida
GEORGE W. GEKAS, Pennsylvania
HOWARD COBLE, North Carolina
LAMAR S. SMITH, Texas
ELTON GALLEGLY, California
CHARLES T. CANADY, Florida
BOB GOODLATTE, Virginia
STEVE CHABOT, Ohio
BOB BARR, Georgia
WILLIAM L. JENKINS, Tennessee
ASA HUTCHINSON, Arkansas
EDWARD A. PEASE, Indiana
CHRIS CANNON, Utah
JAMES E. ROGAN, California
LINDSEY O. GRAHAM, South Carolina
Page 3 PREV PAGE TOP OF DOCMARY BONO, California
SPENCER BACHUS, Alabama
JOE SCARBOROUGH, Florida
DAVID VITTER, Louisiana
JOHN CONYERS, Jr., Michigan
BARNEY FRANK, Massachusetts
HOWARD L. BERMAN, California
RICK BOUCHER, Virginia
JERROLD NADLER, New York
ROBERT C. SCOTT, Virginia
MELVIN L. WATT, North Carolina
ZOE LOFGREN, California
SHEILA JACKSON LEE, Texas
MAXINE WATERS, California
MARTIN T. MEEHAN, Massachusetts
WILLIAM D. DELAHUNT, Massachusetts
ROBERT WEXLER, Florida
STEVEN R. ROTHMAN, New Jersey
TAMMY BALDWIN, Wisconsin
ANTHONY D. WEINER, New York
THOMAS E. MOONEY, SR., General Counsel-Chief of Staff
JULIAN EPSTEIN, Minority Chief Counsel and Staff Director
Page 4 PREV PAGE TOP OF DOCSubcommittee on the Constitution
CHARLES T. CANADY, Florida, Chairman
HENRY J. HYDE, Illinois
ASA HUTCHINSON, Arkansas
SPENCER BACHUS, Alabama
BOB GOODLATTE, Virginia
BOB BARR, Georgia
WILLIAM L. JENKINS, Tennessee
LINDSEY O. GRAHAM, South Carolina
MELVIN L. WATT, North Carolina
MAXINE WATERS, California
BARNEY FRANK, Massachusetts
JOHN CONYERS, Jr., Michigan
JERROLD NADLER, New York
CATHLEEN CLEAVER, Chief Counsel
BRADLEY S. CLANTON, Counsel
JONATHAN A. VOGEL, Counsel
PAUL B. TAYLOR, Counsel
C O N T E N T S
September 6, 2000
Page 5 PREV PAGE TOP OF DOC
TEXT OF BILLS
Canady, Hon. Charles T., a Representative in Congress From the State of Florida, and chairman, Subcommittee on the Constitution
Corn-Revere, Robert, attorney, Hogan & Hartson L.L.P., Washington, DC
Dempsey, James X., senior staff counsel, Center for Democracy and Technology
DiGregory, Kevin, Deputy Associate Attorney General, Department of Justice
Maltby, Lewis, president, National Workrights Institute
Nojeim, Gregory T., legislative counsel, American Civil Liberties Union
Page 6 PREV PAGE TOP OF DOC
Overly, Michael, Foley & Lardner
Rotenberg, Marc, executive director, Electronic Privacy Information Center
Schumer, Hon. Charles, a U.S. Senator From the State of New York
Segarnick, Kenneth, assistant general counsel, United Messaging
LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING
Canady, Hon. Charles T., a Representative in Congress From the State of Florida, and chairman, Subcommittee on the Constitution: Prepared statement
Conyers, Hon. John, Jr., a Representative in Congress From the State of Michigan: Prepared statement
Corn-Revere, Robert, attorney, Hogan & Hartson L.L.P., Washington, DC: Prepared statement
Dempsey, James X., senior staff counsel, Center for Democracy and Technology: Prepared statement
DiGregory, Kevin, Deputy Associate Attorney General, Department of Justice: Prepared statement
Page 7 PREV PAGE TOP OF DOC
Kerr, Donald M., Assistant Director, Federal Bureau of Investigation Before the United States Senate, The Committee on the Judiciary, September 6, 2000
Maltby, Lewis, president, National Workrights Institute: Prepared statement
Nadler, Hon. Jerrold, a Representative in Congress From the State of New York: Prepared statement
Nojeim, Gregory T., legislative counsel, American Civil Liberties Union: Prepared statement
Overly, Michael, Foley & Lardner: Prepared statement
Rotenberg, Marc, executive director, Electronic Privacy Information Center: Prepared statement
Schumer, Hon. Charles, a U.S. Senator From the State of New York: Prepared statement
Segarnick, Kenneth, assistant general counsel, United Messaging: Prepared statement
ELECTRONIC COMMUNICATIONS PRIVACY ACT OF 2000, DIGITAL PRIVACY ACT OF 2000 AND NOTICE OF ELECTRONIC MONITORING ACT
Page 8 PREV PAGE TOP OF DOC
WEDNESDAY, SEPTEMBER 6, 2000
House of Representatives,
Subcommittee on the Constitution,
Committee on the Judiciary,
The subcommittee met, pursuant to call, at 2 p.m., in Room 2237, Rayburn House Office Building, Hon. Charles Canady [chairman of the subcommittee] presiding.
Present: Representatives Charles T. Canady, Asa Hutchinson, Bob Goodlatte, Bob Barr, Melvin L. Watt, John Conyers, Jr. and Jerrold Nadler.
Staff present: Cathleen Cleaver, chief counsel; Jonathan A. Vogel, counsel; Paul B. Taylor, counsel; Susana Gutierrez, clerk; Anthony Foxx, minority counsel; and Cori Flam, minority counsel, Committee on the Judiciary.
OPENING STATEMENT OF CHAIRMAN CANADY
Mr. CANADY. The subcommittee will be in order.
In recent hearings the subcommittee has considered issues arising from the development of the Internet as a networked global communications medium. Prior testimony before the subcommittee has shown that the expansion in the range of transactions that occur on-line, and the amount of information now stored with third-party Internet service providers have produced a qualitative change in the nature of communications and, accordingly, in the nature and amount of information that may be exposed to interception by the government and by private employers.
Page 9 PREV PAGE TOP OF DOC
As much of the information individuals formerly kept in their homes, file cabinets, wallets and purses gravitates toward new locations on the Internet's landscape, Congress must consider whether existing statutes adequately protect the rights of individuals, and whether additional legislation or oversight is necessary to ensure that legal protections of personally sensitive information keep pace with rapidly advancing technology related to electronic communication and information storage.
With these concerns in mind, the subcommittee is conducting today's hearings on H.R. 5018, the Electronic Communications Privacy Act of 2000; H.R. 4987, the Digital Privacy Act; and H.R. 4908, the Notice of Electronic Monitoring Act.
[The information referred to follows:]
H. R. 5018
To amend title 18, United States Code, to modify certain provisions of law relating to the interception of communications, and for other purposes.
IN THE HOUSE OF REPRESENTATIVES
JULY 27, 2000
Mr. CANADY of Florida (for himself and Mr. HUTCHINSON) introduced the following bill; which was referred to the Committee on the Judiciary
Page 10 PREV PAGE TOP OF DOCA BILL
To amend title 18, United States Code, to modify certain provisions of law relating to the interception of communications, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ''Electronic Communications Privacy Act of 2000''.
SEC. 2. EXCLUSIONARY RULE.
Section 2515 of title 18, United States Code, is amended
(1) by striking ''wire or oral communication'' and inserting ''wire, oral, or electronic communication'';
(2) by inserting '', or any stored electronic communication has been disclosed,'' after ''has been intercepted''; and
(3) by inserting ''or chapter 121'' after ''this chapter''.
SEC. 3. REPORTS CONCERNING THE DISCLOSURE OF STORED ELECTRONIC COMMUNICATIONS.
Section 2703 of title 18, United States Code, is amended by adding at the end the following:
''(g) REPORTS CONCERNING THE DISCLOSURE OF STORED ELECTRONIC COMMUNICATIONS.
(1) Within thirty days after the expiration of an order (or each extension thereof) entered under subsection (d), or the denial of an order approving a disclosure of stored electronic communications, the issuing or denying judge shall report to the Administrative Office of the United States Courts
(A) the fact that an order or extension was applied for;
Page 11 PREV PAGE TOP OF DOC (B) the kind of order or extension applied for;
(C) the fact that the order or extension was granted as applied for, was modified, or was denied;
(D) the period of disclosures authorized by the order, and the number and duration of any extensions of the order;
(E) the offense specified in the order or application, or extension of an order;
(F) the identity of the applying investigative or law enforcement officer and agency making the application and the person authorizing the application; and
(G) the nature of the facilities from which or the place where stored electronic communications were to be disclosed.
(2) In January of each year the Attorney General, an Assistant Attorney General specially designated by the Attorney General, or the principal prosecuting attorney of a State, or the principal prosecuting attorney for any political subdivision of a State, shall report to the Administrative Office of the United States Courts
(A) the information required by subparagraphs (A) through (G) of paragraph (1) of this section with respect to each application for an order or extension made during the preceding calendar year;
(B) a general description of the disclosures made under such order or extension, including
(i) the approximate nature and frequency of incriminating communications disclosed;
(ii) the approximate nature and frequency of other communications disclosed;
(iii) the approximate number of persons whose communications were disclosed; and
Page 12 PREV PAGE TOP OF DOC (iv) the approximate nature, amount, and cost of the manpower and other resources used in the disclosures;
(C) the number of arrests resulting from disclosures made under such order or extension, and the offenses for which arrests were made;
(D) the number of trials resulting from such disclosures;
(E) the number of motions to suppress made with respect to such disclosures, and the number granted or denied;
(F) the number of convictions resulting from such disclosures and the offenses for which the convictions were obtained and a general assessment of the importance of the disclosures;
(G) the approximate number of persons whose communications were disclosed and who were not charged with a crime; and
(H) the information required by subparagraphs (B) through (G) of this paragraph with respect to orders or extensions obtained in a preceding calendar year.
(3) In April of each year the Director of the Administrative Office of the United States Courts shall transmit to the Congress a full and complete report concerning the number of applications for orders authorizing or approving the disclosure of stored electronic communications pursuant to this chapter and the number of orders and extensions granted or denied pursuant to this chapter during the preceding calendar year. Such report shall include a summary and analysis of the data required to be filed with the Administrative Office by paragraphs (1) and (2) of this section. The Director of the Administrative Office of the United States Courts is authorized to issue binding regulations dealing with the content and form of the reports required to be filed by paragraphs (1) and (2) of this section.
SEC. 4. PEN REGISTERS.
(a) APPLICATION.Section 3122(b)(2) of title 18, United States Code, is amended to read as follows:
Page 13 PREV PAGE TOP OF DOC ''(2) a showing by the applicant that the requirements of section 3123 have been met.''.
(b) ISSUANCE OF ORDER.Section 3123 of title 18, United States Code, is amended
(1) in subsection (a), by inserting '', except that such order shall not be entered if the pen register or trap and trace device identifies an e-mail address unless the court finds that specific and articulable facts reasonably indicate that a crime has been, is being, or will be committed, and information likely to be obtained by such installation and use is relevant to an investigation of that crime'' before the period at the end; and
(2) in subparagraphs (A) and (C) of subsection (b)(1), by striking ''telephone'' and inserting ''transmission''.
(c) DEFINITIONS.Section 3127 of title 18, United States Code, is amended
(1) in paragraph (3), by inserting ''or which identify the e-mail address transmitted'' after ''attached''; and
(2) in paragraph (4), by inserting '', or which identify an e-mail address'' after ''transmitted''.
H. R. 4987
To amend title 18, United States Code, with respect to electronic eavesdropping, and for other purposes.
IN THE HOUSE OF REPRESENTATIVES
Page 14 PREV PAGE TOP OF DOCJULY 27, 2000
Mr. BARR of Georgia (for himself and Mrs. EMERSON) introduced the following bill; which was referred to the Committee on the Judiciary
To amend title 18, United States Code, with respect to electronic eavesdropping, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ''Digital Privacy Act of 2000''.
SEC. 2. REPORTING REQUIREMENTS.
Section 2703 of title 18, United States Code, is amended by adding at the end the following:
''(g) REPORTS CONCERNING COURT-ORDERED DISCLOSURE.Not later than 30 days after the expiration of (or each extension thereof) an order under subsection (d) by a Federal court, or the denial of such an order, the issuing or denying judge shall report to the Administrative Office of the United States Courts that information about the order of disclosure that would be required to be reported under section 2519 with respect to an order relating to an interception under chapter 119.''.
''(h) REPORTS CONCERNING OTHER DISCLOSURE.In April of each year, the Attorney General shall transmit to Congress a report on
''(1) the number and kind of warrants and subpoenas applied for by law enforcement agencies of the Department of Justice under this section during the preceding year;
''(2) the number of such applications granted or denied;
Page 15 PREV PAGE TOP OF DOC ''(3) with respect to each warrant or subpoena issued under this section
''(A) the number and type of communications disclosed;
''(B) the approximate number and frequency of incriminating communications disclosed;
''(C) the offense specified in the application; and
''(D) the approximate number of persons whose communications were disclosed; and
''(4) the number of arrests resulting from such warrants and subpoenas, the offenses for which those arrests were made, the number of trials resulting from such warrants and subpoenas, the number of motions to suppress made with respect to such warrants and subpoenas, the number of such motions granted or denied, the number of convictions resulting from such warrants and subpoenas, and the offenses for which the convictions were obtained and a general assessment of the importance of the warrants and subpoenas.''.
SEC. 3. EXTENSION OF EXCLUSIONARY RULE.
Section 2515 of title 18, United States Code, is amended by inserting ''or electronic communication'' after ''wire or oral communication''.
SEC. 4. ISSUANCE OF PEN REGISTER AND TRAP AND TRACE DEVICE ORDERS.
Subsection (a) of section 3123 of title 18, United States Code, is amended by striking ''the attorney for the Government'' and all that follows through the end of the subsection and inserting ''factual evidence reasonably indicates that a crime has been, is being, or will be committed, and information likely to be obtained by such installation and use is relevant to an investigation of that crime.''.
SEC. 5. GOVERNMENT ACCESS TO CONTENTS OF STORED ELECTRONIC COMMUNICATIONS.
Section 2703(a) of title 18, United States Code, is amended by striking ''one hundred and eighty days'' each place it appears and inserting ''one year''.
Page 16 PREV PAGE TOP OF DOCSEC. 6. GOVERNMENT ACCESS TO LOCATION INFORMATION.
(a) COURT ORDER REQUIRED.Section 2703 of title 18, United States Code, as amended by section 2, is further amended by adding at the end the following:
''(i) DISCLOSURE OF LOCATION INFORMATION TO GOVERNMENTAL ENTITIES.
''(1) DISCLOSURE UPON COURT ORDER.A provider of mobile electronic information generated by and disclosing the current physical location of a subscriber's equipment only if the governmental entity obtains a court order issued upon a finding that there is probable cause to believe that the equipment has been used, is being used, or is about to be used to commit a felony offense.
''(2) DISCLOSURE UPON SUBSCRIBER OR USER CONSENT.A provider of mobile electronic communication service may provide to a governmental entity information described in paragraph (1) with the consent of the subscriber or the user of the equipment concerned.''.
(b) CONFORMING AMENDMENT.Subsection (c)(1)(B) of section 2703 of title 18, United States Code, is amended by striking ''(b) of this section'' and inserting ''(b), or wireless location information covered by subsection (g)''.
H. R. 4908
To amend title 18, United States Code, to provide for the disclosure of electronic monitoring of employee communications and computer usage in the workplace.
Page 17 PREV PAGE TOP OF DOCIN THE HOUSE OF REPRESENTATIVES
JULY 20, 2000
Mr. CANADY of Florida (for himself and Mr. BARR of Georgia) introduced the following bill; which was referred to the Committee on the Judiciary
To amend title 18, United States Code, to provide for the disclosure of electronic monitoring of employee communications and computer usage in the workplace.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ''Notice of Electronic Monitoring Act''.
SEC. 2. ELECTRONIC MONITORING OF EMPLOYEE COMMUNICATIONS AND COMPUTER USAGE IN THE WORKPLACE.
(a) ELECTRONIC MONITORING.
(1) IN GENERAL.Chapter 121 of title 18, United States Code, is amended
(A) by redesignating section 2711 as section 2712; and
(B) by inserting after section 2710 the following new section 2711:
''§2711. Electronic monitoring in the workplace
''(a) IN GENERAL.(1) Except as provided in subsection (c), an employer who intentionally, by any electronic means, reads, listens to, or otherwise monitors any wire communication, oral communication, or electronic communication of an employee of the employer, or otherwise monitors the computer usage of an employee of the employer, without first having provided the employee notice meeting the requirements of subsection (b) shall be liable to the employee for relief as provided in subsection (d).
Page 18 PREV PAGE TOP OF DOC ''(2) Not later than one year after first providing notice of electronic monitoring under paragraph (1), and annually thereafter, an employer shall provide notice meeting the requirements of subsection (b) to all employees of the employer who are subject to such electronic monitoring.
''(3) Before implementing a material change in an electronic monitoring practice described in paragraph (1), an employer shall provide notice meeting the requirements of subsection (b) to all employees of the employer who are subject to electronic monitoring covered by that paragraph as a result of the change.
''(b) NOTICE.A notice meeting the requirements of this subsection is a clear and conspicuous notice, in a manner reasonably calculated to provide actual notice, describing
''(1) the form of communication or computer usage that will be monitored;
''(2) the means by which such monitoring will be accomplished and the kinds of information that will be obtained through such monitoring, including whether communications or computer usage not related to the employer's business are likely to be monitored;
''(3) the frequency of such monitoring; and
''(4) how information obtained by such monitoring will be stored, used, or disclosed.
''(c) EXCEPTION.An employer may conduct electronic monitoring described in subsection (a) without the notice required by subsection (b) if the employer has reasonable grounds to believe that
''(1) a particular employee of the employer is engaged in conduct that
''(A) violates the legal rights of the employer or another person; and ''(B) involves significant harm to the employer or such other person; and
Page 19 PREV PAGE TOP OF DOC ''(2) the electronic monitoring will produce evidence of such conduct.
''(d) CIVIL ACTION.(1) Any person aggrieved by any act in violation of this section may bring an action in a United States district court.
''(2) Subject to paragraph (3), the court in an action under this subsection may award
''(A) actual damages, but not less than liquidated damages in the amount of $5,000;
''(B) punitive damages;
''(C) reasonable attorneys' fees and other litigation costs reasonably incurred; and
''(D) such other preliminary and equitable relief as the court determines to be appropriate.
''(3)(A) The amount of monetary damages awarded an employee under paragraph (2) may not exceed $20,000.
''(B) The aggregate amount of monetary damages awarded against an employer under paragraph (2) for a given violation of this section may not exceed $500,000.
''(4) No action may be brought under this subsection unless such action is begun within 2 years from the date of the act complained of or the date of discovery of the act complained of, whichever is later.''.
(2) CLERICAL AMENDMENT.The table of sections at the beginning of that chapter is amended by striking the item relating to section 2711 and inserting the following new items:
''Sec. 2711. Electronic monitoring in the workplace.
''Sec. 2712. Definitions for chapter.''.
(b) EFFECTIVE DATE.The amendments made by subsection (a) shall take effect 120 days after the date of the enactment of this Act.
Page 20 PREV PAGE TOP OF DOC
Mr. CANADY. H.R. 5018 and H.R. 4987 would update provisions of Federal communications surveillance law by including forms of electronic information under the protection of the so-called statutory exclusionary rule, which excludes illegally obtained communications from use in evidence. The bills would require the Federal Government to produce the same annual reports regarding its requests for access to electronic information, such as e-mail, that it must currently produce regarding its requests for the use of telephone wiretaps. The bills would also allow law enforcement to obtain e-mail addresses under the statute authorizing it to obtain telephone numbers, but only when the government meets a higher standard of proof.
H.R. 4908 would require that employers give notice to their employees regarding company electronic communications monitoring practices, including notice of the kinds of information that would be obtained from such monitoring, and how the information would be stored or disclosed.
I would like to make one preliminary note of clarification with respect to H.R. 5018. There is a drafting error in section 3 of that bill. The intent of the bill is to impose disclosure requirements on the government only when it seeks the content of communications, and not when it seeks transaction records that are not considered to contain content under the Electronic Communications Privacy Act as currently written.
Consequently, the disclosure provisions of H.R. 5018 are intended to apply to government requests for the contents of electronic communications under 18 U.S.C. section 2703(a) and (b), and not to government requests for transaction records under 18 U.S.C. section 2703(d).
Page 21 PREV PAGE TOP OF DOC
The reference to subsection (d) of section 2703 on page 2, line 17 of the bill was the result of a drafting error. The reference should instead be to subsections (a) and (b) of section 2703.
With that one clarification, we will now turn to our witnesses. I look forward to hearing all of the testimony to be presented by the witnesses today.
[The prepared statement of Mr. Canady follows:]
PREPARED STATEMENT OF HON. CHARLES T. CANADY, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF FLORIDA, AND CHAIRMAN, SUBCOMMITTEE ON THE CONSTITUTION
In recent hearings the Subcommittee has considered issues arising from the development of the Internet as a networked global communications medium. Prior testimony before the Subcommittee has shown that the expansion in the range of transactions that occur ''on-line,'' and the amount of information now stored with third party ''Internet service providers'' have produced a qualitative change in the nature of communications and, accordingly, in the nature and amount of information that may be exposed to interception by the government and by private employers.
As much of the information individuals formerly kept in their homes, file cabinets, wallets, and purses, gravitates toward new locations on the Internet's landscape, Congress must consider whether existing statutes adequately protect the rights of individuals, and whether additional legislation or oversight is necessary to ensure that legal protections of personally sensitive information keep pace with rapidly advancing technology related to electronic communication and information storage.
Page 22 PREV PAGE TOP OF DOC
With these concerns in mind, the Subcommittee is conducting today's hearing on H.R. 5018, the ''Electronic Communications Privacy Act of 2000,'' H.R. 4987, the ''Digital Privacy Act,'' and H.R. 4908, the ''Notice of Electronic Monitoring Act.''
H.R. 5018 and H.R. 4987 would update provisions of federal communications surveillance law by including forms of electronic information under the protection of the so-called ''statutory exclusionary rule,'' which excludes illegally obtained communications from use in evidence. The bills would also require the federal government to produce the same annual reports regarding its requests for access to electronic information, such as e-mail, that it must currently produce regarding its requests for the use of telephone wiretaps. The bills would also allow law enforcement to obtain e-mail addresses under the statute authorizing it to obtain telephone numbers, but only when the government meets a higher standard of proof.
H.R. 4908 would require that employers give notice to their employees regarding company electronic communications monitoring practices, including notice of the kinds of information that would be obtained from such monitoring, and how the information would be stored or disclosed.
One preliminary note of clarification is in order: there is a drafting error in §3 of H.R. 5018. The intent of the bill is to impose disclosure requirements on the government only when it seeks the content of communications, and not when it seeks transaction records that are not considered to contain content under the Electronic Communications Privacy Act as currently written. Consequently, the disclosure provisions of H.R. 5018 are intended to apply to government requests for the contents of electronic communications under 18 U.S.C. §2703 (a) and (b), and not to government requests for transaction records under 18 U.S.C. §2703(d). The reference to subsection (d) of §2703 on page 2, line 17, of the bill was the result of a drafting error. The reference should instead be to subsections (a) and (b) of §2703.
Page 23 PREV PAGE TOP OF DOC
I look forward to hearing the witness' testimony on the legislation to be considered here today.
Mr. CANADY. I now recognize Mr. Watt.
Mr. WATT. Thank you, Mr. Chairman. I thank the chairman for having this hearing today and praise him again for having the prior hearings, and I think what we have found over the course of these hearings is that this is an inordinately difficult issue. It kind of makes me long for the days of 1789 when the original Article IV was put into place with all of its simplistic beauty.
I was just reading it here to try to ground myself. It has kind of an almost surreal simplicity to it. It simply says, the right of the people to be secure in their persons, houses, papers and effects against unreasonable searches and seizures shall not be violated, and no warrant shall issue but upon probable cause, supported by oath or affirmation and particularly describing the place to be searched, and the persons or things to be seized.
Such simplistic beauty, which at the time probably was pretty complex, too, but at least in order to violate sectionArticle IVamendment 4, you had to kick in somebody's door and go inside their houses or grab their persons, and now we have all of this information and the new technology and the phones and the ability to communicate over distances that probably could never have been contemplated or thought about by the original drafters.
Our challenge is to take that simplistic beauty of the fourth amendment and make sure that we stay true to the underlying rationale and the philosophy that impelled the drafters to put it there in the first place.
Page 24 PREV PAGE TOP OF DOC
The more and more electronic and technological advances we make, the more difficult it becomes to try to figure out how they fit into the simplistic beauty of the language.
I think one of our challenges, one of my challenges, has been and continues to be, and I realized this even more today as I was flying back on the plane and reviewing the materials for this hearing, understanding the technology and what the technology does is a challenge in and of itself, and a level of understanding about what the technology does and how it works is necessary to fit it into the parameters of the law and make it fit where we want it to fit.
So the more we can hear about both the technology, which we had a wonderful hearing about, and law enforcement's perception of how it ought to fit, and people's perception of how it ought to fit in the fourth amendment and constitutional context, I think the better informed we are. And so I am thankful that we are having this hearing, and I am thankful that we had the prior hearings. And I hope we will move in a very measured way and try to keep this a bipartisan approach to trying to find a solution. The chairman and I have talked and committed ourselves to that, and I hope we can continue to move in that direction.
I thank you very much for having the hearing, and I look forward to hearing the witnesses.
Mr. CANADY. Thank you, Mr. Watt.
We will now move to our first panel for today's hearing.
Page 25 PREV PAGE TOP OF DOC
I am sorry. Representative Hutchinson, I did not see you come in.
Mr. HUTCHINSON. That is fine, Mr. Chairman. I just want to thank you for holding this hearing, and I wanted to extend a greeting to Senator Schumer. I am glad to have him back over here and look forward to his testimony, and I want to yield back, Mr. Chairman.
Mr. CANADY. Thank you.
On our first panel today will be Senator Charles Schumer of New York, who has introduced S. 2898, the Notice of Electronic Monitoring Act, in the Senate.
Senator Schumer served with great distinction as a member of our committee for a number of years. We are very pleased to have Senator Schumer back with us today, and we look forward to his testimony. We ask that you do your best to confine your remarks to 5 minutes, but I don't think anyone here will insist on strict compliance with the 5-minute rule.
Senator Schumer, you are recognized.
STATEMENT OF HON. CHARLES SCHUMER, A U.S. SENATOR FROM THE STATE OF NEW YORK
Mr. SCHUMER. Thank you, Mr. Chairman. It is good to be back. I will try to stay within the 5-minute rule, particularly since I see this. They say nothing is new under the sun, but I see that new timer there instead of the old red and yellow and green lights, and I noticed as my friend from North Carolina was speaking, he had it perfectly, because a little yellow light that now says ''sum up'' begins, and he began to sum up just as it lit, and he finished as it was going 004, which was 4 seconds left. So I guess it works, and I will try to comply with that.
Page 26 PREV PAGE TOP OF DOC
I just want to say, Mr. Chairman, it is so good to be back here. I have many fond memories both of serving on the Judiciary Committee, being in this room on many, many important occasions. The quality of the members of this committee has always been outstanding and continues to be today in terms of intelligence; and notwe all don't have the same views, but I think the fervor and intelligence with which the issues are debated has been a hallmark of this subcommittee when I was a member of the Judiciary Committee and to this day, and I very much appreciate the opportunity to testify.
I also want to thank you, Mr. Chairman and Congressman Barr, for introducing H.R. 4908, the Notice of Electronic Monitoring Act, or NEMA. As you know, I have introduced NEMA on the Senate side, and I hope we can soon pass this bill which will end the practice of unjustified secret electronic monitoring by workersof employees by their employers.
With the revolutionary changes in technology that my friend Mel Watt had alluded to, the Internet and other technological changes bring new opportunities, but also new threats to individual privacy; and one of those is electronic employee monitoring.
A lot of people don't know this yet, but for all intents and purposes, the computer that you use at work can watch your every move. Over the course of the past year, new software has been developed that makes it easy and cheap for employers to automatically record an employee's e-mail, Web activities, and even an employee's every keystroke. For example, one software product claims that it reviews more than 50,000 e-mail messages an hour, silently, discreetly and continuously, auditing e-mail content moving in and out of a company. It can be run from any work station. It can be set up within a few minutes, and after a free 30-day trial the employer can buy it for a mere $400.
Page 27 PREV PAGE TOP OF DOC
My point is not that such software products are per se bad. Indeed, electronic monitoring sometimes can prove a benefit, protecting corporate secrets, preventing employee harassment. But my point is that new technologies allow just about any employer to monitor any employee without their knowledge, and that these new software packages are becoming ubiquitous, cheap, simple to install and use, and that is what causes the problem.
The number of employers who monitor employee e-mail has doubled in the last 2 years. A recent survey indicates that as of last year nearly three-quarters of large American companies actively record and review either e-mail, Internet usage, computer files or phone usage. NEMA puts a check on business that is moderate, reasonable and fair. It gives employees the right to know whether and when and how their employer is watching; it does not prohibit, but lets the employee know ahead of time.
We would never stand for it if an employer steamed open an employee's mail and read it and put it back without his or her knowledge. Well, the same should be with e-mail. Employees are going to occasionally write personal e-mails, like a message to a spouse about a financial problem, or use the Internet to do a personal search for a medical question that they might have about themselves. All employees should know, before doing such a search or sending an e-mail, whether they have privacy or not.
NEMA requires employers to notify their employees of any monitoring of communication or computer usage. It covers reading or scanning of employee e-mail, keystroke monitoring or programs that monitor employee Web use, as well as the monitoring of telephone conversations.
Page 28 PREV PAGE TOP OF DOC
Importantly, NEMA doesn't prohibit any monitoring techniques. It merely requires employers to give clear and conspicuous notice annually and whenever policies change; and if the employer has a good reason to believe that an employee is causing significant harm to the employer or any other person, the employer can monitor that person without notice at all.
If an employer secretly monitors in violation of the act, they are subject to a suit by the employee for at most $20,000. However, I believe that such lawsuits will be few and far between because employers will simply abide by the modest terms of the act and give annual notice.
New technology has made it cheap and easy for employers to secretly monitor everything an employee does on-line, and this legislation provides workers a first line of defense against a practice that can sometimes amount to nothing more than a blatant invasion of privacy.
I want to thank you, Mr. Chairman, Congressman Barr, for joining in this bipartisan effort. NEMA has already garnered the support of the full spectrum of the privacy community. Where else do you have the ACLU to the CDT to the Eagle Forum all supporting a single piece of legislation? I hope that by working together we can make it law this session.
Mr. CANADY. Thank you, Mr. Schumer.
Page 29 PREV PAGE TOP OF DOC [The prepared statement of Senator Schumer follows:]
PREPARED STATEMENT OF HON. CHARLES SCHUMER, A U.S. SENATOR FROM THE STATE OF NEW YORK
Mr. Chairman, thank you for holding this hearing and for inviting me to testify on an issue that is extremely pressing. I should also thank and commend you, Mr. Chairman and Congressman Barr for introducing H.R. 4908, the Notice of Electronic Monitoring Act or ''NEMA.'' As you know, I have introduced NEMA on the Senate side and I hope that we can soon pass this bill, which will end the practice of unjustified secret electronic monitoring of workers by their employers.
With the revolutionary changes that technology and the Internet are bringing to society, comes new threats to individual privacy. One of those is electronic employee monitoring. A lot of people don't know this yet, but, for all intents and purposes, the computer you use at work can watch your every move.
Over the course of the past year, new software has been developed that makes it easy and cheap for employers to automatically record an employee's email, web activities, even an employee's every key stroke.
For example, one software product claims that it reviews more than 50,000 email messages per hour, silently, discretely, and continuously auditing email content moving in and out of a company. This product can be run from any workstation, and can be set up and running in minutes. After a free 30-day trial of the software, an employer can buy it for a mere $400.
Page 30 PREV PAGE TOP OF DOC My point is not that such software products are per se bad. Indeed, electronic monitoring can sometimes be helpful in protecting corporate trade secrets or preventing employee harassment. My point is that new technologies that allow any employer to monitor employees without their knowledge is becoming ubiquitous, cheap, and simple to install and use.
And it is becoming a problem. The number of employers who monitor employee email has doubled in the last two years. A recent survey indicates that as of last year, nearly three quarters of large American companies actively record and review either email, Internet usage, computer files, or phone usage.
NEMA puts a check on business that is reasonable and fair. It gives employees the right to know whether, when, and how their employer is watching. We would never stand for it if an employer steamed open an employee's mail, read it, and put it back without her knowledge. It should be the same with email.
Employees are going to occasionally write personal emails like a message to a spouse about a financial problem, or use the Internet to do a personal search for a medical question they have. All employees should know before doing a search or sending an email, whether they have privacy or not.
NEMA requires employers to notify their employees of any monitoring of communications or computer usage. It covers reading or scanning of employee email, keystroke monitoring, or programs that monitor employee web use, as well as monitoring of telephone conversations.
Page 31 PREV PAGE TOP OF DOC Importantly, NEMA does not prohibit any monitoring techniques, it merely requires employers to give clear and conspicuous notice annually and whenever policies change. And if the employer has good reason to believe that an employee is causing significant harm to the employer or any other person, the employer can monitor that person without any notice at all.
If an employer secretly monitors, in violation of the Act, they are subject to suit by the employee for at most $20,000 in damages. However, I believe that such lawsuits will be few and far between because employers will simply abide by the modest terms of the Act and give annual notice.
New technology has made it cheap and easy for employers to secretly monitor everything an employee does on line. This legislation provides workers a first line of defense against a practice that can sometimes amount to nothing more than a blatant invasion of privacy. NEMA is a moderate and fair step that addresses an important threat to employee privacy that is quietly but quickly spreading to most workplaces.
Again, thank you Congressmen Canady and Barr for joining in this bipartisan effort. NEMA has already garnered the support of the full spectrum of the privacy communityfrom the ACLU to CDT to the Eagle Forum. I hope that working together we can make it law soon.
Mr. CANADY. As is our custom, we would not ask questions. I certainly don't have any questions, and I understand that you have pressing commitments in the Senate, so we thank you for being here.
Page 32 PREV PAGE TOP OF DOC Mr. SCHUMER. I appreciate the opportunity to testify, Mr. Chairman. Thank you.
Mr. CANADY. Thank you for your leadership on this legislation.
We will now move to our second panel of witnesses. Actually, we will be hearing from one witness on our second panel. On our second panel today we will hear from Kevin DiGregory. Mr. DiGregory is Deputy Associate Attorney General at the Department of Justice, to whom members of Justice Department's Computer Crimes Unit report.
Joining Mr. DiGregory at the table will be David Green, the Deputy Chief of the Computer Crime and Intellectual Property Section of the Department of Justice. Mr. Green will not be making a separate statement, but will be at the table with Mr. DiGregory to answer questions.
I want to thank both of you for being here with us today. Mr. DiGregory, I ask that you do your best to summarize your testimony in 5 minutes or less. Without objection, your written statement as well as the written statements of all of the other witnesses today will be made a part of the permanent record of this hearing.
Mr. DiGregory, we welcome you back. I guess this is your third visit with us
Mr. DIGREGORY. Third time, yes.
Page 33 PREV PAGE TOP OF DOC Mr. CANADY [continuing]. In recent months. We appreciate your being with us here today. We look forward to your testimony.
STATEMENT OF KEVIN DiGREGORY, DEPUTY ASSOCIATE ATTORNEY GENERAL, DEPARTMENT OF JUSTICE
Mr. DIGREGORY. Thank you, Mr. Chairman and members of the committee. Thank you for allowing me this opportunity to testify about the protection of privacy and public safety in cyberspace. Twice before this year I have had the privilege of testifying before you on similar issues, and I am pleased to be here today to continue that discussion.
I appreciate your willingness to meet with members of the Department's Computer Crime Section. Yesterday, as I apologized earlier to the chairman, I am sorry that my schedule didn't permit me to attend that meeting, but I understand that there was a productive exchange of views.
Over the last decade, use of computers and the Internet has grown exponentially and individuals have increasingly come to depend on this use in their daily lives. Yet as people have increasingly used computers for lawful uses, so too have criminals increasingly exploited computers to commit crimes and to harm the safety, security and privacy of others.
Since just the beginning of the year, for example, legitimate e-commerce has been the target of malicious computer hackers in the form of denial of service attacks against Yahoo, eBay and CNN. In addition, in May the I Love You virus infected 45 million files in computer systems all over the globe, causing damages estimated at $2.61 billion.
Page 34 PREV PAGE TOP OF DOC
While the denial of service attacks and viruses have received a great deal of attention, they are but one facet of the criminal activity that occurs on-line today. Criminals use computers to send child pornography to each other through anonymous encrypted communications. Hackers break into financial computers and steal sensitive personal information, including people's Social Security numbers and credit card information. And criminals use the Internet's inexpensive and easy means of communication to commit large-scale fraud on victims all over the globe. Simply put, criminals are exploiting the Internet and victimizing people worldwide every day.
It is important to note, Mr. Chairman, that when law enforcement apprehends a criminal who has stolen a citizen's e-mail and personal information from a computer system, or a hacker who has compromised the financial records of a bank customer, we are protecting the privacy of law-abiding citizens and deterring further privacy violations. Thus, to address the looming threats created by the criminal misuse of the Internet, Congress should consider, we believe, comprehensive amendments to current law to enhance both privacy and public safety by first addressing loopholes in the substantive offenses that define criminal conduct relating to computers and the Internet; secondly, updating the procedural tools that law enforcement investigators use to gather evidence of criminal acts and identify the perpetrators of those acts; and third, by ensuring protection for the legitimate privacy interests of law-abiding Internet users.
Mr. Chairman, my written testimony provides greater detail about the threat of cybercrime as well as the Department's efforts to protect and promote privacy. Because I know the committee's time is limited, I will move directly to the Department's views on the bills that are the subject of today's hearing.
Page 35 PREV PAGE TOP OF DOC
With respect to H.R. 5018, I applaud the members of this subcommittee for your concern about the privacy interests of Internet users and their on-line safety and security. As my testimony today indicates, the Department shares those concerns. The Department, however, has reservations about the way the proposed bills treat these important issues. I hope that you will continue to provide us the opportunity to engage in a constructive dialogue with members of your staff on how to best address these issues in legislation.
Let me begin, as I said, with H.R. 5018, the Electronic Communications Privacy Act of 2000. Although this bill attempts to address a number of important concerns, it is not, we believe, the kind of balanced, comprehensive package that would improve safety, security and privacy of Internet users.
H.R. 5018, as we understand it, would make three significant changes to the law. First, it would amend the laws governing how law enforcement may obtain noncontent information about e-mail under the pen register and trap and trace statutes. It would introduce statutory suppression for certain nonconstitutional violations, and it would create a host of new reporting requirements. I will address each of these features in turn.
First, section 4 of H.R. 5018 would make it more difficult for law enforcement authorities to obtain a trap and trace or pen register order for electronic mail. Law enforcement investigators use such orders to collect the to and from information, source and destination, associated with communications from a particular e-mail account. For example, when a criminal uses e-mail to buy and sale narcotics or to lure children for sex, law enforcement needs to know to whom he is sending messages and from whom he receives them. Under current law, to obtain such an order, a prosecutor must certify that the information likely to be obtained is relevant to an ongoing criminal investigation.
Page 36 PREV PAGE TOP OF DOC
Under this bill, to obtain a pen/trap order for e-mail would require a judge or a magistrate to assess whether the facts reasonably indicate that a crime has or will be committed and that the information likely to be gathered by the order will be relevant to that crime.
By applying this new standard only to e-mail addresses, the amendments would insert a technology-specific term into the statute with far-ranging implications. This definition does not take into account the large number of other ways that electronic communications are sent over computer networks. An electronic letter can be sent using a file transfer protocol, and messages of all kinds are exchanged using Internet mechanisms such as instant messaging and chat rooms. Moreover, because the definition is phrased in terms of e-mail, one of today's technologies, it will likely become outdated as the Internet continues to evolve. It may be that in 10 years, no one will be using what we now call e-mail at all, but will be instead using some new technology not covered by the bill.
Thus, the prudent course, we believe, in amending our laws is to define terms using technology-neutral language. For example, using generic terms such as ''source'' and ''destination of the communication'' avoids this pitfall. An example of such language is contained in the administration's legislative proposal transmitted to Congress in July and entitled the Enhancement of Privacy and Public Safety in Cyberspace Act. That act would provide for judicial review before law enforcement may obtain trap and trace information not just for e-mails, but for addressing information involving both electronic and telephonic communications.
Second, H.R. 5018's trap and trace amendments are problematic because of what they do not contain. To create a balanced bill, we believe, that would enhance public safety as well as privacy, Congress should address a crucial and growing obstacle to the ability of law enforcement to investigate threats to public safety and to business on-line, and that growing threat is the geographical limitation currently found in the trap and trace and pen register statutes.
Page 37 PREV PAGE TOP OF DOC
Under current law, a court can only order the installation of a pen/trap device within the geographical boundaries of that court's district. The changes in telecommunications technology and the telecommunications industry mean that many different companies located in a variety of judicial districts may handle a single communication as it crosses the country. As a result, investigators often have to apply for multiple court orders in multiple jurisdictions in order to trace a single communication, causing, we believe, a needless waste of resources and endangering important investigations by allowing perishable data potentially to be lost.
No privacy interest is enhanced, we submit, by repeatedly applying for identical orders in different parts of the country based upon the same underlying facts. The statute should be amended to ensure that Federal courts have the authority in a single order to require any U.S. Telecommunications carrier to provide law enforcement authorities with the information needed to trace both voice and electronic communications to their source. Language implementing such a change is contained in the administration's bill. As is the case today, a Federal court with jurisdiction over the investigation still would have to approve the application.
Another section of H.R. 5018 would apply the wiretap statute suppression remedy, 18 U.S. Code 2515, in two new circumstances: For real-time interception of the content of electronic communications and for obtaining e-mail in electronic storage. Expanding the reach of the statutory suppression provision in this broad manner may confer an unwarranted windfall on criminals.
Page 38 PREV PAGE TOP OF DOC By suppressing evidence, a court interferes with a core function of a criminal trial, the search for the truth. The exclusion of evidence prevents a jury from hearing all the relevant facts that allow it to determine guilt or innocence. Because suppression of evidence affects the central values of our criminal justice system, it is generally reserved for serious constitutional violations. Congress should consider carefully before creating new suppression remedies by statutes in situations where no criminal violationexcuse me, where no constitutional violation has occurred.
Statutory rules can be enforced through existing civil remedies that do not allow the guilty to escape punishment. As an alternative, this subcommittee may wish to consider the approach taken by the administration's bill, which raises the level of protection for real-time interceptions of the content of electronic communications so that they are equal to the protections afforded to wire and voice, while also eliminating other ambiguities in the law by, for example, clarifying that Internet service providers that provide service through coaxial cable which also is used to provide cable TV service, to provide thatwhen they provide that Internet service, they are subject to the provisions of the Electronic Communications Privacy Act.
Finally, H.R. 5018 also mandates new reporting requirements that would create a significant burden for law enforcement authorities. These reporting requirements would apply to the use of orders for the disclosure of stored communications under section 2703 of title 18. These orders are less intrusive than wiretap authorizations for the real-time interceptions of the content of communications, yet H.R. 5018 would impose reporting requirements even greater than those imposed on law enforcement for wiretap orders.
The imposition of such extensive reporting requirements for cybercrime investigators at a time when law enforcement authorities are strapped for resources to fight cybercrime would hinder our efforts to fight cybercrime.
Page 39 PREV PAGE TOP OF DOC
Let me turn now to H.R. 4987, the Digital Privacy Act of 2000. While the bill addresses important issues, it raises many of the same concerns as H.R. 5018. For example, it creates an extensive new reporting requirement for an even broader set of processes, including search warrants and grand jury subpoenas, threatening once again to perhaps turn crimefighters into bookkeepers. Moreover, H.R. 4987 contains a provision that would greatly restrict the use of cell phone location information by government entities.
Currently we obtain cell site location from providers through an order under 18 United States Code 2703(d), which requires the government to provide to a court specific and articulable facts showing that there are reasonable grounds to believe that the records are relevant and material to an ongoing criminal investigation. The proposed amendment would allow law enforcement to obtain such cell site information only upon a judicial finding that there is probable cause to believe that the equipment has been used, is being used or is about to be used to commit a felony offense. This new restriction, we believe, would prevent location information from being obtained where the phone itself is not being used to commit the offense.
This amendment has the capacity, we believe, to potentially seriously endanger public safety. For example, just last week three defendants in Florida were given life sentences for kidnapping a family and holding them hostage. The family had been rescued by using the location of a cell phone. In another case, cell phone location information allowed investigators to track a fugitive murderer from Florida and arrest him in North Carolina. If the proposed bill were enforced, we would not have been able to find these criminals through cell phone location because the phone was not being used to commit a crime.
Page 40 PREV PAGE TOP OF DOC As you can see, the consequences of the proposed provision are significant.
We believe the current standard adequately protects privacy and should be maintained.
Finally, Mr. Chairman, I want to thank you again for the opportunity to testify today. The public is properly concerned about their on-line privacy and the potential for criminals, private industry and the government to infringe upon it. But the public is also deeply concerned about their safety and security when using the wondrous resources of the Internet. Enhancing the ability of law enforcement to fight cybercrime both promotes Internet user safety and enhances their privacy by deterring and punishing those who would violate that individual privacy.
The Department of Justice stands ready to work with the members of this subcommittee and others to achieve these important goals.
That concludes my prepared statement, and Mr. Green and I would be pleased to try to answer any questions that you have.
[The prepared statement of Mr. DiGregory follows:]
PREPARED STATEMENT OF KEVIN DIGREGORY, DEPUTY ASSOCIATE ATTORNEY GENERAL, DEPARTMENT OF JUSTICE
Mr. Chairman and Members of the Subcommittee, thank you for allowing me this opportunity to testify about H.R. 5018, the ''Electronic Communications Privacy Act of 2000,'' and H.R. 4987, the ''Digital Privacy Act of 2000.'' Twice before this year I have had the privilege of testifying before you on issues relating to the protection of privacy and public safety in cyber-space, and I am pleased to be here today to continue that discussion.
Page 41 PREV PAGE TOP OF DOC
The Internet and Public Safety
Over the last decade, use of computers and the Internet has grown exponentially, and individuals have increasingly come to depend on this use in their daily lives. The Internet has resulted in new and exciting ways for people to communicate, transfer information, engage in commerce, and expand their educational opportunities. These are but a few of the marvelous benefits of this rapidly changing technology. There is no question that the Internet has changed the way we live today. Yet, as has been the case with every major technological advance in our history, we are seeing individuals and groups use this technology to commit serious criminal acts. As people have increasingly used computers for lawful purposes, so too have criminals increasingly exploited computers to commit crimes and to harm the safety, security, and privacy of others.
Since just the beginning of the year, for example, legitimate e-commerce has been the target of malicious computer hackers in the form of ''denial of service attacks.'' These unlawful attacks involved the unauthorized intrusion into a large number of computers, which were in turn used to launch attacks on several, target computers, such as Yahoo, eBay, and CNN. In these cases, the number of victims was substantial, as was the collective loss and cost to respond to these attacks. We have also seen the emergence of fast-moving viruses that have caused damage to computer systems around the world and have disrupted the computer systems of consumers, businesses, and governments. In May, the ''I Love You'' virus infected 45 million files in computer systems all over the globe, causing damages estimated at $2.61 billion. Frighteningly, the ''I Love You'' virus was followed by almost 30 copycat variants.
Page 42 PREV PAGE TOP OF DOC While the denial of service attacks and viruses have received a great deal of attention and are cause for concern, they are but one facet of the criminal activity that occurs online today. Criminals use computers to send child pornography to each other through anonymous, encrypted communications; hackers break into financial computers and steal sensitive, personal information of private consumers, such as names, addresses, social security numbers, and credit card information; and criminals use the Internet's inexpensive and easy means of communication to commit large-scale fraud on victims all over the globe.
Let me share some statistics with you that illustrate the dimensions of the problem. Seventy-four percent of businesses recently surveyed by the Computer Security Institute reported computer security breaches that included theft of proprietary information, financial fraud, system penetration by outsiders, data or network sabotage, or denial of service attacks. Indeed, almost twenty percent of respondents reported 10 or more such incidents. In addition, Internet fraud has increased exponentially. Since it's inception in May of this year, for example, the FBI's Internet Fraud Complaint Center has received 1,200 complaints every week. At this rate, they will receive 62,000 complaints a year. Simply put, criminals are exploiting the Internet and victimizing people, worldwide, everyday.
Responding to the Challenge of Unlawful Conduct on the Internet
The growing threat of illicit conduct online was made clear in the findings and conclusions reached in the report of the President's Working Group on Unlawful Conduct on the Internet, entitled, ''The Electronic Frontier: The Challenge of Unlawful Conduct Involving the Use of the Internet.'' This extensive report highlights some of the significant challenges facing law enforcement in cyberspace. As the report states, the needs and challenges confronting law enforcement, ''are neither trivial nor theoretical.'' The Report outlines a three-pronged approach for responding to unlawful activity on the Internet:
Page 43 PREV PAGE TOP OF DOC
1. Conduct on the Internet should be treated in the same manner as similar conduct offline, in a technology neutral manner.
2. The needs and challenges of law enforcement posed by the Internetincluding the need for resources, up-to-date investigative tools and enhanced multi-jurisdictional cooperationare significant.
3. There should be continued support for private sector leadership in developing tools and methods to help Internet users prevent and minimize the risks of unlawful conduct online.
The report also emphasizes the need to address the privacy issues raised by changes in computer and telecommunications technology. I would encourage anyone with an interest in this important topic to review carefully the report of the Working Group. The report can be found on the Internet by visiting the website of the Department of Justice's Computer Crime and Intellectual Property Section, located at www.cybercrime.gov. That website also contains a great deal of other information relating to cyber-crime and to the laws protecting intellectual property.
The migration of criminality to cyberspace accelerates with each passing day and the threat to public safety is becoming increasingly significant. As Deputy Attorney General Eric Holder told a joint hearing of House and Senate Judiciary Subcommittees in February, this nation's vulnerability to computer crime is astonishingly high and threatens not only our financial well-being and our privacy, but also this nation's critical infrastructure.
Page 44 PREV PAGE TOP OF DOCLegislation That Would Promote the Safety, Security, and Privacy of Internet Users
It is important to note, Mr. Chairman, that when law enforcement successfully apprehends a criminal who has stolen a citizen's personal information from a computer system, or a hacker who has compromised the financial records of a bank customer, we are undeniably working, not just to apprehend the offender, but to protect the privacy of law-abiding citizens and to deter further privacy violations at the hands of criminals.
Thus, in order to address the looming threats created by the criminal misuse of the Internet, Congress should consider a comprehensive package of amendments to current law. Such a package should enhance both privacy and public safety by (1) addressing loopholes in the substantive offenses that define criminal conduct relating to computers and the Internet; (2) updating the procedural tools that law enforcement investigators use to gather evidence of criminal acts and identify the perpetrators; and (3) ensuring protection for the legitimate privacy interests of law-abiding Internet users.
Moreover, such a comprehensive package should not ignore the need for law enforcement to have adequate resources to respond to the continuing growth in cyber-crime. The changing nature of criminal investigations and the need to develop effective computer crime prevention and response strategies requires a focused, national effort that includes local, state, and federal law enforcement entities. Law enforcement is taking steps to respond to this dramatic increase in criminal activity: indeed, he FBI alone opened more than twice as many computer crime investigations in FY 1999 as it had in FY 1998. Unlike traditional methods of equipping and training law enforcement officers, investigators focusing on cyber-crime must receive continuous training and updated equipment in order to stay current with the rapidly changing technology. Criminals undoubtedly understand the latest technology, and so must law enforcement. In order to be able to meet the growing threat, we urge Congress to fully fund the Administration's FY 2001 budget request for increased prosecutive resources for the Criminal Division's Computer Crime and Intellectual Property Section and for United States Attorneys Officesto handle cyber-crime investigations and cases.
Page 45 PREV PAGE TOP OF DOC
We also need to amend existing law in two areas. First, we must make certain that the substantive laws defining what conduct is criminalsuch as the Computer Fraud and Abuse Act (section 1030 of title 18)are adequately refined and updated. Second, we must look critically at the tools law enforcement uses to investigate computer crimessuch as the existing Electronic Communications Privacy Act and the pen register and trap and trace statutesto ensure that they are cast in terms that fully account for the rapid advances in technology. Failure to do both will hamper our efforts. If we have the appropriate substantive laws, but no means to effectuate them, we will be stymied in our pursuit of online criminals. Conversely, if the conduct in question is not covered by the criminal law, the ability to gather evidence is of no value in protecting the safety and privacy of people who use the Internet.
The Administration has been carefully considering these issues for a number of months. As a result of this process, in July the Administration, through the Department of Justice, transmitted to Congress proposed legislation that attempts to resolve the shortcomings in both the substantive and procedural laws, while improving privacy safeguards. In short, this proposal seeks to enhance both online privacy and public safety. I urge Congress to consider this kind of comprehensive legislation that seeks to deal with the full scope of the problem, rather than attempting to address the issues piecemeal.
With that background, I am pleased today to offer the views of the Department of Justice on the legislation recently proposed by Members of this Subcommittee.
Department of Justices Views on H.R. 5018
Page 46 PREV PAGE TOP OF DOC I applaud the members of this subcommittee for your concern for protecting the privacy interests of Internet users and their online safety and security. As my testimony today indicates, the Department shares your concerns about ensuring the privacy interests of those who use computer networks lawfully. The Department does, however, have serious reservations about the way the proposed bills treat these important issues.
Let me begin by discussing H.R. 5018, the ''Electronic Communications Privacy Act of 2000.'' Although this bill attempts to address a number of important concerns, it is not the kind of balanced, comprehensive package that would improve the safety, security, and privacy of Internet users. It does not update the substantive criminal law that defines computer crimes in order to assure that criminals who violate the security and privacy of American citizens are properly punished. Nor does it modernize the investigative tools used to fight cyber-crime in a balanced way. And it does not address the desperate need for resources to assure that investigators and prosecutors have the training and equipment to pursue cyber-crime cases properly.
H.R. 5018 would make three significant changes to the law: (i) it would amend the laws governing how law enforcement may obtain non-content information under the pen register/trap and trace statutes; (ii) it would introduce statutory suppression for a range of non-Constitutional violations; and (iii) it would create a host of new reporting requirements. I will address each of these features in turn.
Proposed Trap and Trace/Pen Register Amendments. Section 4 of H.R. 5018 would make it more difficult for law enforcement authorities to obtain a Trap and Trace or Pen Register Order for electronic mail. Law enforcement investigators use such orders to collect the ''to'' and ''from'' information associated with communications from a particular e-mail account. For example, when a criminal uses e-mail to send a kidnaping demand, to buy and sell narcotics, or to lure children for sex, law enforcement needs to know to whom he is sending messages and from whom he receives them. Current law requires the applying government attorney to certify that the information likely to be obtained through the Order is relevant to an ongoing criminal investigation.
Page 47 PREV PAGE TOP OF DOC
H.R. 5018, like the Administration's bill, would introduce the requirement of judicial review of the factual basis for such orders. Specifically, H.R. 5018 would require such applications to contain ''specific and articulable facts'' that would justify the collection of the data. While the Justice Department can comply with the added administrative burdens imposed by increasing this standard, we have concerns about the amendments. Specifically, the technology-specific manner in which the bill would implement this change, the lack of an emergency exception, and the unrealistic geographic limitations that restrict such orders in the present law all raise serious concerns that should be addressed.
The Administration bill would, while raising the barriers to obtaining pen register and trap and trace orders, also amend those telephone-era statutes in a technology-neutral manner to make clear their relevance to the electronic age. Thus, if amended by that bill, the statute would apply to all ''dialing, routing, addressing, and signaling information'' associated with a given communication. It would thus increase privacy protection for all forms of electronic communicationincluding plain old telephone calls.
H.R. 5018, by contrast, would apply the heightened standard only to devices that identify ''an e-mail address.'' This definition does not take into account the large number of other ways that electronic communications are sent over computer networks. For example, an electronic letter can be sent using ''file transfer protocol'' (or ''ftp''), and messages of all kinds are exchanged using Internet mechanisms such as ''instant messaging'' and ''chat rooms.'' Moreover, because the definition is phrased in terms of one of today's technologies, ''e-mail,'' it will likely become quickly outdated as the Internet continues to evolve. It may be that in ten years, no one will be using what we now call ''e-mail'' at all but will be instead using some new technology not covered by the bill. Thus, the prudent course in amending our laws is to define terms using technology-neutral language, such as that contained in the Administration bill.
Page 48 PREV PAGE TOP OF DOC
We also believe that any amendment to the pen/trap statute should supplement existing legal authority that allows law enforcement to use pen/trap devices in emergency situationssuch as when they encounter an immediate danger of death or serious bodily injury or when they are investigating organized crimewithout getting prior approval from a court, so long as they obtain court approval within 48 hours thereafter. The Administration bill would add two long-overdue exceptions to the prior-approval requirement: (1) immediate threats to national security; and (2) investigations of ongoing intrusions into computer networks under 18 U.S.C. §1030. In the latter case, rapid investigative response is made essential both by the nature of the mediumin which attackers may move seamlessly and almost instantaneously through a series of ''stepping stone'' victim sites, launching attacks from eachand by the quickly disappearing character of network routing evidence.
H.R. 5018 also fails to address a crucial and growing obstacle to the ability of law enforcement to investigate threats to public safety and to business online: the geographical limitations currently found in the trap and trace and pen register statutes. Under current law a court can only order the installation of a pen/trap device within the geographical boundaries of that Court's district. But changes in telecommunications technology and the telecommunications industry means that many different companies, located in a variety of judicial districts, may handle a single communication as it crosses the country. As a result, investigators often have to apply for multiple court orders in multiple jurisdictions in order to trace a single communication, causing a needless waste of resources and delaying and impeding important investigations. Indeed, in computer network investigations, such delays can cause perishable data to be lost and effectively end an investigation.
Page 49 PREV PAGE TOP OF DOC The statute should be amended to ensure that federal courts have the authority to order all telecommunications carriers providing service in the United Stateswhether within a particular judicial district or notto provide law enforcement authorities the information needed to trace both voice and electronic communications to their source. Language implementing such a change is contained in the Administration's bill. It is important to recognize in considering a nationwide trap-and-trace provision that introducing such a change would in no way reduce privacy protections. As is the case today, a federal court with jurisdiction over the investigation would still have to approve the application. No privacy interest is enhanced by repeatedly applying for identical orders in different parts of the country based on the same underlying facts.
New Statutory Suppression Remedies. Section 2 of H.R. 5018 creates two new statutory suppression remedies. It would require that courts exclude evidence from any criminal trialwhether the crime is the distribution of child pornography, a terrorist conspiracy, or murderwhere investigators failed to meet statutory requirements. The statutes at issue define the legal procedures that investigators must use to obtain stored electronic communications and to intercept the content of electronic communications using a wiretap. The Department believes that expanding statutory suppression provisions beyond those that apply to the real-time interception of content would confer an unwarranted windfall on criminals.
By suppressing evidence, a court interferes with the core function of a criminal trial: the search for the truth. The exclusion of evidence prevents a jury from hearing all the relevant facts that allow it to determine guilt or innocence. Because suppression of evidence affects the central values of our criminal justice system, it is generally reserved for the most serious violations of law, such as violations of the Constitution. Congress should be cautious in considering whether to create new suppression remedies by statute in situations where no Constitutional violation has occurred.
Page 50 PREV PAGE TOP OF DOC
Indeed, in the more serious situations intended to be covered by the new statutory suppression provisions, suppression already exists for law enforcement misconduct that rises to the level of a Constitutional violation. For example, if a wiretap affidavit submitted for the interception of the content of electronic communications contained intentionally false statements, any resulting interception would violate the Fourth Amendment, and a court would properly suppress such evidence. Statutory rules, on the other hand, can be enforced through existing civil remedies that do not allow the guilty to escape just punishment. See, e.g., 18 U.S.C. §2707 (setting forth civil and disciplinary remedies for violations of 2703).
Despite these reservations, the Department would, in the proper context, support harmonization of the way in which the law treats voice and electronic communications. Changes in technology and society have militated toward treating these two forms of communication in the same way. Thus, we believe the law could treat electronic communications in the same way as voice communications for purposes of suppressionso long as this change is part of a broader recalibrating of the way that the law treats all communications. For example, the Administration's package proposes that wiretaps for electronic communications should be treated just the same as voice wiretaps, including approval by a high-level Justice Department official, limited to the list of predicate crimes under §2516, and with the availability of suppression under §2515.
New Reporting Requirements. Section 3 of H.R. 5018 mandates extensive new reporting requirements that would create a significant burden for law enforcement authorities. These reporting requirements would apply to the use of orders under section 2703(d) of title 18. Such orders are most commonly used to obtain stored traffic informationsuch as computer logs showing when communications were transmittedand sometimes the content of communications that the user has chosen to save with a third party provider. These orders are far less intrusive than wiretap authorizations for the interception of the content of communications in real time using a wiretap. Yet H.R. 5018 would impose reporting requirements even greater than those imposed on law enforcement for wiretap orders.
Page 51 PREV PAGE TOP OF DOC
Moreover, the imposition of such extensive reporting requirements for cyber-crime investigators would come at a time when law enforcement authorities are strapped for resources to fight cyber-crime. The reporting requirements for wiretaps, while extensive, are less onerous because law enforcement applies for such orders relatively rarely. Extending such requirements to orders used to obtain mere transactional data would dramatically hinder efforts to fight cyber-crime, such as the distribution of child pornography and Internet fraud.
Department of Justices Views on H.R. 4987
Mr. Chairman, let me turn to H.R. 4987, the ''Digital Privacy Act of 2000.'' Again, while the bill addresses important issues, it is not the kind of balanced, comprehensive package that would promote both privacy and effective law enforcement. Indeed, it raises many of the same concerns as H.R. 5018. For example, it creates an extensive new reporting requirement for an even broader set of legal processes, including search warrants and grand jury subpoenas, threatening to turn crime-fighters into bookkeepers. And, while it creates a suppression remedy for wiretaps that involve electronic communications matching the standard for voice wiretaps, H.R. 4987 would not make the other changes to the statute that would allow voice and electronic communications to be treated equally.
Further, H.R. 4987 contains a provision that would unduly restrict the investigative use of cell phone location information. Currently, law enforcement obtains such information through 2703(d) orders, based on presenting ''specific and articulable facts showing that there are reasonable grounds to believe that the [information] is relevant to an ongoing criminal investigation. The proposed amendment to section 2703 of title 18 would restrict law enforcement to obtaining such information only upon a judicial finding that ''there is probable cause to believe that the equipment has been used, is being used, or is about to be used to commit a felony offense.'' This new restriction would prevent location information from being obtained where the phone itself is not being used to commit the offense. For example, in one important investigation, cell phone location information allowed investigators to locate an escaped murderer and arrest him. The proposed bill would forbid investigators from using location information in this kind of situation in the future because the killer's phone was not being used to commit a crime. Similarly, in another investigation, an individual committed murder in one part of a city and lied to create an alibi by stating that he was in a different part of the city at the time of the murder. The records of the location of his cell phone revealed his lies and assisted law enforcement authorities to prove his guilt, even though the phone had nothing to do with the crime itself. Moreover, there may be cases where the location of a victim's phone can provide criticaland, in a kidnaping case, even lifesavinginformation but we may not be able to obtain the victim's consent prior to obtaining and acting on the information.
Page 52 PREV PAGE TOP OF DOC
As you can see, the consequences of the proposed provision are significant. Thus, the Department opposes this provision in its current form.
Mr. Chairman, I want to thank you again for this opportunity to testify today about our efforts to fight crime on the Internet and comment on the legislation proposed by you and members of your subcommittee. The public is undoubtedly concerned about their online privacyand the potential for criminals, private industry, and the government to infringe upon it. But the public is also deeply concerned about their safety and security when using the wondrous resources of the Internet. Enhancing the ability of law enforcement to fight cyber-crime both promotes Internet users' safety and security and enhances their privacy by deterring and punishing those criminals who violate individual privacy. The Department of Justice stands ready to work with the Members of this Subcommittee and others to achieve these important goals.
Mr. Chairman, that concludes my prepared statement. I would be pleased to answer any questions that you may have at this time.
Mr. CANADY. Mr. DiGregory, again I thank you for coming today and for your testimony. I will say that I think your testimony raises issues that are worthy of consideration by this subcommittee.
Let me point out that the legislation that we are considering today was filed with a narrower focus than the administration's proposal. That partly has to do with the jurisdictional issues of what comes to this subcommittee and so on. But I share your concern about the broader range of issues that should be concerned, and it would be my goal to find a way to address the broader range of issues, not necessarily all of them in exactly the way the administration has proposed, but I think that broader range of issues is worthy of and needs consideration. So I want to make that point clear.
Page 53 PREV PAGE TOP OF DOC
I am hopeful that we will be able to, after today's hearing, continue our discussion and perhaps be able to reach a consensus. I have talked with Mr. Watt about working on such a process, and I am committed to doing what I can to find common ground between the members of the subcommittee and the administration, Members on both sides of the aisle, so that we could come forward with a work product from the subcommittee sometime soon, because if we don't do it sometime soon, this Congress will be over.
Earlier we had announced a markup for tomorrow. We will not be conducting that markup. Instead we would anticipate a markup in the subcommittee next Thursday, that is Thursday of next week, and I think that will give us more time to work through the range of concerns that have been raised by all of the folks who are concerned about these issues.
Now, let me focus on a couple of things. On the standard for obtaining trap and trace and pen register orders, your primary concern seems to be that we have created a separate category for e-mails, and you think that is inappropriate. Well, we can have a discussion about that, but I want to focus on not that aspect of it, but on the standard.
Now, you in the administration proposal seem to recognize that the way things are going now is really not quite enough oversight, or you are at least willing to have the level of oversight or judicial involvement raised.
Currently, based on certification of law enforcement, it is a ministerial act for a court to issue an order that allows trap and trace or pen register, the information pursuant to those statutes. Now, I will tell you candidly that I think if most Americans knew that all someone from law enforcement had to do was to certify that essentially they want to get that information, and then they go before a court, and a court as a ministerial act issues that order for either telephone numbers or e-mail addresses, I don't think most Americans understand that there is that power of law enforcement. So you, perhaps in recognition of the sensitivity of even that sort of information, recommend in your proposal that the court at least make a finding that the information is relevant to an ongoing criminal investigation.
Page 54 PREV PAGE TOP OF DOC
Now, in our proposal, which focuses not on the telephone calls, but just on e-mail, we go a little further and require a finding of specific and articulable facts. Well, let me read it: A finding that there are specific and articulable facts reasonably indicating that a crime has been, is being or will be committed.
Now, do you have a problem with that standard? I want to get a sense of whether you think that standard of specific and articulable facts would impose an undue burden on law enforcement.
You may well be right that this shouldn't be limited to e-mail. It should be perhaps an across-the-board technology-neutral standard, whatever the standard is, but is this higher standard that is involved here, is it going to impose, in your view, an undue burden on law enforcement? And if you think it would, explain why. Your testimony doesn't seem toit seems to kind of skirt around that issue a little bit. So I want to draw you out on that some, and for that purpose I will grant myself an additional 3 minutes.
Mr. DIGREGORY. Let me just tell you what my concern is, and I will let David speak to this as well, because we each have a number of years of experience as a prosecutor. I am concerned about what that standard means and what I would have to say to a court in saying to them that a crime has been, is being or will be committed. And that is because the pen register and trap and trace orders are usually obtained, and David can correct me if I am wrong on this as well because he has more experience on these orders than I do, but they are usually obtained at the very outset of a criminal investigation.
Page 55 PREV PAGE TOP OF DOC Let me give you what I think is a relatively simple example. You have information from a confidential informant that Joe Jones is operating a gambling business out of his home and using the telephone in his home to do that. Now, you wouldn't ordinarily go from that piece of information that is given to you by the source and seek a title III order for content. You couldn't.
The first step that you would take would be to seek the pen register and trap and trace orders to determine things like the numbers of phone calls that are going in and out of Joe Jones's private residence, and that might be an indication of whether or not he is engaged in a gambling business, and that might substantiate the information that your source has brought to you.
Now, would I be able to say under this standard that a crime is being, has been or will be committed, or would I be able to say that I have got a reason to at least begin preliminarily a criminal investigation into the matter because of the information that has come to me? So I don't know if that answers your question, but I am concerned about what those words about a crime being committed means, and how much they will restrict the prosecutor in his ability to obtain the pen register or trap and trace order when he has got some information and enough information, I would submit to you, to get that, to at least confirm what his source is telling him or try to begin to confirm that and proceed further with his investigation, but not really enough information to conclude that a crime is being committed.
Mr. CANADY. Well, I guess the thing that concerns me is under the existing standard certainly, and perhaps under your situation, you don't really change the standard. You just change the role of the judge.
Page 56 PREV PAGE TOP OF DOC
Mr. DIGREGORY. You at least have the judge take a look at the facts that the prosecutor submits, and the judge make a determination that the information to be obtained from the order is likely to assist in this ongoing criminalis likely to be relevant to the ongoing criminal investigation.
Mr. CANADY. The thing that concerns me, and this doesn't just apply to e-mail, this would apply equally to the traditional trap and trace or pen register on a telephone, that you can justsomebody can get in his mind, well, I wonder who he is calling or I wonder who is calling him, maybe he is doing something illegal and let's find out. It is hard for me to see what keeps you from doing that under the existing scenario.
My time has run out. Depending on how many questions others have, we may do a second round, but I will turn to Mr. Watt now.
Mr. WATT. Thank you, Mr. Chairman.
I think the chairman has put his finger on the basic issue here. The issue is not whether we want to try to find some technology-neutral language. I think we all can agree to that very easily. But if the standard is not right, finding technology-neutral language just makes it a broader improper standard.
I am having a lot of trouble with your standard. I can understand it from the prosecutor's perspective, but my Constitution wasn't written for the protection of the prosecutor.
Page 57 PREV PAGE TOP OF DOC
While you are worried about what you have got to say to a court and whether you have got to demonstrate that some crime is in process or not, the Constitution doesn't require you to do that. All it requires you to have is reasonable causeprobable cause to believe that something is going on.
Right now you have got a standard under 18 U.S.C. 3123 that I think it puts you way out there on that statute. What you are saying now is that we should take that same standard, which I think is an inappropriate standard, and multiply the egregiousness of it by applying it to everything else that law enforcement does.
I, for the life of me, can't see anything in my Constitution that talks about the term ''relevant to an ongoing criminal investigation.'' that isn't in my Constitution. So unless we can come together on what the standard ought to be, I mean, we are going to have a hard time moving. I mean, I find myself very close to Mr. Barr on this issue, and if the left is there and the right is there, him being the left and me being the right, of course, I mean I think what you are trying to do is to get the Constitution Subcommittee to write a prosecution standard as opposed to a constitutional standard.
Mr. DIGREGORY. Let me respond in this way: We wouldn't be asking for this admittedly lesser standard to be applied to everything that we do with respect to electronic surveillance. What I would suggest to you is that the premise from which you must begin, whether you agree with that premise or not, is that the United States Supreme Court has saidand you mentioned earlier, Mr. Chairman, that most Americans would be shocked to know that the pen register can be obtained under this standardthey may also be shocked to know that there is no reasonable expectation of privacy in the information obtained from the pen register. That may be a guess that people would make, but nevertheless the Supreme Court has determined that there is no reasonable expectation of privacy in source and destination information.
Page 58 PREV PAGE TOP OF DOC
And if I may, because I have suggested you begin from that premise, I could read from that opinion because they talk about there being not only no objective expectation of privacy, but no subjective expectation of privacy.
They said in pertinent part, first we doubt that people in general entertain any actual expectation of privacy in the numbers they dial. All telephone users realize that they must convey telephone numbers to their telephone company since it is through telephone company switching equipment that their calls are completed. All subscribers, moreover, realize that the phone company has facilities for making permanent records of the numbers they dial. In fact, pen registers and similar devices are routinely used by telephone companies for purposes of checking billing operations and detecting fraud.
Although most people may be oblivious to a pen register's esoteric functions, they presumably have some awareness of one common use, to aid in the identification of persons making annoying or obscene calls.
Further language in the opinion, this court has consistently held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.
Now, I know thatall I am suggesting to you is that that is whatthat is the premise from which we must begin the analysis because that is what the law is. I am not suggesting to youand certainly you have the power to change the law. We have suggested that a certain change be made and, in fact, this opinion issued. And there is nevertheless a standard in Federal law for obtaining a pen register trap and trace when this opinion suggests that maybe there doesn't even need to be because there is no reasonable expectation of privacy in this information.
Page 59 PREV PAGE TOP OF DOC
So the point that I am trying to make with this lengthy discussion is that when you consider what standard to apply, I would submit you must also consider the level of, for lack of a better way of putting it, intrusion involved with respect to the information being sought. I would suggest to you that the lesser the intrusion, the lesser the standard need be in making that balance between public safety and individual privacy.
Mr. CANADY. The gentleman's time has expired. Without objection, the gentleman will have 3 additional minutes.
Mr. WATT. I don't know that I need 3 additional minutes, Mr. Chairman. I want to listen to the rest of the conversation, but I am having a lot of trouble getting where this gentleman is on this issue.
I hear what you are saying. I mean, it is very practical, but I think the public has a reasonable expectation in not having the government, without beliefprobable cause for believing that some crime is taking place, eavesdropping on keeping track of their phone numbers, keeping track of where they are sending e-mails to.
I don't think that that would be an impossible burden. I mean, in the case where you talked about the informant telling you that some criminal conduct is taking place, if that is a reliable informant, and you can convince the judge that that is a reliable informant, then maybe that is probable cause. If it is not probable cause, then I will be damned if I can see how you have the right to go and start monitoring my phones or my e-mails, notwithstanding what the United States Supreme Court said.
Page 60 PREV PAGE TOP OF DOC
Mr. DIGREGORY. But, of course, you know that when we monitor the content of your telephone conversations or the content of your e-mails, we are required to meet a probable cause standard, and, in fact, statutory law requires us to do much more than that. It requires us to state to the Court that it is necessary to the investigation that we take this route and that we must minimize the interceptions to only those conversations or exchange of e-mails, if you will, which relate to the criminal conduct.
So I take the point that we have got a disagreement on this, but we are always willing to continue to discuss this.
Mr. WATT. Yes, but the disagreement is so basic that I think this is what is going toyou know, all this other stuff that we are talking about, whether you use technology-neutral language, all theif we cannot agree on what the standard ought to be, then I think we are just whistling in the wind about whether we are going to be able to get to a point where we canand, you know, I see the disagreement developing not so much along political lines or partisan lines, but along philosophical lines and constitutional lines and what the standard ought to be.
If we cannot forge beyond this basic question, how are we going to come to any consensus about what the legislation ought to cover? That is the problemthe real bind we have.
Mr. CANADY. If I could enter into that?
Page 61 PREV PAGE TOP OF DOC Mr. WATT. I am happy to yield to the gentleman.
Mr. CANADY. In fairness to the administration, I think that we need to recognize that even though we may not agree with the administration's standard, they are actually increasing the protections that are provided over and above what current law is, because currently the judge plays only a ministerial role. At least under the administration's proposal, and I am not here specifically to defend their proposal, but at least under their proposal there is going to be a judge who would be making a finding. So I think that
Mr. WATT. What would the finding be though?
Mr. CANADY. A finding with respect to the relevance.
Mr. DIGREGORY. The finding would be that the information that would be obtained from the orders would have to be believed by the judge to be relevant to the ongoing investigation.
Mr. WATT. Why should that be the standard? That is the question I am asking. Why should that be the standard as opposed to having a baseline belief that some criminal conduct is taking place? And if it is, then why wouldn't that be as easy to demonstrate to a judge that you have got an investigation going on? I mean, that is all you are saying: We have an investigation going on. You go in and you march in and you tell the judge that, and then the judge enters an order saying, yes, you have an investigation going on; no probable cause, nothing else.
Page 62 PREV PAGE TOP OF DOC Mr. DIGREGORY. It may be that we can meet the standard that Mr. Canady has proposed by simply saying that I have got an informant, and that informant tells me that Joe Jones is running a gambling business out of his house, and I want a pen register and trap and trace order to begin to corroborate my informant and to begin to establish whether or not I can build a case against Joe Jones. It may be that that is enough.
What I was saying in response to Mr. Canady's question was that as a prosecutor I am not sure what that standard means. I don't think that there is perhaps as much of a difference in what Mr. Canady has related in his legislation with respect to the belief that a crime is being committed and the standard that we have put forward with respect to relevancy to an ongoing criminal investigation.
Ultimately it would all depend, I think, on what a judge requires, but I think one of the reasons we are having this discussion is to try to figure out exactly what is meant by a crime is being committed or will be committed.
Mr. GREEN. But the trade-off is exact. If you set up a probable cause standard to get this kind of information, addressing information, then we will follow that standard, obviously, but we will be less able to protect public safety on-line, and that is the trade-off that the Constitution puts in this Congress.
Mr. CANADY. Well, the gentleman's time has expired. At this point, with the subcommittee's leave, we are going to go out of order and go to the gentleman from Michigan, who has to leave momentarily, but would like to take his 5 minutes now if that is okay.
Page 63 PREV PAGE TOP OF DOC I recognize the gentleman from Michigan.
Mr. CONYERS. Thank you, Mr. Chairman and members.
I will not take 5 minutes. I want to put my statement in the record, with your permission, and commend all the people that have been working on this idea.
[The prepared statement of Mr. Conyers follows:]
PREPARED STATEMENT OF HON. JOHN CONYERS, JR., A REPRESENTATIVE IN CONGRESS FROM THE STATE OF MICHIGAN
There is no denying that the Internet has taken its place alongside the telephone and ''snail'' mail as a central means of communication. So it's no surprise that illegal activities are migrating there as well.
As a result, law enforcement needs tools to intercept unlawful communications by terrorists, cyber-criminals, and others who will use the Internet for illegal conduct in the hope they can conspire in cyberspace without leaving any fingerprints.
At the same time, Americans are becoming wary that they sacrifice their privacy each time they log on to the Internet. And with good reason. While we want to ensure that law enforcement has the tools it needs, we must balance this interest with the Constitution so that individuals retain the privacy they cherish.
Page 64 PREV PAGE TOP OF DOC In July, this subcommittee held a hearing to examine the FBI's use of its new Carnivore electronic surveillance technology. To many of us, the hearing confirmed our fears that our current laws are insufficient to protect constitutional rights and privacy in the Internet age. Therefore, Congress must act now to amend those laws to bring them up to date.
To this end, I'm gratified that my colleagues Chairman Canady and Representative Barr have taken the first steps in drafting legislation to better safeguard the privacy rights of online users. The Administration has also developed a proposal over the course of a year that addresses these issues.
I understand that yesterday the Administration, Chairman Canady and our staffs held a productive meeting. There is a lot of common ground among these three proposals. If the Majority is serious about working with us to craft a good bill, I am committed to working together to reach an agreement on this legislation before Congress adjourns.
Most importantly we need to set clear standards for law enforcement even when it seeks only the most basic identifying information regarding the flow of e-mail trafficthrough what are known as pen register and ''trap and trace'' orders. Rather than a mere executive branch administrative subpoena for such orders, law enforcement should seek judicial sanction for them. On that, I believe there is widespread agreement.
However, I think the Clinton Administration with its keen sensitivity to technology, has made an important point in its draft legislation. Such heightened protection should be ''technology neutral'' and should apply whether a communication is transmitted via the traditional email or some other web transmission.
Page 65 PREV PAGE TOP OF DOC
The Administration has also raised an thoughtful point about technology asking for judicial orders to be enforceable nationwide, rather in just the jurisdiction in which a federal court resides. That is because web traffic often touches down in multiple file servers in multiple jurisdictions prior to landing in its final destination.
Mr. Canady, in my judgement an important question has been raised as to whether there needs to be a statutory requirementto buttress the Constitutional requirementfor suppression in the case of unauthorized eavesdropping of unopened, e-mails. I don't know of many scenarios in which such a statutory addition is needed, but I am open to argument on it.
The bottom line is this. This is an important opportunity for the Congress and for the nation. We can and should protect privacy on the Internet. But the only way we will do it is if we draft legislation in a bipartisan manner that can win administration support. I pledge my willingness to do so.
Mr. CONYERS. I really think you have put together a good witness list. I commend particularly Chairman Canady and Mr. Barr, for working with our staff and our side on this matter. I am happy that our old friend Chuck Schumer was here earlier, and I just wanted to leave one little comment that my staff has impressed on me, and that is that there may be an advantage in having technology-neutral language that should apply whether a communication is transmitted through e-mail or other Web transmission. And the seeking of judicial orders to be enforceable nationwide, I think, has some attraction to myself because the Web traffic often touches down in many file servers.
Page 66 PREV PAGE TOP OF DOC
The other point that would come up, and I hope it will be discussed, has been raised as to whether there needs to be a statutory requirement to buttress the constitutional requirement for suppression in the case of unauthorized eavesdropping of unopened e-mails. I don't know of many scenarios of such a statutory suppression and if an addition is needed, but I will be looking to hear about it. But I think this is an important hearing, and it is plowing into some of that new high tech, never-never land that the Judiciary Committee is uniquely responsible for in our jurisdiction.
So I welcome the witnesses and thank the chairman and return any time left.
Mr. CANADY. Thank you, Mr. Conyers.
The gentleman from Arkansas Mr. Hutchinson is now recognized for 5 minutes.
Mr. HUTCHINSON. Thank you, Mr. Chairman. I appreciate your willingness to continue working with the administration in drafting agreeable language, and I do think there is some agreement.
Following up on the discussion in regard to the standard for a trap and trace device or a pen register, Mr. Green pointed out that there is a trade-off. Presently we have a statutory standard that law enforcement, the Justice Department, is meeting. I think there is a question as to whether that statutory standard should be changed, despite the fact that the Supreme Court has indicated there is no expectation of privacy in that information.
Page 67 PREV PAGE TOP OF DOC
I agree with Mr. Canady that I think the public, regardless of what the Supreme Court says, has some expectation of privacy that who they call and who they receive calls from, those numbers which reveal who the calls are coming from and going to, is confidential.
It is scary to think about someone knowing everybody I call and who I receive calls from without there being an indication that a crime is being committed.
Mr. DiGregory, does that seem reasonable to you, that approach, that view?
Mr. DIGREGORY. It does seem reasonable to me, and it really is a question of
Mr. HUTCHINSON. A trade-off?
Mr. DIGREGORY. Certainly there is a trade-off, but I guess it isand I don't mean to be splitting hairs, or maybe I do mean to be splitting hairs, but I guess it depends on what the difference is between relevant to an ongoing criminal investigation and whether or not a crime has been, is being or will be committed.
Mr. HUTCHINSON. I think there is a huge difference. I mean, one you have got a reasonable indication that a crime is being committed. That certainly merits an investigation and a legitimate public concern versus a law officer's statement that ''I have an ongoing investigation.'' My goodness, there are all kinds of ongoing investigations. That is just real, real broad.
Page 68 PREV PAGE TOP OF DOC
But let me come back to the trade-off question. I want to know if you raise the standard as indicated by this proposed legislation, where is the harm? Tell me how this is going to impact law enforcement. How is it going to impact our crimefighting ability? Tell me where the problems are in this and what is going to be the cost to the public safety issue if we raise the standard.
Mr. DIGREGORY. I don't think that it would becertainly with the standard that is put forth in the administration's proposal would be terribly burdensome
Mr. HUTCHINSON. All that standard is saying is that the court has to satisfy that there is some relevance.
Mr. DIGREGORY. The court has to look at the factual statements submitted by the prosecutor and make a determination that the information that will be made available through the pen register and trap and trace order will be relevant to an ongoing criminal investigation.
Mr. HUTCHINSON. Our standard is ''reasonably indicate that a crime has been or is being committed.'' Now there is the standard that I am speaking of, which is a lower standard than a probable cause standard requiring a wiretap. So we are still making it easier to get this pen register information. So tell me, what is the cost to law enforcement if you impose ''specific articulable facts that reasonably indicate that a crime has been, is being or will be committed.''
Page 69 PREV PAGE TOP OF DOC
Mr. DIGREGORY. It may make it difficult. I am saying it may make it difficult to take that first significant step in an investigation where ultimatelyultimately if you develop your investigation, a title III may be worthwhile in providing information to you. It may be difficult to take that first step to get the pen register or the trap and trace order to determine the to and from, the source and destination information, because as I tried to point out in my example, maybe I didn't do it terribly effectively, what does it mean when somebody comes to me? Does that meet the test that is in H.R. 5018 if somebody comes to me and says, I believe that so and so is operating a gambling business, and he is doing it out of his home and
Mr. HUTCHINSON. Let me suggest to you
Mr. DIGREGORY. Shouldn't I be allowed to take that first step? That is the question. I can't take that under the current standard and under the administration's proposal, I believe.
Mr. HUTCHINSON. I would suggest to youand I request this information. You can review your files and cases. You can talk to the U.S. attorneys and tell me what cases would be impacted. Historically, give me some examples of where an investigation would have been shut down because you were not able to meet this type of standard; and go to the next step, that this standard would have been too high. I think that is what I would like to see that would be helpful to illustrate the potential cost to law enforcement.
Now, let me move on here. Another objection that you raised.
Page 70 PREV PAGE TOP OF DOC
Mr. CANADY. The gentleman's time has expired. The gentleman will have 3 additional minutes.
Mr. HUTCHINSON. Thank you, Mr. Chairman.
You indicate in your testimony what the reporting requirements under H.R. 5018 are greater than required under wiretap authority, and I was readingjust tell me what your view is here, but the staff report states that this section requires the Federal Government to produce annual reports. I guess that is an annual report requirement reflecting virtually identical disclosure requirements the Federal Government must meet regarding the use of electronic wiretaps to intercept telephone conversations. But are these disclosure requirements different than what is required under wiretaps?
Mr. GREEN. They are close. We believe there are a couple of provisions here that are different than the wiretaps, but they are very similar. The difference is we are expecting that the wiretaps are used in very few cases and in veryand are rarely used. We would expect that this statute would be used more often and used in perhaps different times of the investigation so that the impact of these kind of reporting requirements would be greater.
Mr. HUTCHINSON. So the impact of this reporting requirement would be a greater burden on law enforcement, but the reporting requirements themselves are very similar to the reporting requirements required under the wiretap statute.
Page 71 PREV PAGE TOP OF DOC Mr. GREEN. They are very similar.
Mr. HUTCHINSON. Thank you, Mr. Chairman. I yield back.
Mr. WATT. Before he yields back, can I justcould you yield to me?
Mr. HUTCHINSON. Certainly.
Mr. WATT. Because I was struck by what Mr. Green said there. You are saying that your problem with this reporting requirement is that you would use this statutory provision a lot more, which is exactly what our concern is, I think. I mean, that is a scary proposition you just kind of blatantly and casually put on the record, isn't it?
Mr. GREEN. We think over time we will be gettingI mean the standard now, forgetting the content of communications, either in electronic storage or stored by the user's discretion on a remote computing service, over time as more and more crime migrates to online, we will be using this method of getting that content more often.
Mr. WATT. So you are not saying because the standard is lower, you are going to have more; it is because the technology is higher, and more crime is going to migrate.
Mr. GREEN. More crime is migrating online.
Page 72 PREV PAGE TOP OF DOC Mr. WATT. That is fair. Thank you.
Thank you, Mr. Hutchinson.
Mr. CANADY. The gentleman from Virginia Mr. Goodlatte, the cochairman of the Internet Caucus, is recognized.
Mr. GOODLATTE. Thank you, Mr. Chairman. With your permission, I would like to diverge a little bit to a hearing we held some time ago there have been some developments on since then, and Mr. DiGregory might be able to tell us if he can talk about the technical review that Attorney General Reno has recently ordered for the Carnivore program, the reasons for the review, and the time line for it.
Mr. DIGREGORY. The time line, I believeand let me check my notesI believe that the procurement of the bidding period ends today at 5:00, if I understand correctly. The information I have on thatlet meand as I understand it, we hope to have thein the reviews being conducted, as you know, under the leadership of Steve Colgate, who is the Assistant Attorney General for our Justice Management Division. We believe to have a final decision on the membership of the team by September 22nd, and the review should be completed, we hope, by December 1st.
The other part to your question is the purpose of the review. The purpose of the review is to basically have an independent team determine that Carnivore does what the FBI says it does in terms of being able only to capture that information that is mandated by the court order that was obtained, whether it was a pen register or trap and trace or a full-blown title III.
Page 73 PREV PAGE TOP OF DOC
Mr. GOODLATTE. I noted in the news in the last couple of days a number of universities have withdrawn their competition for that program, accusing the description of the review as being essentially a whitewash or a rubber stamp of the program rather than being a truly independent review. I wonder if you would comment on that.
Mr. DIGREGORY. Well, because the procurement period or the bidding period is still open, there is very little that I can say about that, if anything, because I understand that there are laws which prohibit you from discussing or commenting on it. So I would fall back on that, if I could, for the moment. But as I said, that period is supposed to end at 5 this afternoon, as I understand, and if there is more information that you desire about the review, we can try to make available to you or your staff folks from the Justice Management Division and from Steve Colgate's shop to discuss it with you.
Mr. GOODLATTE. If you are still here, we will grab you before.
Can you tell me is the program continuing during this review, or is it suspended?
Mr. DIGREGORY. No, there has been no decision to suspend it, not at all.
Mr. GOODLATTE. Why is that? If there have been so many questions raised about the program, and it is being subjected to this so-called independent review, why won't you suspend the use of it if there is as much concern as there is about the invasion of privacy of law-abiding citizens who are not subject to an investigation?
Page 74 PREV PAGE TOP OF DOC
Mr. DIGREGORY. I understand that there are concerns, and the concerns are the reasons that the Attorney General asked for the independent review to take place. But there are no indications that in the times that Carnivore has been used, and I think that laboratory Director Kerr testified earlier today there have been some 25 times, there is no indication that there has been any abuse and no indication that Carnivore is not doing what the FBI claims it is. It only captures that information which it is permitted to capture under the court order.
Mr. GOODLATTE. In that regard can you tell us whether the program differentiates between data packets to only pull out e-mails, or does it simply pull out packets and then differentiate once they are translated?
Mr. DIGREGORY. What I think the best way to get that question answered would be to have the FBI brief you on that, whether it is Don Kerr or whether it is Marcus Thomas of the FBI laboratory to do that for you. That may beI am not certain, but it may be available in public information at the FBI.
Mr. GOODLATTE. Mr. Chairman, I would ask that they provide that information to the committee since we had held a hearing on this earlier, and I am sure the interest is ongoing. My concern is this: That I believe it is all packets, and if it is indeed all packets, that means that the program could be pulling out voice IP telephony and other data when it is trying to get to e-mails, and that would indeed conflict with existing laws regarding voice traffic and procedures to be followed for wiretapping.
Page 75 PREV PAGE TOP OF DOC So, I think this is a very concerning matter that you are going to continue this program while this review takes place, number one; and number two, if it is as broad-based as I believe it is, I think it is, it may well be outside the bounds of our Constitution.
Mr. DIGREGORY. Just as may be of some help to you, Dr. Kerr testified this morning before the Senate Judiciary Committee, and his testimony is availableI don't know if the FBI has got it on a Website, but it is available, and if you would like, we can try and get a copy over to you that sheds some light on the question.
Mr. GOODLATTE. We would very much like to have that.
[The information referred to follows:]
PREPARED STATEMENT OF DONALD M. KERR, ASSISTANT DIRECTOR, FEDERAL BUREAU OF INVESTIGATION BEFORE THE UNITED STATES SENATE, THE COMMITTEE ON THE JUDICIARY, SEPTEMBER 6, 2000
Good morning, Mr. Chairman and Members of the Committee. I am grateful for this opportunity to discuss with you the FBI's Carnivore systema system specially designed for effectively enforcing the law while at the same time fully complying with the law. Carnivore is a system which we are counting on to help us in critical ways in combating acts of terrorism, espionage, information warfare, hacking, and other serious and violent crimes occurring over the Internet, acts which threaten the security of our Nation and the safety of our people. In my statement, I will touch upon five points: why we need a system like Carnivore; why the public should have confidence that the FBI is lawfully using Carnivore; how Carnivore, as a special purpose electronic surveillance tool, works; why computer network service providers, with whom the FBI always work closely, should not be fearful about Carnivore's use with their networks; and, as an overarching matter, why the public should have trust in the FBI's conduct of electronic surveillance and in its use of the Carnivore system. In addressing these important points, we hope to set the record straight and allay any legal, privacy, network security, and trustworthiness concerns.
Page 76 PREV PAGE TOP OF DOC
WHY DOES THE FBI NEED A SYSTEM LIKE CARNIVORE?
By now, it has become common knowledge that terrorists, spies, hackers, and dangerous criminals are increasingly using computers and computer networks, including the Internet, to carry out their heinous acts. In response to their serious threats to our Nation, to the safety of the American people, to the security of our communications infrastructure, and to the important commercial and private potentialities of a safe, secure, and vibrant Internet, the FBI has responded by concentrating its efforts, including its technological efforts and resources, to fight a broad array of Cyber-crimes.
While the FBI has always, as a first instinct, sought to work cooperatively and closely with computer network service providers, software and equipment manufacturers, and many others to fight these crimes, it also became obvious that the FBI needed its own tools to fight this battle, especially where legal, evidentiary, and investigative imperatives required special purpose tools. One such tool is Carnivore, which I will discuss at length today. However, before discussing Carnivore, it is important to identify and briefly discuss some of the types of Cyber-crime threats which we in law enforcement have been encountering, and will encounter in the future, and concerning which Carnivore, and tools such as Carnivore, are of critical importance to the FBI.
Terrorist groups are increasingly using new information technology (IT) and the Internet to formulate plans, raise funds, spread propaganda, and communicate securely. In his statement on the worldwide threat in the year 2000, Director of Central Intelligence George Tenet testified that terrorist groups, ''including Hezbollah, HAMAS, the Abu Nidal organization, and Bin Laden's al Qa'ida organization are using computerized files, E-mail, and encryption to support their operations.'' As one example, convicted terrorist Ramzi Yousef, the mastermind of the World Trade Center bombing, stored detailed plans to destroy United States airliners on encrypted files on his laptop computer.
Page 77 PREV PAGE TOP OF DOC
Other terrorist groups, such as the Internet Black Tigers (who are reportedly affiliated with the Tamil Tigers), engage in attacks on foreign government websites and E-mail servers. ''Cyber terrorism''the use of Cyber tools to shut down critical national infrastructures (such as energy, telecommunications, transportation, or government operations) for the purpose of coercing or intimidating a government or civilian populationis emerging as a very real threat.
Recently, the FBI uncovered a plot to break into National Guard armories and to steal the armaments and explosives necessary to simultaneously destroy multiple power transmission facilities in the Southern United States. After introducing a cooperating witness into the inner circle of this domestic terrorist group, it became clear that many of the communications of the group were occurring via E-mail. As the investigation closed, computer evidence disclosed that the group was downloading information about Ricin, the third most deadly toxin in the world. Without the fortunate ability to place a person in this group, the need and technological capability to intercept their E-mail communications' content and addressing information would have been imperative, if the FBI were to be able to detect and prevent these acts and successfully prosecute.
Not surprisingly, foreign intelligence services have adapted to using Cyber tools as part of their espionage trade craft. Even as far back as 1986, before the worldwide surge in Internet use, the KGB employed West German hackers to access Department of Defense systems in the well-known ''Cuckoo's Egg'' case. It should not surprise anyone to hear that foreign intelligence services increasingly view the Internet and computer intrusions as useful tools for acquiring sensitive U. S. government and private sector information.
Page 78 PREV PAGE TOP OF DOC
The prospect of ''information warfare'' by foreign militaries against our Nation's critical infrastructures is perhaps the greatest potential Cyber threat to our national security. We know that several foreign nations are developing information warfare doctrine, programs, and capabilities for use against the United States or other nations. Knowing that they cannot match our military might with conventional weapons, nations see Cyber attacks on our critical infrastructures or military operations as a way to hit what they perceive as America's Achilles heelour growing dependence on information technology in government and commercial operations. Two Chinese military officers recently published a book that called for the use of unconventional measures, including the propagation of computer viruses, to counterbalance the military power of the United States. And a Russian official has also commented that an attack on a national infrastructure could, ''by virtue of its catastrophic consequences, completely overlap with the use of [weapons] of mass destruction.''
Child Pornography and Sexual Exploitation of Children:
Through the FBI's ''Innocent Images'' case, and others, it has become abundantly clear that certain adults are using computers and the Internet widely to disseminate child pornography and to entice young children into illegal and often violent sexual activity. Such sexual predators find the Internet to be a well-suited medium to trap unwary children. Since 1995, the FBI has investigated nearly 800 cases involving adults traveling interstate to meet minors for the purpose of illegal sexual relationships, and more than 1850 cases involving persons trading child pornographyalmost all of these involve the exchange of child pornography over the Internet.
Page 79 PREV PAGE TOP OF DOC
One of the most serious criminal threats facing the Nation is the use of the Internet for fraudulent purposes. For example, securities offered over the Internet have added an entirely new dimension to securities fraud investigations. The North American Securities Administrators Association has estimated that Internet-related stock fraud results in a loss to investors of approximately $10 billion per year (or nearly $1 million per hour). In one case, on March 5, 2000, nineteen people were charged in a multimillion-dollar insider trading scheme. At the core of the scheme, the central ''insider'' figure went online and found others in ISP chat rooms. He soon was passing inside information on clients of several brokerage firms to two other individuals in exchange for a percentage of any profits they earned by acting on it. For 2 years, this person passed inside information, communicating almost solely through online chats and instant messages, with the insider receiving $170,000 in kickbacks while his partners made $500,000.
WHY SHOULD THE PUBLIC HAVE CONFIDENCE IN THE FBI'S LAWFUL USE OF CARNIVORE?
There are a number of reasons why the public should have confidence in the FBI's lawful use of Carnivore. First of all, since 1986, with the enactment of the Electronic Communications Privacy Act of 1986 (ECPA), which amended Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (Title III), Congress created statutory legal protection for all types of wire and electronic communications' content, including computer and Internet-based communications' content, consistent with the Constitution. The ECPA also created statutory privacy protection for ''transactional records'' pertaining to an electronic communications provider's provision of services to a customer or subscriber consistent with the Constitution. The term ''transactional records,'' as used here, includes addressing (e.g., in the context of E-mail communications, the ''to'' and ''from'' linesbut not the ''subject'' or ''re'' lines) routing, billing, or other information maintained or generated by the service provider. ''Transactional records'' do not include the content (substance, purport or meaning) of E-mails or other communications. Correspondingly, in the ECPA, Congress regulated all governmental electronic surveillance interceptions of communications' content and all acquisitions of communications addressing and transactional record information consistent with the Constitution. Under the ECPA, all such electronic surveillance efforts require some form of court order, either a full Title III (probable cause-based) court order for obtaining communications' content or an ECPA-created court order based upon relevancy for communications' addressing and transactional record information. Of course, there are ''emergency'' provisions whereby surveillance is permitted to proceed immediately, when high-level Department of Justice authorization is obtained, so long as a court order is filed within 48 hours.
Page 80 PREV PAGE TOP OF DOC
Under Title III, applications for electronic surveillance must demonstrate probable cause and state with particularity and specificity: the offenses being committed, the communications facility regarding which the subject's communications are to be intercepted, a description of the types of conversations to be intercepted, and the identities of the persons committing the offenses and anticipated to be intercepted. Clearly, the criminal electronic surveillance laws focus on gathering hard evidencenot intelligence. Under this law, the FBI cannot, and does not, ''snoop.'' In obedience of the law, the FBI obtains judicial authorization, in terms of always obtaining the appropriate court order required when intercepting wire and electronic communications' content or when acquiring addressing information and transactional record information, or lawful consent, regardless of whether they are occurring over a computer or telecommunications network. The FBI's use of the Carnivore systemapproximately 25 times in the last two yearshas in every case and at all times been pursuant to such a judicially-granted court order or lawful consent. In every case, we only deploy Carnivore after serving a court order on an ISP (or after obtaining lawful consent of a party to the communication) and then only after working closely with the ISP technicians or engineers in installing it. Parenthetically, where the ISP is equipped to fully and properly implement the court order or consensual authorization, the FBI leaves the interception to the ISP and does not rely upon Carnivore. Moreover, if an FBI employee were to attempt to acquire such content or information using Carnivore without obtaining a court order or appropriate consent, it would be a serious violation of the lawa federal felony, thereby subjecting the employee to criminal prosecution, civil liability, and termination. Finally, FBI employees fully understand that the unlawful interception of the content of private communications will lead to the suppression of any and all tainted evidence and any evidence or fruits derived therefrom. In short, the penalties for violating the electronic surveillance laws are so severe as to dissuade any such unlawful behavior, even if someone were so inclined.
Page 81 PREV PAGE TOP OF DOC
Those who have raised legal concerns regarding Carnivore have principally asserted that (1) through its use of Carnivore, the FBI is collecting more information than a given pen register or trap and trace court order permits, or (2) while using Carnivore, the FBI is acquiring more information under such order than that order should lawfully permit.
As to the first assertion (as will be explained in detail below), in many investigative situations (principally those involving pen register or trap and trace court orders), Carnivorefar better than any commercially-available snifferis configurable so as to filter with precision certain electronic computer traffic (i.e., the binary computer code, the fast-flowing streams of O's and 1's) such that, in each case, FBI personnel only receive and see the specified communications addressing information associated with a particular criminal subject's service, concerning which a particular ECPA court order has been authorized. Further, to our knowledge, there are few, if any, electronic surveillance tools that perform like Carnivore, in terms of its being able to be tailored to comply with different court orders, owing to its ability to filter with precision computer code traffic.
In fact, the genesis for some of the technological functionality of Carnivore was the result of the FBI's decision, made in light of privacy and investigative concerns, that prudent practice, with regard to computer network-based electronic surveillance, dictated that the communications' addressing information gleaned through technical equipment the FBI would be using should, to the fullest extent possible, correspond to that information authorized for acquisition and use under law. In this regard, prior to our development of Carnivore, the FBI, consistent with the Constitution and the legal mandate found in 18 U.S.C. 3121, was using ''technology reasonably available to it'' which permitted the acquisition of communications' addressing information, but which necessitated minimization. However, while the technology then available (principally commercial sniffers) worked as well as could be expected, as discussed in greater detail below, such equipment had never been designed as a law enforcement electronic surveillance tool, and hence had shortcomings. Not knowing if, or when, market forces would lead to the development of a law enforcement electronic surveillance tool, the FBI took the initiative. In this context, we want to make sure that both the Congress and the public understand that, in using Carnivore, there is no broad-brush acquisition by either Carnivore or by FBI personnel of the ''contents of the wire or electronic communications'' of all ISP userssuch as to constitute an unauthorized Title III ''intercept.'' Carnivore only intercepts the communications of that particular criminal subject for which a Title III order has been obtained. Similarly, we want everyone to understand that, in using Carnivore, there is no broad brush collection, storage, or review, by either Carnivore or by FBI personnel, of the addressing or transactional information regarding any ISP user beyond that pertaining to the criminal subject's service for which an ECPA court order under 18 U.S.C. 3123 and 18 U.S.C. 2703(c)(d) has been obtained.
Page 82 PREV PAGE TOP OF DOC
As to the second assertion, some have stated that, in their opinion, the FBI is acquiring more information when it uses Carnivore to acquire communications addressing and transactional record information than it should be entitled to under the Constitution or under the ECPA statutory regimes found in Chapters 206 and 121 of Title 18 of the United States Code, and, in particular, under the court order authorities within 18 U.S.C. 3123 and 18 U.S.C. 2703(c)(d). By way of response, and more to the point, it appears that much, if not most, of this contention regarding governmental access to communications addressing and transactional information emanates from concerns about the use of electronic surveillance generally, as opposed to the FBI's use of Carnivore in particular. However, there is little or nothing in law or Federal jurisprudence to support the contention that has been asserted in this regard.
In 1979, the U.S. Supreme Court ruled that, because there was no justifiable or reasonable expectation of privacy in the electronic impulses dialed and transmitted over the telephone lines of a service provider to initiate a telephone call, no Fourth Amendment search or seizure was implicated, and, accordingly, that no legal right or protection regarding governmental acquisition of such information was cognizable or afforded under the Constitution (see, Smith v. Maryland, 442 U.S. 735 (1979). Similarly, the U.S. Supreme Court had earlier found no Constitutional right or protection against the Government's warrantless acquisition of banking information that had been disclosed by a customer to a third party financial institution (see, United States v. Miller, 425 U.S. 435, 442444 (1976)). Hence, then, at least as a matter of Constitutional law, the Supreme Court has found no Constitutional requirement for a probable cause-based warrant in order to acquire transactional records or information that a customer conveys or transmits to third parties such as banks and telephone service providers. In 1986, in enacting the ECPA's Title II and Title III provisions, the Congress was aware of the foregoing Supreme Court rulings and sought to ''create'' new privacy protection in statute to protect a subscriber's communications addressing and transactional record information. Also, just as it intended to afford statutory privacy protection for such information, Congress also created appropriate and commensurate court order authorities for lawful governmental use in acquiring such information. In doing so, Congress made very reasonable, considered, and balanced determinations as to the level of privacy protection that was appropriate for each type of information at issue. Now, although it is true that there have been great changes in computer technology since 1986, the core statutory privacy principles and fault lines applicable to protecting computer-based communications content, on the one hand, and communications addressing information, on the other, as well as to their lawful interception or acquisition, have remained quite stable.
Page 83 PREV PAGE TOP OF DOC
Since 1986, and long before the advent and use of Carnivore, the FBI and many other Federal, State, and local governmental authorities having been lawfully acquiring computer network-based addressing and transactional information from both telecommunications carriers and Internet Service Providers (ISPs) under court order as anticipated by Congress within the ECPA, i.e., the court order authorities set forth within 18 U.S.C. 3123 and 18 U.S.C. 2703(c)(d). Governmental surveillance in this area has proceeded based upon the rightful premise that, with the appropriate ECPA court order(s), each and every type of communications addressing and transactional record information found within telecommunications and computer networks could be lawfully acquired. Since the ECPA was enacted, federal courts throughout the country have consistently authorized ECPA-based court orders applied for by the Department of Justice and the United States Attorneys' Offices, under the authorities set forth within 18 U.S.C. 3123 and 18 U.S.C. 2703(c)(d), with regard to the types of governmental access to and acquisition of computer network addressing information currently being complained of, without finding Constitutional or statutory impediment.
Finally, with specific reference to Carnivore, in the approximately 25 instances wherein its use has occurred, the courts have approved the applications, in terms of what was lawfully obtainable through the federal statutory regime(s) and/or court orders cited above, and in terms of the information which Carnivore, through its filtering, enables FBI personnel to lawfully receive or see under these regimes. In the only case challenging Carnivore's intended use (in a case involving the acquisition of E-mail addressing information under the court order authorities set forth within 18 U.S.C. 2703(c)(d) and 18 U.S.C. 3123), the court sided with the Government, finding that the addressing information to be acquired through the Government's use of Carnivore was no more intrusive than the information acquired through a conventional pen register under 18 U.S.C. 3123.
Page 84 PREV PAGE TOP OF DOC
HOW DOES CARNIVORE WORK, AND WHY THE FBI BELIEVES CARNIVORE IS SUPERIOR FROM A LEGAL, PRIVACY, INVESTIGATIVE, EVIDENTIARY AND TECHNOLOGICAL PERSPECTIVE TO COMMERCIAL SNIFFERS?
Carnivore is a very effective and discriminating special purpose electronic surveillance system. Carnivore is a filtering tool which the FBI has developed to carefully, precisely, and lawfully conduct electronic surveillance of electronic communications occurring over computer networks. In particular, it enables the FBI, in compliance with the Constitution and the Federal electronic surveillance laws, to properly conduct both full communications' content interceptions and pen register and trap and trace investigations to acquire addressing information.
For many electronic surveillance purposes, Carnivore is superior to any commercially-available ''sniffer'' tool which ISP network administrators typically might use for network oversight, management, and trouble-shooting. In the ISP world, such sniffers are the closest thing to what would be considered an electronic surveillance interception device. Such sniffers, however, were never designed or intended to be a special purpose electronic surveillance tool, and therefore they are not best suited to protect the privacy rights afforded by the Constitution or by statute.
It's important to describe the context of when and how Carnivore is used and the way Carnivore works. It's most critical to clearly understand what Carnivore discloses and, more importantly, what it does not disclose to the FBI personnel who use it.
First of all, as emphasized above, Carnivore is only employed when the FBI has a court order (or lawful consent) authorizing a particular type of interception or acquisition regarding a particular criminal subject user, user address, or account number. Second, when an ISP can completely, properly, and securely comply with the court order on its own, the FBI does not need to deploy Carnivore.1 Third, if a decision is made to use Carnivore, the FBI never deploys it without the cooperation and technical assistance of the ISP technicians and/or engineers. Fourth, through working with the ISP, Carnivore is positioned and isolated in the network so as to focus exclusively upon just that small segment of the network traffic where the subject's communications can be funneled. This is roughly analogous to using an electronic surveillance device only within in a single trunk or cable within a telephone network. Stated differently, and contrary to the statements of some critics, Carnivore is not positioned to filter or access ''in a Big Brother mode, all subscriber traffic throughout an ISP network.''
Page 85 PREV PAGE TOP OF DOC
In illustrating its functionality, it is important to understand that Carnivore's filtering operates in stages. Carnivore's first action is to filter a portion of an ISP's high speed network traffic. Specifically, it filters binary codestreams of O's and 1's that flow through an ISP network, for example, at 40 mega-bits per second, and often at much higher speeds. Carnivore operates real time with these speeds. To visualize this, imagine a huge screen containing 40 million O's and 1's flashing by on this screen for one second, and for one second only. Carnivore's first effortentirely within the Carnivore boxis to identify within those 40 million O's and 1's whether the particular identifying information of the criminal subject (for which a court order has been authorized) is there.
If the subject's identifying information is detected, the packets of the subject's communication associated with the identifying information that was detected, and those alone, are segregated for additional filtering or storage. However, it's critically important to understand that all of those 40 million O's and 1's associated with other communications are instantaneously vaporized after that one second. They are totally destroyed; they are not collected, saved, or stored.
Hence, FBI personnel never see any of these 40 million O's and 1's, not even for that one second. Continuing the illustration, if the subject's identifying information is not in that screen, then the next screen of 40 million O's and 1's flashes by at the same rate, and the process described above is repeated in identical fashion until the subject's identifying information is detected.2 After exclusively segregating the subject's information for further machine processing, then a second stage of filtering is employed. At this point, and again all within the Carnivore box, Carnivore checks its programming to see what it should filter and collect for processing. In other words, it determines, as required by the specific wording of the court order, if it's supposed to comprehensively collect communications contentin a full Title III or FISA modeor, alternatively, whether it's only to collect pen register or trap and trace transactional and addressing information. Only information specified in the court order is being collected by Carnivore.
Page 86 PREV PAGE TOP OF DOC
Importantly, this is where some of Carnivore's key legal, evidentiary, and privacy-enhancing features really kick in. To address the particular concerns that have been raised regarding what is filtered and processed, and what FBI personnel see and don't see, its useful to illustrate how Carnivore operates, for example, in a pen register or trap and trace transactional and addressing information mode, pursuant to authorities set forth within 18 U.S.C. 3123 and 18 U.S.C. 2703(c)(d). Under these circumstances, Carnivore only collects transactional and addressing information. It is programmed to filter out all content, including subject line and ''re'' information.
For example, certain pen register or trap and trace orders will authorize collection of simply ''source,'' ''destination,'' date, time, and duration of the message. Others will authorize collection of ''source,'' ''destination,'' ''user account address,'' date, time, and duration. Again, each collection, and the filters being employed, are tailored to a particular court order's authorization.
At this point, an explanation on a more technological and functional level is warranted as to why, with regard to pen register and trap and trace transactional and addressing information usage, Carnivore's use was necessitated by certain privacy, evidentiary, and investigative concerns. Commercially-available sniffers do a very good job in many circumstances of filtering and segregating ISP information, especially in Title III interceptions. However, in other cases, where more stringent legal, evidentiary, and law enforcement investigative requirements exist, many sniffers would collect either too much information, such as collecting all of the information regarding a given criminal subject's account, or, alternatively, fail to collect the authorized information at all.
Page 87 PREV PAGE TOP OF DOC
For example, because of differences and vagaries in network protocols and header addressing information and their implementations by ISPs, collections with these commercial sniffers often do not cut off the header addressing information at the precise point. This can lead to a small amount of a communications' content being included (such as the ''subject line'') which then must be minimized by human review. Hence, resort to commercial sniffers alone under certain circumstances raises privacy concerns and interferes with the FBI's investigative resources. While such sniffer capabilities might suffice for non-law enforcement network administration purposes, it is less than perfect from a law enforcement point of view. Carnivore's development was driven by a need to address such issues.
In another area with significant legal, evidentiary, and investigative ramifications, Carnivore is superior to commercial sniffers. Commercial sniffers are typically designed to work only with fixed IP addresses. Unfortunately, dynamic addressing within ISPs occurs probably in 9899% of the cases. Hence, the use of commercial sniffers, without more, would be ineffective in 9899% of court authorized collections. Carnivore was specifically designed to interface with ISP networks so that when dynamic addressing occurs it can immediately respond to it. Finally, while it is true that other efforts with ISPs can address this problem, this problem is effectively and efficiently resolved technically by Carnivore.
In still another area with significant legal, evidentiary, and investigative ramifications, Carnivore has the ability to filter and collect Simple Mail Transfer Protocol (SMTP) traffic sent to or from a specific user. Most, if not all, commercial sniffers would collect all E-mails and then require a human visual search to find the targeted E-mail. This obviously is wanting from a privacy and operational perspective. Carnivore, on the other hand, has the ability to conduct very surgical acquisitions of only a targeted criminal subject's E-mail.
Page 88 PREV PAGE TOP OF DOC
To repeat, during all the filtering/processing noted above, no FBI personnel are seeing any informationall of the information filtering/processing, and purely in a machine-readable format, is occurring exclusively ''within the box.''
Now, at the end of all the filtering and processing, there, of course, is information that ultimately is collected and stored for human review. Hence, what finally reaches the hands of FBI personnel in every case is simply and only that particular information lawfully authorized by the court orderand no more.
Finally, Carnivore includes another piece of important functionality. For evidentiary purposes, and as an audit history, Carnivore was also designed to append to an event file for each collection the filter configuration that was used in that collection. This information tells the FBI personneland indeed it tells the world, including a court, defense counsel, and a jurywhat mode the device was operating in (what it was programmed to collect), so as to allay any suspicion that more information was being passed along to FBI personnel.
As you know, Rule 901 of the Federal Rules of Evidence requires the authentication of evidence as a precondition for its admissibility. The use of the Carnivore system by the FBI to intercept and store communications establishes, with much less human interaction and without the potential for human error, a trustworthy machine-based memorialization of the evidence. It also establishes a reliable first link in an undisturbed chain of custody, and it facilitates the ease and accuracy of a witness' testimony by permitting the witness to testify as to the retrieval of the evidence and as to the purely technological method by which the evidence was acquired and recorded. Finally, Carnivore is being upgraded by adding an integrity feature which will further demonstrate the authenticity of the information, by imprinting on the evidence the collection mode being used. It thus helps prove authenticity, by demonstrating that no alteration has been made to the filter settings employed or to the information obtained. As an evidentiary matter, such features strengthen showings of ''chain of custody,'' authenticity, and non-alteration.
Page 89 PREV PAGE TOP OF DOC
WHY COMPUTER NETWORK SERVICE PROVIDERS SHOULD NOT BE FEARFUL ABOUT CARNIVORE'S USE WITH THEIR NETWORKS
Notwithstanding assertions to the contrary, the Carnivore system is safe to operate with IP networks. As noted above, Carnivore is only installed in that small segment of the computer network through which the criminal subject's communications traffic will pass. The Carnivore system is connected with the network by a bridging device that physically prevents Carnivore from transmitting into the network. Thus, as a technological certainty, there is absolutely no way it could possibly have any ability to transmit any information or thing into the network.
Importantly, Carnivore is only attached to the network after consultation with, and after obtaining the agreement and assistance of, technical personnel from the ISP. It is worth noting that, to date, the FBI has never installed Carnivore with an ISP's network without first obtaining the assistance of the ISP's technical personnel. The Internet is a highly complex and heterogeneous environment in which to conduct electronic surveillance, and I can assure you that without the technical knowledge of the ISP's personnel, it would be very difficult, and in some instances impossible, for law enforcement agencies to act unilaterally and successfully in implementing such a technical effort. Moreover, the FBI particularly depends upon the ISP personnel to understand the protocols and architecture of their particular networks.
Some critics have also asserted that the use of the Carnivore system introduces significant new vulnerabilities for hacking access. But such assertions miss the mark. With regard to hacking, and considering the hacking methodologies most commonly employed, there would be absolutely no greater qualitative value in trying to use the Carnivore system as an access point than any other access point or node in the Internet, concerning which there are literally millions. Indeed, recognizing that Carnivore is a law enforcement surveillance tool, a hacker's attempted use of it as an access path would be particularly foolish inasmuch as access to Carnivore, as noted above, would never create an actual transmission path into the network.
Page 90 PREV PAGE TOP OF DOC
Lastly, there has been the suggestion, in prior Congressional testimony, that the Carnivore system had caused a network crash or other problems in the network of a particular ISP. Let me emphasize that such a suggestion is simply factually incorrect. In the instance cited, the cause of the network problem (there was no crash)it was in the nature of a network slowdownwas programming steps undertaken exclusively by that ISP's technicians, and entirely on their own.
WHY SHOULD THE PUBLIC HAVE TRUST IN THE FBI'S CONDUCT OF ELECTRONIC SURVEILLANCE, AND, IN PARTICULAR, IN ITS USE OF THE CARNIVORE SYSTEM?
We believe that the American public should have trust in the FBI's conduct of electronic surveillance, principally because it has an outstanding record of lawfully complying with the Federal electronic surveillance laws which the Congress first enacted over thirty years ago, in 1968. Although the assertion of widespread 'illegal FBI wiretapping' is frequently made, and is an article of faith for some, the facts in no way support it. Any careful review of the dockets of the Federal courts offers no support to the assertion of FBI electronic surveillance abuse during these years. Indeed, all FBI electronic surveillance is authorized and carefully supervised by many different ''outside'' entities.
To begin with, in every FBI investigation involving electronic surveillance, all surveillance efforts are approved, monitored, and overseen at each step of the way by both the local United States Attorneys Office and the appropriate U.S. District Court Judge (for Title IIIs) or Magistrate (for ECPA court orders). In surveillance conducted under the Foreign Intelligence Surveillance Act (FISA), FBI surveillance efforts are approved, monitored, and overseen by the Department of Justice's Office of Intelligence Policy and Review, and by the Foreign Intelligence Surveillance Court, respectively. Moreover, before any full-blown Title III or FISA electronic surveillance involving the interception of communications' content is approved, lengthy, multi-layered, and thorough reviews occur both within the FBI and within the Department of Justice, and, as a statutory mandate, high-level Department of Justice approval is required for all such surveillance.
Page 91 PREV PAGE TOP OF DOC
For more than three decades now, FBI electronic surveillance has been closely supervised and monitored by the Department of Justice. There has been no indication of FBI abuse. Indeed, the Department of Justice typically points to the FBI as an agency model with regard to how to carefully and lawfully conduct electronic surveillance.
Aside from Executive and Judicial Branch review of FBI electronic surveillance efforts, the Congress itself exercises frequent and ongoing oversight over the FBI's conduct of electronic surveillance in a number of ways. Year in and year out, numerous Congressional Committees (and their staff) involved in authorizations and appropriations scrutinize FBI expenditures, programs, and even equipment. Committees on the Judiciary and Intelligence frequently hold hearings, such as this, and submit written questions to be addressed by the FBI. Further, since Title III's enactment in 1968, the Congress has revisited the Federal electronic surveillance laws on a number of occasions: in 1978 (FISA), in 1986 (ECPA), and in 1994 (CALEA). And, as the Committee is well aware, each time the Federal electronic surveillance laws are updated there is a substantial subtext to the legislative initiative wherein the Congress considers and reconsiders whether such laws are working well and whether there is any significant indication of abuse such as to warrant the laws' curtailment or modification. However, with each of these pieces of legislation, the Congress has never found or suggested that the law enforcement community, in general, or the FBI, as an agency, in particular, was abusing the electronic surveillance authorities.
Further, in recent years, it has become somewhat commonplace for members of the Congress to request a visit to the FBI's Engineering Research Facility (ERF) to permit themselves and/or their staff to understand FBI surveillance methodologies, etc., better. Beyond these, every year the Administrative Office of the United States Courts sends to the Congress the yearly ''Wiretap Report'' which specifies Federal, State, and local law enforcement's Title III electronic surveillance activities. Likewise, and also pursuant to Federal statute, every year the Department of Justice submits to the Congress a report regarding the use of pen register and traps and traces conducted by law enforcement agency components within the Department. Further, several years ago, as a part of the Anti-terrorism and Effective Death Penalty Act of 1996, the Congress requested a Report from the Department of Justice which was to specifically include a review of any abuse in law enforcement's conduct of electronic surveillance. In the Report submitted by the Department of Justice, it was pointed out that law enforcement errancy in this area was rare, and did not suggest any significant problem. In particular, there was no citation as to abuse by the FBI.
Page 92 PREV PAGE TOP OF DOC
At this point, it may be useful to briefly discuss another vital component in the overall electronic surveillance/Carnivore mix: the FBI personnel who use it.
In this regard, the Committee would truly be missing a significant part of the story if we failed to point out the quality of the FBI personnel involved and the ways in which they perform their tasks. To begin with, to become an FBI employee requires a substantial showing of trustworthiness, lawfulness, and personal and professional integrityall of which must be demonstrated through the conduct of an extensive and very thorough national security-level background investigation. To be sure, the structure of the FBI would quickly collapse if the agency and all of its onboard employees could not trust without reservation its new employees. And the FBI certainly does not recruit honest and law-abiding people only to turn around and employ them in corrupt and dishonest ways. Indeed, in contrast with the requirements placed upon many of the personnel employed by telecommunications and computer network service providers (who may have some role in implementing electronic surveillance orders), all FBI employees are specifically sworn to uphold the Constitution, obey the law, and to faithfully execute the laws of the land.
Of course, and as noted above, it is emphasized to all FBI employees that any type of illegal electronic surveillance would be a serious violation of the lawa federal felony, thereby subjecting the employee to criminal prosecution, civil liability, and termination. Further, FBI employees are made to fully understand that any unlawful surveillance will likely lead to the suppression of any and all tainted evidence and any evidence or fruits derived therefrom. In short, it is made clear that any such unlawful behavior will not be tolerated.
All FBI personnel involved in conducting electronic surveillance are thoroughly and specifically trained about the Federal electronic surveillance laws. This is particularly so for the FBI Technically Trained Agents (TTAs) who receive specialized training in the conduct of electronic surveillance, including legal instruction, at the FBI's Engineering Research Facility (ERF) in Quantico, Virginia. This training weds together the black letter law with the ''hands on'' technical level implementations of electronic surveillance. Moreover, FBI personnel involved in electronic surveillance are involved in ongoing consultation with attorneys from the FBI's Office of the General Counsel, the FBI Field Office's Chief Division Counsel, the Department of Justice, and the Offices of United States Attorneys.
Page 93 PREV PAGE TOP OF DOC
Access to and the use of FBI electronic surveillance equipment is controlled administratively, and usually requires a trained specialist to operate it. Hence, the large pool of FBI Special Agents and support employees never have access to, or competency in the use of, such highly-specialized pieces of surveillance equipment.
In sum, over the last 32 years, the FBI's record of properly conducting court authorized electronic surveillance is a very good oneone that we believe should command the trust of the public and the Congress.
With regard to Carnivore, it is a relatively new electronic surveillance tool, and has only been used within the last two years. Trust in the FBI's use of Carnivore, we believe, should at least in part rest upon the FBI's openness and willingness to discuss this device. Indeed, perhaps the most telling fact about Carnivore, as an electronic surveillance tool, is that, in an unprecedented fashion, the FBI has shared with numerous entities in the public Carnivore's (and/or some of its technical counterparts') purpose and basic functionalitylong before any concerns were raised and before any Congressional hearings were scheduled.
Ironically, the most central fact and aspect of the entire matter has gotten lost: that the FBI has spent a considerable amount of time, money, and energy in developing an electronic surveillance tool with the exclusively laudable purposes of better satisfying the Constitutional standard of particularity, the Title III and ECPA precepts of minimization, as well the legal, privacy-based, and societal concerns associated with careful, precise, and lawful surveillance efforts.
Page 94 PREV PAGE TOP OF DOC As the Committee may be aware, the FBI has briefed a wide-ranging variety of entities: governmental attorneys, leading ISPs, leading Information Technology (IT) companies, leading telecommunications service providers, academic labs, and software manufacturers as to the functionality of the Carnivore system. Hence, if, for the sake of argument, the FBI had ever possessed any untoward intentions, in terms of using Carnivore in a stealthy, illegal, or abusive way, it certainly went about pursuing them in the wrong way. In fact, the FBI's openness with regard to Carnivore should, in and of itself, properly and reasonably instill public confidence and trust, notwithstanding that some of its detractors may disagree with some aspect of Carnivore.
Of course, with regard to Carnivore, the same strict personnel, legal, training, and security practices apply. Further, given that relatively few of these devices are even available throughout the entire FBI, those in existence are under the custody and control of but a few FBI technically-trained personnel.
Finally, the FBI, in concert with the Department, has welcomed a review of the Carnivore system. The FBI believes that when all is said and done the FBI and the Carnivore device will receive a clean bill of health, and thereby hopefully more fully instill public confidence and trust in this important and critically needed investigative tool.
In conclusion, I would like to say that over the last ten years or more, we have witnessed a continuing, steady growth in computer and Internet-related crimes, including extremely serious acts in furtherance of terrorism, espionage, infrastructure attack, as well as the more conventional serious and violent crimes, to include child pornography and exploitation. These activities which have been planned or carried out, in part, using computers and the Internet pose challenges to the U.S. law enforcement community that we dare not fail to meet. In turn, the ability of the law enforcement community to effectively investigate and prevent these serious crimes is, in part, dependant upon our ability to lawfully and effectively intercept and acquire vital evidence of these crimes, and our ability to promptly respond to these harms that so threaten the American public. As the Internet becomes more complex, so too do the challenges placed upon us to keep pace. Without the continued cooperation of our industry partners and important technological innovations such as the Carnivore system, such a task would be futile.
Page 95 PREV PAGE TOP OF DOC
I look forward to working with the Committee staff to provide more information and welcome your suggestions on this important issue. I will be happy to answer any questions that you may have.
Mr. GOODLATTE. Thank you, Mr. Chairman.
Mr. CANADY. Thank you, Mr. Goodlatte.
The gentleman from Georgia Mr. Barr is now recognized.
Mr. BARR. Thank you, Mr. Chairman.
One of our later witnesses, I am stealing a little bit of his thunder here, but I think it is relevant to explain the context. Mr. Corn-Revere, who will be testifying, I think, in the next panel, lays out some very significant figures in terms of the tremendous increase in electronic surveillance applications, intercept applications over the last 10 years, not only in terms of their number increasing, but the type. He says, for example, that prior to 1989, the most common method of surveillance was the telephone wiretap. Now, however, the most common form of surveillance is the electronic wiretap, which includes eavesdropping on devices such as digital display pages, voice pages, cellular phones and e-mail. And I think he is very accurate in talking about not only the tremendous increase in the numbers of applications by the Feds having increased, but also a significant shift in the type of surveillance that is being applied for. That is why we are looking at this.
Page 96 PREV PAGE TOP OF DOC
Would you agree in your heart of hearts, Mr. DiGregory, that the notion ofthat the Supreme Court has used and that the Department of Justice cites whenever questioned about an expectation of privacy, that the notion that there is no reasonable expectation of privacy in an electronic communication is really a judicial myth? People do, in fact, have in the real world a very reasonable economic expectation of privacy, don't they? That is why they use electronic forms of communication.
Mr. DIGREGORY. I wouldn't concede that point with respect to the information.
Mr. BARR. Your testimony doesn't surprise me then, because it really gives very short shrift to that notion.
What kind of cell phone do you use?
Mr. DIGREGORY. Government phone?
Mr. BARR. No, I don't care whether government or private. I suspect that both of them are digital, aren't they?
Mr. DIGREGORY. I am not sure. My wife uses the private phone mostly. I am not sure that it is.
Mr. BARR. So she has an expectation of privacy, and you don't?
Page 97 PREV PAGE TOP OF DOC
The point I am trying to make is technology, in responding to the marketplace, and the marketplace is private citizens in this country, individuals, they do have an expectation of privacy. Whether the Department of Justice concedes it or not, they do. That is why, for example, when you get a cell phone nowadays, people are buying more and more digital cell phones because it does provide a greater degree of protection for the privacy of communications. People do have an expectation and a reasonable one that when they use a form of electronic communication, it is going to be private, and therefore the government ought to satisfy certain minimum level before it can intrude on that.
And really what we are trying to do here is try and get to the bottom of why you all are fighting us so vehemently on such things as using cell phones as tracking devices. You know, in all honesty, to say that more murders are going to be committed if you all can't use cell phones as tracking devices regardless of whether the cell phone itself is being used as an instrumentality of the crime isn't really accurate. I mean, you could use that argument for any new technology. Murders were committed before cell phones, and they will be committed long after we have moved into the next phase of whatever technology there is out there. The Department, I guess, is arguing that despite current law, or perhaps because of current law, which sets a certain standard for a noncellular communication intercept, the Department really does want to use cell phones as a tracking device, and that worries a lot of people.
The example that you cited, for example, I think is a little bit disingenuous also, because would not emergency provisions of the laws and the proposals as well as consent give the government ample opportunity if there is such a scenario as you have described where there is a cell phone at the location where a crime is being committed, even though the cell phone isn't being used for itif a person, if a victim has a cell phone, they certainly are going to give their consent by using it or turning it on so it can be used as a tracking device. So this law, the bill that we are proposing here, would not prohibit the government from using it in that situation, and it could very well be considered an emergency.
Page 98 PREV PAGE TOP OF DOC
So I think really what the government is saying is they want to use cell phones as tracking devices, and I don't think that is consistent with the intent of current law, and I think that it probably would not be consistent with the view of a majority of members of the American public and their Representatives.
We also have some concerns about your opposition to the exclusionary rule. It seems to me what the government is saying, what you are saying today, is that you don't mind extending the exclusionary rule to electronic communications intercepted in real time, but not for stored communications. You know, that creates here anothera sleight of hand and splitting hairs, as I think you said earlier.
If you leave in place an exception to the statutory exclusionary rule for access to stored electronic communications, wouldn't that undermine the position of the government, which I think is that in terms of real-time electronic communications, you support the exclusionary rule? They would just have to wait that one instant when it goes from the actual transmission to stored momentarily, and then you wouldn't be bound by the exclusionary rule.
Mr. CANADY. The gentleman's time is expired. Without objection, the gentleman will have 3 additional minutes.
Mr. BARR. Thank you.
Mr. DIGREGORY. I am sorry, there were lots of questions in there. I can only say
Page 99 PREV PAGE TOP OF DOC
Mr. BARR. Take the last one first specifically on the exclusionary rule. That was the real question that I had. The other, I think, wasn't really a question, just my proposition, after looking at all the evidence and hearing you all's testimony and listening to the FBI, that you all do want to use cell phones as tracking devices. But address the exclusionary rule with regard to not making it applicable to stored communications.
Mr. DIGREGORY. Well, there is still an exclusionary rule in existence if there is a constitutional violation. What we are saying in our testimony is simply that please consider very carefully that when you are extending the exclusionary rule to apply through a statute, just please consider doing that carefully because of that constitutional protection that already exists. If law enforcement
Mr. BARR. But as long as you can do that, you all have no objection to it.
Mr. DIGREGORY. I think it depends on what the final product is. I couldn't commit. But I think you need to consider whether or not you believe that constitutional protection is adequate.
Mr. GREEN. As a broad base, the statutory exclusionary rule of 2515 is very broad-based. It has no good faith exception, for example. So to the extent that there are violations of sectionof section 2703, there are remedies, there are civil remedies proposed by 2707. There are disciplinary remedies, and assumingly for constitutional violations, there could be remedies under the fourth amendment. So we would oppose extending the statutory remedy of 2515 to the nonintercept context of stored data.
Page 100 PREV PAGE TOP OF DOC
Mr. BARR. So what Mr.you are disagreeing with what Mr. DiGregory said. He says basically just please consider this. You are saying you are opposed to it, period.
Mr. GREEN. I don't believe that is what
Mr. BARR. You are opposed to it whether we consider it carefully or not.
Mr. DIGREGORY. I think it is fair to say that we are opposed to any broad-based exclusionary rule.
Mr. BARR. Just disregard that. You all are opposed to that.
Mr. DIGREGORY. I am still saying please consider those things carefully, and we are opposed to a broad-based statutory exclusionary rule, but we would be willing to listen to whatever you propose and review whatever you propose.
Mr. BARR. Abide by it if it is enacted into law.
Mr. DIGREGORY. Certainly.
Mr. BARR. Does the Department of Justice or does the government currently use pen registers or trap and trace devices in preliminary inquiries as opposed to full investigations under the AG guidelines on general crimes, racketeering and domestic security terrorism investigations?
Page 101 PREV PAGE TOP OF DOC
Mr. DIGREGORY. I will have to get back to you on that question. I will have to find out whether or not those things are obtained in what are termed preliminary inquiries. But as you know what the standard is, they have to be relevant to an going criminal investigation.
Mr. BARR. But you don't know the answer.
Mr. DIGREGORY. I do not.
Mr. BARR. Do you, Mr. Green, make use of pen registers, of trap and trace devices in preliminary inquiries?
Mr. GREEN. We can review that and get back to you.
Mr. BARR. Any of the folks that are with you, do they know the answer to that? Nobody knows. Maybe one of the other witnesses will. Thank you.
Mr. CANADY. The gentleman's time has expired.
I will now go to Mr. Nadler. He will be recognized for 5 minutes.
Mr. WATT. Could I just make sure that when this information is provided in response to Mr. Barr's question, that it be provided to the all the members of the committee, because that is just not an inquiry that Mr. Barr is interested in.
Page 102 PREV PAGE TOP OF DOC
Mr. CANADY. It is so requested.
Mr. NADLER. Thank you, Mr. Chairman. First let me apologize for being late to the hearing. The airplane on a 1-hour flight was an hour and a half late. And I ask unanimous consent to submit my opening statement.
Mr. CANADY. Without objection.
[The prepared statement of Mr. Nadler follows:]
PREPARED STATEMENT OF HON. JERROLD NADLER, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF NEW YORK
I want to thank the Chairman for holding hearings on legislation to enhance personal privacy in the Information Age.
I support the notion that employers, at a minimum, ought to inform their employees if they monitor their electronic behavior. I expect there will be strong support for this proposal and I want to commend Senator Schumer for championing this issue and for testifying before us today.
I think Senator Schumer's proposal attempts to address a legitimate fear that is rising across the countrythe loss of personal privacy. Many people feel a growing suspicion that their everyday activities are being monitored without their consent. Whether it be surfing the Internet, emailing friends, or simply buying groceries at the supermarket, no one wants to feel as if they are being watched.
Page 103 PREV PAGE TOP OF DOC
Some of the monitoring may indeed be harmlesslike the tracking of consumption used to improve goods and services. But when you talk about medical records, financial records, or even personal correspondence people expect and deserve much more substantial privacy. Yes, law enforcement needs to be able to fight crime, but they shouldn't have to unduly violate personal privacy to do so.
Some law enforcement professionals argue that people don't really expect much privacy. They don't expect records of whom they called or emailed to be private, they don't expect certain emails left on an AOL server to be private, and they don't expect their email addresses to convey anything more than a phone number does. That is utterly ridiculous!
I don't happen to agree with the members of law enforcement who believe personal privacy doesn't matter. I don't believe the American people would agree with them either. The Fourth Amendment to the Constitution states clearly, ''the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated . . .'' That goes for computer files too. People expect their emails to be private. They expect their computer files to be private. They expect their phone records to be private. And it is up to us to make sure that they are private.
Congress needs to listen carefully to all sides of the debate and act responsibly to protect privacy and public safety at the same time. We cannot allow law enforcement to simply say ''trust us'' as they cull through reams of highly sensitive information of innocent citizens while they search out criminals. Projects like Carnivore should be scrutinized, and efforts to provide a legal justification for Carnivore will not gain much support in Congress. We need institutionalized standards to safeguard privacy.
Page 104 PREV PAGE TOP OF DOC
I will also say that I believe the Supreme Court has failed in its obligation to ensure the Fourth Amendment is not trampled upon. I forsee Congress strongly disagreeing with the Supreme Court over privacy protections. We will not go along with their theories that individuals expect less privacy when it comes to matters of electronic communication, be it email or phone calls. We will not invite distinctions in privacy that don't really exist. For example, Americans don't believe an unread email deserves more protection than one that has been opened and read.
It is time we took action to restore the privacy protections that have already been gutted by the Supreme Court. I look forward to this hearing and working to restore personal privacy protections to the American people. Thank you.
Mr. NADLER. Thank you.
I also apologize in advance. The questions I am about to ask are based on my legislative directors briefing of me as to your testimony, which I haven't read or heard.
Let me ask, you are objecting to one of the bills that expands suppression to cover stored e-mail on the grounds that you don'tif somebody has asked this question, I apologize, tooon the grounds that the people havedon't have an expectation of privacy; that if I read an e-mail on my computer, and I press the switch to save it, not delete it, at that point it is fair game, and I have no expectation that is still private? Is that an accurate summation of what you said?
Page 105 PREV PAGE TOP OF DOC Mr. GREEN. No, I don't believe that is. The testimony, what was talked about in the testimony, was that there is now a statutory suppression remedy in 2515, which is a very harsh statutory remedy that goes beyond that of the fourth amendment.
Mr. NADLER. And says what?
Mr. GREEN. Well
Mr. NADLER. Basically.
Mr. GREEN. It says it cannot be usedno fruits can be used. This has been interpreted by some courts as having no good faith exception.
Mr. NADLER. To what?
Mr. GREEN. No fruits of an illegal intercept.
Mr. NADLER. Isn't that the general law, that no fruits can be used of illegal searches and seizures?
Mr. GREEN. It would depend in part on, for example, if there is a good faith exception, the exclusionary rule is sometimes not applied. There would be no good faith exception under 2515.
Mr. NADLER. Let me say I have always opposed good faith exceptions at all in the fourth amendment search and seizure cases. I think 2515whose bill is that?
Page 106 PREV PAGE TOP OF DOC
Mr. GREEN. 2515 is the statutestatutory suppression remedy.
Mr. NADLER. So you are saying there is no good faith exception to that statute?
Mr. GREEN. It is a very strong exclusionary rule. The questionthe question would be whether we should apply that strong an exclusionary rule for violations of obtaining one type of stored content where that rule wouldn't be applied, for example, of an illegal search of someone's home. That would be
Mr. NADLER. Illegal search of someone's home you wouldn't apply that rule.
Mr. GREEN. You would not. You would apply the constitutional rule of the fourth amendment.
Mr. NADLER. Which is?
Mr. GREEN. Which is an exclusionary rule that in certain circumstances does allow for a good faith exception.
Mr. NADLER. What kind of a good faith exception could you have to an illegal search of my house?
Page 107 PREV PAGE TOP OF DOC
Mr. GREEN. Well, the question would be under if an officer inadvertently violates one of the
Mr. NADLER. Went to the wrong address.
Mr. GREEN. That might be an example of a good faith exception. Or provides wrong information, but does so unintentionally, there may be a good faith exception to not apply the exclusionary rule. So the question
Mr. NADLER. And 2515 applies to e-mails and does not have this exception, which you think it should.
Mr. GREEN. 2515 currently applies only to wire or voice communication. The administration has submitted a bill that would apply 2515 to real-time intercept of the content of e-mails as well as in other ways.
Mr. NADLER. That would apply the harsh exclusionary rule to real-time interceptions.
Mr. GREEN. That is correct.
Mr. NADLER. But it wouldn't apply it to stored e-mail.
Mr. GREEN. That is correct.
Page 108 PREV PAGE TOP OF DOC
Mr. NADLER. Let me ask you why you think there is a distinction between real-time and stored e-mails?
Mr. GREEN. I believe that stored e-mails are more like any other kind of stored information that may be taken from a place where there is a reasonable expectation of privacy. So in that circumstances, and, in fact
Mr. NADLER. Wait a minute. Give me a policy reason why you should distinguish between a real-time intercept of an e-mail and a stored e-mail with respect to the protection you are given. Either way, what is the distinction?
Mr. GREEN. The distinction would be we don't believe that there should be greater protections for a stored e-mail than there would be to a search of your home.
Mr. NADLER. Why should there be a greater protection for a real-time intercept of an e-mail than for a stored e-mail? What is the difference?
Mr. GREEN. What Congress has recognized in the past in passing title III is that the real-time interception of communication is the greater intrusion that you can have, and, therefore, that is why the statutory remedy was
Mr. NADLER. It is a greater intrusion for you to takesee, in an e-mailI don't understand the distinction here. In an e-mail my friend or brother or business associate, whoever sends me an e-mail, it is sitting on my computer. I haven't read it yet. That is a real-time interception if you were to read it now before I read it. Once I read it, and I don't hit the delete button, I hit the save button, now it is stored and then somehow different?
Page 109 PREV PAGE TOP OF DOC
Mr. GREEN. No, the real-time interception would be if I get a title III order, that I would essentially get a duplicate of your e-mail, so I would know as you send it what you sent and what you have received. That would be
Mr. NADLER. Because you are listening in effect.
Mr. GREEN. Yes. And for that we do need a title III order, and the Justice Department has taken the position
Mr. NADLER. Why would I have a greater expectation of privacy on the e-mail as I am receiving it than when I later read it? Why is there a distinction at all? Why should the law treat those two things differently?
Mr. GREEN. I think the law makes a sensible distinction between this real-time interceptive content and all other
Mr. NADLER. But why? Give me a policy reason why you think it is more likely than less likely thatI have less of an expectation of privacy in the one situation or the other. Maybe the law shouldn't make a distinction. Give me a reason why there should be a distinction one way or the other between a real-time e-mail and the e-mail after it has been sent and I haven't yet read it or I have read it and saved it?
Page 110 PREV PAGE TOP OF DOC Mr. CANADY. The gentleman's time has expired. Without objection, the gentleman will have 3 additional minutes.
Mr. BARR. Would the gentleman yield so I could ask him a clarification?
I think the gentleman makes it even worse. I think what we are talking about here is an instantaneous difference between being in transit, which is real time, and being stored, even though instantaneously, with an ISP. The government is drawing an even finer line than the gentleman does. That is what worries me.
Mr. NADLER. Even so, whether it is that line or a later line, give me a rational reason, if you can, why the law should treat any differentlywhy should it treat any differently the e-mail that, as it is going through, the e-mail that went through but I haven't read yet, the e-mail that I went through and I have read yet and is stored because I didn't want to print it out for some reason.
Mr. DIGREGORY. I don't know if this will be a satisfactory answer for you, but whenapparently when the Congress considered whether or not to apply a statutory exclusionary rule to electronic communications, including stored electronic communications, they chose not to. We see that there is an inconsistency in the law with respect to
Mr. NADLER. But ismaybe that was the wrong decision. Excuse me. You are not answering my question.
Page 111 PREV PAGE TOP OF DOC
Mr. DIGREGORY. In electronic communications
Mr. NADLER. Hold on. Excuse me. You are not answering the question. I am not interested in what Congress did. Maybe Congress was wrong. You are asserting that we should maintain that distinction and extend it to a new area. Tell me why such a distinction makes sense in this area? That is all I am asking. Never mind what Congress did or didn't do. Maybe they were wrong 5 years ago whenever they passed it. Just tell me why you thinkwhat is the distinction here? Why does such a distinction make sense?
Mr. GREEN. I think the distinction makes sense because we don't believe thatwe believe that the same protection, the fourth amendment exclusionary rule, that protects papers in your home should protect messages that are stored, and that that is the physical world analogy that makes sense. You have a reasonable expectation of privacy in the papers of your home. If we violate that, the fourth amendment could apply. You have a reasonable expectation of privacy in messages that are being stored in an ISP you haven't read, and if we violate that, the fourth amendment, the Constitution should apply.
Mr. NADLER. I should have a greater reasonable expectation of privacy in the transmission itself?
Mr. DIGREGORY. Again, that is a policy determination that was made with respect to wire and oral communications by the Congress when it imposed the strict statutory exclusionary rule that is contained in 2515 which prohibits the use of that information, good faith.
Page 112 PREV PAGE TOP OF DOC
Mr. NADLER. So I would take from that that although you are not advocating it as a matter of logic, you really support that we shouldn't do that there either.
Let me just ask you this, then, just to clarify. What you are saying in effect is that Congress, for reasons logical or not logical, made a distinction, and during the instantaneous transmission we have a harsh, as you characterize it, statutory protection that goes beyond the fourth amendment protection. The difference is that there is no good faith exception, whereas in stored papers and, you think, in stored e-mails there should be a good faith exception.
Mr. GREEN. That is correct.
Mr. NADLER. And if I don't think there is a good faith exception anywhere, I would naturally oppose what you are suggesting.
Mr. GREEN. That is correct.
Mr. NADLER. Thank you.
Mr. CANADY. Thank you.
Well, weI think everyone hasall the members have participated. We thank you for being here.
We will now move to our next panel, but we will look forward to continued discussions with the Department on these issues, and I reiterate my hope that we can ultimately find at least some common ground, and although we may not be able to fashion something that satisfies everyone's concerns, we may be able to make a step forward in improving on the status quo. And that, I think, is always worth doing if that is possible.
Page 113 PREV PAGE TOP OF DOC
So I thank you, and I ask the members of our third panel to now come forward.
We will now proceed with the third panel. The witnesses on this third panel will focus their comments on two bills, the two bills we have been discussing that would update the Federal surveillance laws, H.R. 5018, which I introduced along with Representative Hutchinson, and H.R. 4908, which was introduced by Representative Barr.
Our first witness on this panel will be Mr. James Dempsey. Mr. Dempsey is senior staff counsel for the Center for Democracy and Technology, where he works on fourth amendment electronic surveillance issues. Prior to joining the center, Mr. Dempsey was the assistant counsel to the House Judiciary Subcommittee on Civil and Constitutional Rights from 1985 to 1994. His primary areas of responsibility were oversight of the Federal Bureau of Investigation, privacy and civil liberties. That subcommittee, of course, was the predecessor of this subcommittee.
Next we will hear from Gregory Nojeim. Mr. Nojeim is legislative counsel for the American Civil Liberties Union, where he specializes in Internet privacy.
Next we will hear from Mr. Robert Corn-Revere. Mr. Corn-Revere is an attorney at Hogan & Hartson specializing in first amendment Internet and communications law. Mr. Corn-Revere is also the coauthor of a three-volume treatise entitled Modern Communications Law.
Page 114 PREV PAGE TOP OF DOC Our final witness on this panel will be Marc Rotenberg, the director of the Electronic Privacy Information Center. Mr. Rotenberg teaches information privacy law at the Georgetown University Law Center. He was recently named to the Advisory Council for the Law, Science and Technology Program at Stanford law school. He is editor of the 1999 Privacy Law Source Book and coeditor of Technology and Privacy, the New Landscape, published by the MIT Press.
I believe that all of our witnesses with the exception of Mr. Rotenberg have recently testified before the subcommittee. I want to welcome you back, and Mr. Rotenberg for the first time we look forward to your testimony.
STATEMENT OF JAMES X. DEMPSEY, SENIOR STAFF COUNSEL, CENTER FOR DEMOCRACY AND TECHNOLOGY
Mr. DEMPSEY. Mr. Chairman and Mr. Watt, thank you very much for holding this hearing. I congratulate you, Mr. Chairman and members of the subcommittee, for having held a successful series of hearings to get us to this point, really going in deeply into these issues.
And it showed today in the questioning of the Justice Department, because many of the points that I wanted to make came out in the questioning.
In my prepared testimony I also express our support for H.R. 4908, the Notice of Electronic Monitoring Act, which you, Mr. Chairman and Mr. Barr, submitted, and which Senator Schumer has cosponsored in the Senate. We support that, strongly, but I will not refer to it further here.
Page 115 PREV PAGE TOP OF DOC
We also support the thrust and intent of the other two bills, which I will focus on, H.R. 5018 and H.R. 4987. These are complementary bills. I think they can easily be melded into a very reasonable and modest, but important piece of legislation.
Let me focus if I could, first, on the pen register question. I would break that down into five issues. The first is the question of whether the judge should act as a true judge, or whether the judge should be a rubber stamp. And on that question, we now have a consensus. The Justice Department agrees that the 1986 standard is not a meaningful standard in any way, that that judge actually needs to make a finding and to actually have discretion to say yes or no to the government request.
The second question, then, is what is the standard? And I really have to say I was astonished to hear Mr. DiGregory say that he didn't know what the reasonable indication standard was, the standard that is in both H.R. 5018 and H.R. 4987, because that standard is directly drawn, practically word for word, from the Attorney General guidelines on general crimes and racketeering and terrorism investigations, the guidelines under which every single component of the Department of Justice lives. The words that are in the legislation''reasonable indication that a crime is being, has been or is about to be committed''is the standard that the Justice Department itself lives under in deciding whether or not to open an investigation in the first place. So I don't see how Mr. DiGregory can say that he doesn't know what that means since that is the Justice Department's own standard.
It is a standard, by the way, that was promulgated by Attorney General William French Smith in the Reagan administration, reconfirmed by Attorney General Thornburgh in 1989, and has been continued in effect throughout the entire Clinton administration under Attorney General Janet Reno. So that is a very clear standard.
Page 116 PREV PAGE TOP OF DOC
And if you look back at the pen register statute, it says that the prosecutor must certify that there is an ongoing investigation. Well, what is the standard for opening an investigation? How can they have one in the first place? There has to be reasonable indication that a crime has been, is being or is about to be committed.
The third issue is does or should the pen register statute apply to Internet communications? The pen register standard was drafted in 1986. It is part of ECPA. But we know that the language of the pen register statute currently refers to ''numbers dialed on the telephone line to which the device is attached.''
The Justice Department has a proposal that would extend the pen register statute to Internet communications, and one of the bills pending before you today would extend it to e-mail addresses. On this issue I actually agree with the Justice Department that a technology-specific approach is not going to be sustainable given the way the technology is changing, and that we are going to have to have a uniform application.
The fourth question, though, becomes the question what does the pen register collect on the Internet, because it is not just numbers dialed. Internet addresses are sometimes expressed in numbers, or computers on the Internet are identified by numbers, but there are e-mail addresses, there are URLs, the House-dot-gov-slash-Canady or House-dot-gov-slash-Judiciary, and those addresses go on and actually identify individual documents. With certain search engines, the URLs will identify your search terms. They will show the specific pages that you have read on the Internet. Having the address, what we would call an address, is as good as having the document.
Page 117 PREV PAGE TOP OF DOC
The Justice Department proposal completely evades that issue. In fact, the Justice Department would sweep in all addressing, signaling, dialing and routing information relevant to a communication, and I don't think anybody knows what that means. And I think that would be throwing the issue wide open again for the government to claim what it wants.
The fifth aspect of this is the question of nationwide service of pen register and trap and trace orders. There is some logic to that, but the Justice Department has absolutely no standards in its proposal. In fact, their proposal would take the pen register order and turn it in every case into, in essence, a blank subpoena. Their proposal would mean that there would be no name, no party to whom the order is directed, but an agent could take it, nationwide, from service provider to service provider, serving it on anybody. I think that is a leap and an expansion that this subcommittee should not be willing to make.
Notwithstanding Congressman Conyers's comments, which are correct, that communications move around on the Internet, there has to be some particularity to the pen register order. Again, getting back to the simple language of the Constitution, the fourth amendment talks about particularity as to the places to be searched.
My time has expired here. I think that the suppression issue has been well dealt with by Mr. Nadler and by others before him. The Justice Department admits that an e-mail seized illegally in real time should be kept out of evidence, and yet they are trying to say that an e-mail illegally seized when it is in storage can be used in evidence, and that is not a meaningful distinction. I think what they are trying to hold onto this notion that information held in storage with a third party is not constitutionally protected. And they say, well, we will rely upon the constitutional protections, but they also maintain that records held by third parties are not constitutionally protected, which means that any fourth amendment rule might not apply there.
Page 118 PREV PAGE TOP OF DOC
I would be happy to address the cell phone location provision, which I think is a long overdue provision, and also address the recordkeeping requirements. But, Mr. Watt, you hit that one out of the ballpark when you said their only explanation for not wanting to report on this is that they do so many of them. And the whole point of getting the reports is to find out how many they do, because we don't have that report now. As the foundation of oversight and accountability, we at least need to have some basic reporting as to what the government is doing seizing e-mails.
So I will leave it there, Mr. Chairman and members of the subcommittee.
Mr. CANADY. Thank you, Mr. Dempsey.
[The prepared statement of Mr. Dempsey follows:]
PREPARED STATEMENT OF JAMES X. DEMPSEY, SENIOR STAFF COUNSEL, CENTER FOR DEMOCRACY AND TECHNOLOGY
Mr. Chairman and members of the Subcommittee, thank you for convening this important hearing. I am pleased to testify on behalf of the Center for Democracy and Technology(see footnote 1) in support of the three privacy-enhancing bills that are the subject of this hearing.
These three bills, H.R. 5018, H.R. 4987, and H.R. 4098, are part of the answer to one of the major concerns of the American public todaythe loss of privacy in the face of new technology. These bills address some of the most egregious and unjustifiable weaknesses in our privacy laws. Yet at the same time, these are modest bills. Wisely, they do not purport to tackle all the privacy issues that face our society today. They address some glaring deficiencies in current law, leaving some harder issues for resolution later. In contrast, the Administration has a very complicated bill that covers some of the same ground, but also goes much farther and has buried in it some provisions that would severely erode privacy. The Administration bill is clearly not ready for Congressional consideration at this time. Given the controversy over Carnivore, and given the overwhelming public sense that government surveillance needs to restrained, not expanded, and that privacy needs to be protected, not eroded, we urge the Subcommittee to focus on these narrow bills.
Page 119 PREV PAGE TOP OF DOC
Also, it must be stressed that nothing in the three bills under consideration today will deny law enforcement agencies the tools they need to fight crime and defend the national security. No law enforcement agency will be prohibited by these bills from locating a criminal suspect or monitoring a terrorist's email. In fact, these bills do not prohibit any form of monitoringall they will do is to set clear and strong privacy guidelines for use of electronic surveillance techniques and require public reporting of surveillance statistics as the foundation of oversight and accountability.
Two of these bills (5018 and 4987) address Fourth Amendment privacy issuesthe rules for government monitoring of electronic communications. They will make important improvements in the enforcement of the Constitutional guarantee against unreasonable searches and seizures. I will deal with these two bills together, for their complementary provisions could easily be combined. The third bill deals with a somewhat different, often ignored issue, privacy in the workplace, and I will explain our support for it separately.
H.R. 5018, ELECTRONIC COMMUNICATIONS PRIVACY ACT OF 2000
H.R. 4987, DIGITAL PRIVACY ACT OF 2000
These two bills address the fact that our privacy laws have become outdated in the face of two developments: the continually growing surveillance potential of communications and computer technologies, and the federal government's expanding use of electronic monitoring and data collection techniques of all kinds. To an important extent, these bills are a response to this Subcommittee's ground-breaking hearing last April on the Fourth Amendment and the Internet. At that hearing, I joined a diverse panel of witnesses from civil liberties organizations, industry and academia who testified that our privacy laws needed to be updated to keep pace with technological change. I pointed out, and several witnesses agreed, that far more information than ever before is available to the government under minimal or inadequate legal standards. The panel agreed that it was time for Congress to strengthen the privacy laws to restore a balance between government surveillance and personal privacy, to build user trust and confidence in these economically vital new media, and to afford both law enforcement agencies and online service providers the clear guidance they deserve. http://www.house.gov/judiciary/con0406.htm.
Page 120 PREV PAGE TOP OF DOC
Last month, this Subcommittee held an equally important hearing on the FBI's Carnivore monitoring program, which specifically illustrated how much information law enforcement claims it is entitled to access under the low, rubber-stamp standard of the pen register statute. http://www.house.gov/judiciary/con07241.htm
It is not necessary today to repeat the details of those earlier hearings; they provide ample support for the two bills before the Subcommittee today. It is sufficient to note that the privacy laws underwent their last major update in 1986 with enactment of the Electronic Communications Privacy Actwell before email, cellular phones, and the World Wide Web became the fixtures of business and personal lives that they are today.
Reporting requirement: The main provision of H.R. 5018 amends section 2703 of Title 18 to require the compilation and publication of annual reports on the extent of government monitoring of private email. This is a long-needed provision, for the information covered is crucial to Congressional and public oversight. In order to evaluate the propriety and usefulness of government surveillance, it is first necessary to understand the extent and consequences of government monitoring, and we cannot do that without some basic facts.
In 1968, when Congress adopted Title III, the wiretap law, it recognized the importance of oversight. It required the Administrative Office (AO) of the United States Courts to compile and publish annually a report on wiretap activity. 18 USC 2519. These reports, which come out around April of each year and which are now available on the AO Web site, offer a wealth of information to Congress, civil liberties organizations, the media and the public. They have shown a steady increase in the number of wiretaps yearly, in the average length of wiretaps, in the number of conversations intercepted per tap, and in the number of persons whose conversations are intercepted per tap. Interestingly, they have shown a significant decrease in the percentage of incriminating conversations per tap.
Page 121 PREV PAGE TOP OF DOC
In 1986, when Congress adopted the Electronic Communications Privacy Act (ECPA), Congress brought real-time interception of email under Title III, so that interception of email is reported under the Title III reporting provisions of section 2519. However, ECPA created an entirely new chapter 121 for government access to email and other electronic communications ''in storage.'' 18 USC 2701 et seq. Section 2703 is the main section setting out the standards for government access to electronic communications in storage. However, Congress did not include a reporting requirement in the stored records chapter.
Access to email under section 2703 does not require many of the strict legal protections of Title III. (The Justice Department has recently proposed lowering the standard for access to some email, certainly not what the American public wants.) And technically, it is often far easier to seize a person's email while it is neatly stored on the server of an ISP than to intercept it in real-time under Title III. Therefore, it turns out, most of the time when the government wants to seize email, it does so not under Title III, but under section 2703. And therefore, no data is ever collected on the amount of email seizures that the government performs, and there is no opportunity for Congressional or public oversight of email surveillance.
Recently, a reporter for USA Today.com, Will Rodger, took the initiative and went out to the local courthouse in Loudon County, Virginia, and searched by hand through the court records. America Online has its headquarters in Loudon County, so government investigators from around the country serve their warrants there to obtain email and other information on AOL customers. Will Rodger found that the number of warrants seeking citizens' online data has soared during the past several years. In 1997, AOL was served with 33 search warrants. That number jumped to 167 in 1998 and 301 in 1999, an increase of more than 800% since 1997. A copy of the Will Rodger story is attached to my testimony.
Page 122 PREV PAGE TOP OF DOC
This kind of journalism is what the First Amendment is all about, but it shouldn't take a reporter culling through local court filings to inform Congress and the public of government actions affecting the privacy of American citizens. And AOL is only one ISP. The records of government seizure of email from other service providers lie in other courthouses around the country. It is time to create a systematic way of compiling this information, so that the same type of oversight can be accorded to email that is now given to telephone conversations.
Section 3 of H.R. 5018 remedies that problem by requiring the compilation and publishing of basic information on the activity of federal, state and local agencies in seizing email and other customer records. The provision is based directly on the reporting requirements of Title III, 18 USC 2519. It assigns to the Administrative Office the coordinating role.
I would note that one change is needed in the bill to address what must be an unintended oversight: in the bill as introduced, the reporting requirement, in what would be a new subparagraph (g)(1), refers only to orders issued under subsection (d) of 2703. This is too narrow, since subsection (d) of 2703 only covers government access to addressing data. Government access to the text of email is covered by subsections (a) and (b) of 2703 and that is the more important category of seizures for which we need reporting. Therefore, the words ''under subsection (d)'' in lines 1617 on page 2 need to be changed to ''under this section.''
Section 2 of H.R. 4987 has a similar goal, but the reporting requirements of H.R. 5018 are more comprehensive in that, like the wiretap law, they require prosecutors to report on the results of seizures of email. We are most likely to get the most useful information by combining reports from the courts with reports from investigators, which is what H.R. 5018 would do. For this reason, we prefer the language of section 3 of H.R. 5018 over the language of section 2 of H.R. 4987.
Page 123 PREV PAGE TOP OF DOC
Barring use of illegally seized email: H.R. 5018 would address a second omission in ECPA, by bringing electronic communications within the scope of the statutory suppression rule of Title III, 18 USC 2515. When Congress adopted Title III in 1968, it established certain protections for interception of communications that went beyond normal Fourth Amendment requirements, to compensate for the fact that contemporaneous notice was not provided and to otherwise address the uniquely intrusive nature of electronic surveillance. Congress then established a statutory suppression rule, to exclude evidence seized in material violation of those protections, which is section 2515. But in 1986, when Congress added the word ''electronic'' to most of the provisions of Title III, it did not do so in section 2515. Section 2 of H.R. 5018 will take the long-overdue step of closing this gap. I note that this is a step supported by the Administration, and also found in H.R. 4987. H.R. 5018 takes an additional step and adds a reference to stored electronic communications disclosed in violation of chapter 121, so it will extend the statutory suppression rule to illegal seizures of email in violation of chapter 121. This is especially important since it is conceivable that the government would argue that there are no Fourth Amendment protections in email, only the statutory protections of ECPA, so it is important to have some consequences for violation of those statutory protections. So in this respect, section 2 of H.R. 5018 is preferable to section 3 of H.R. 4987.
Enhanced Privacy Protections in the Pen Register Statute: Section 4 of H.R. 5018 and section 4 of H.R. 4987 address another defect in existing privacy protections under another electronic surveillance law, namely the lack of adequate privacy safeguards in the pen register and trap and trace statute, 18 USC 3121 et seq. Pen registers and trap and trace devices collect information identifying callsin the case of telephone calls this consists of the numbers dialed on outgoing calls and the number of origin of incoming calls. In ECPA, Congress required a court order for use of a pen register or trap and trace device, but the standard Congress set was ludicrous: the court is required to approve every request by a government official claiming that use of the pen register is ''relevant to an ongoing investigation.'' The judge is a mere rubber stamp.
Page 124 PREV PAGE TOP OF DOC
There is widespread agreement that this standard does not offer any meaningful privacy protection. The Administration supports giving some teeth to the standard. H.R. 5018 and H.R. 4987 are both intended, we believe, to improve the privacy protection accorded to pen register information by requiring the government to actually demonstrate, and the approving judge to actually find, that the information sought is relevant to a criminal investigation.
Section 4 of H.R. 4987 would amend the pen register and trap and trace statute to require a finding that the factual evidence underpinning the government's application for a surveillance order ''reasonably indicates that a crime has been, is being, or will be committed, and information likely to be obtained by such installation and use [of the pen register or trap and trace device] is relevant to the investigation of that crime.'' The reasonable indication standard is a low standard, but at the same time is a very practical and well tested standard. In fact, the reasonable indication standard is the standard used in the Justice Department's guidelines for criminal and terrorist investigations. See ''The Attorney General's Guidelines on General Crimes, Racketeering Enterprise, and Domestic Security/Terrorism Investigations,'' reprinted in FBI Domestic Security Guidelines: Oversight Hearings before the Subcomm. on Civil and Constitutional Rights of the House Comm. on the Judiciary, 98th Cong, 67 (1985). The reasonable indication standard was adopted by Ronald Reagan's Attorney General, William French Smith, in 1983 and reaffirmed by Attorney General Thornburgh in 1989. It has sufficed for all DOJ investigations ever since. So it is the appropriate standard for a judicial finding of justification for use of a pen register or trap and trace device. Pen registers could still be used at the earliest stages of an investigation, but they could not be used for fishing expeditions.
Page 125 PREV PAGE TOP OF DOC We note that the amendment in section 4 of H.R. 5018, which we think has the same basic intent, does not accomplish this purpose as well. H.R. 5018 would raise the standard to reasonable indication, but only with respect to email addresses. First, we think it is unwise in this context to be so technology specific. Singling out email addresses leaves open the question of many other types of Internet addressing information, such as URLs (Uniform Resource Locators, the addresses we use on the World Wide Web). Moreover, H.R. 5018 jumps into the middle of a much larger and yet unresolved debate about the extent to which the pen register statute is appropriate for the Internet at all. At this point, we have not even had a full debate on whether the pen register statute should apply to the Internet and if so what information should be collected and what the standard should be. For these reasons, we prefer section 4 of H.R. 4987 over section 4 of H.R. 5018.
Finally, H.R. 4987 addresses an issue of vital concern to the 60 or 70 million Americans who carry wireless phones with themthe government's ability to turn those cell phones into tracking devices without the knowledge or consent of the user. Everybody agrees that the police, ambulance crews and firefighters need to locate people calling 911 on a wireless phone. The recent case of a kidnapping victim in Northern Virginia who was located and rescued through use of her cell phone when she called 911 is a perfect example of an extremely positive tracking feature. But cell phones also can be used to find a person who is not calling 911, but just making an ordinary call. Recently, the District of Columbia Court of Appeals held that this ability to locate the cell site at the beginning and end of a call is a requirement under the Communications Assistance for Law Enforcement Act. United States Telecomm Assoc. v. United States, No. 991442 (D.C. Cir Aug. 15, 2000). Some if not many cell phone systems have a more intrusive capability, and can be used to track a person's movements without her knowledge or consent whenever the phone is turned on, whether or not she is even making and receiving calls.
Page 126 PREV PAGE TOP OF DOC
Yet what is the standard for government to access location informationwhat legal justification does it take for the government to turn your cell phone into a tracking device? Bizarrely, nobody knows. CALEA says what the standard isn'tit says that that location information cannot be obtained under a mere pen registerbut it doesn't say what the standard is. 47 USC 1002(a)(2). The FBI has claimed at times that 18 USC 2703(d) can be used to compel disclosure of real-time location information, but all of section 2703 clearly applies only to stored records, not to real-time interception. So we have an strange situationthere is a powerful surveillance technology in the hands of the government and the standard for utilizing it is unclear.
Section 6 H.R. 4987 addresses this gap with a simple and clear standard: the government should be able to turn a cell phone into a tracking device only on a showing of probable cause. This is the proper standard, for people carry their cell phones into places where they have a reasonable expectation of privacy. Section 6 also includes an exception for consent. Therefore, nothing in the bill affects the use of location information to locate people who are calling 911, since they are consenting to be found by the mere act of calling the government and asking for assistance. (The Office of Legal Counsel at the Justice Department already has an opinion to that effect.) Nor, it must be stressed, would the bill in any way deny the government the ability to track suspected drug traffickers, kidnappers, or terrorists. It would establish an appropriate standard for use of this highly sensitive technique.
To summarize, we would urge that H.R. 5018 and H.R. 4987 be melded as follows:
Page 127 PREV PAGE TOP OF DOC sec. 2 of H.R. 5018 (exclusionary rule)
sec. 3 of H.R. 5018 (reporting requirements)
sec. 4 of H.R. 4987 (issuance of pen register and trap and trace orders)
sec. 6 of H.R. 4987 (government access to location information)
Administration proposal: I would like to briefly comment on the bill the Administration has sent to the Hill. The Administration draft is very complicated. It contains probably 80 different ''cut-and-bite'' amendments to the electronic surveillance statutes. It is very tedious to figure out what each of these means. We have not yet finished parsing them all. We know that the bill includes some privacy improvements, including some reflected in H.R. 5018. But it also includes other provisions weakening privacy. I will highlight just one. Section 4(b)(7) of the Administration bill will amend 18 USC 2703 to allow an ISP to disclose to the government the contents of communications and subscriber information (and a telephone company to disclose subscriber identifying information and toll records) whenever the service provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person justifies the disclosure. In support of this, the DOJ cites what sounds like a compelling case where a threat against someone's life has been received, but upon reflection, the justification for this type of procedure evaporates. There is no similar exception to the Fourth Amendment; in the most serious emergency situations a warrant is required. In fact, the Federal Rules allow for search warrant to be applied for and issued over the telephone. The Rule in fact allows the judge to direct the agent to sign the judge's name on the warrant. Such procedures are available under 2703. This Administration proposal allows the government to go to any service provider (ISP or telephone company) and claim that there is a life-threatening emergency. Hearing that, any ISP is permitted to disclose any communication and a telephone company is permitted to disclose months of toll records and any other stored information they have. This is really a return to the days when law enforcement officers would ask for all kinds of information and telephone companies and banks and credit card companies would provide it with no subpoena or warrant or court order. It is a huge exception to ECPA and one that is ripe for abuse and collusion.
Page 128 PREV PAGE TOP OF DOC
H.R.4908, THE NOTICE OF ELECTRONIC MONITORING ACT
H.R. 4908, introduced in the House by Chairman Canady and Rep. Barr, is the simplest and most modest of bills, yet it addresses one of the most common and least appreciated forms of electronic surveillancesecret monitoring in the workplace. The bill merely requires employers to tell their employees in advance what types of monitoring they will be subject to. Yet this alone will go a long way to restoring to workers their sense of dignity, which is a large part of the concept of privacy. It is also likely that the mere requirement to give notice will rein in the more intrusive forms of workplace monitoring, as employers will find that some practices cannot withstand even the simple act of open disclosure and acknowledgment.
This bill is necessary because the same computer and communications technology that has reshaped our workplaces, spawning the information economy and improving the productivity of workers, can be used for surreptitious monitoring. Indeed, workplace monitoring has become rampant. More than 73 percent of large U.S. firms monitor the email, computer files, and phone calls of their workers, twice as many as reported doing so in 1997, according to an April 2000 survey by the American Management Association. http://www.amanet.org/research/stats.htm. In many instances, the monitoring technology is installed and used without warning.
In the last year, software has become more advanced, enabling companies to automatically record, filter and sort every word of every email that employees type. See Lisa Guernsey, You've Got Inappropriate Mail; Monitoring of Office E-Mail Is Increasing, New York Times, Apr. 5, 2000, C1. The power of the technology is quite impressive: Cameo, an e-mail monitoring system developed by MicroData Group Inc., is able to search for words and key phrases in documents, and can scan up to 50,000 messages per hour. One workplace monitoring software program is even called ''Little Brother'' by its developer. http://www.kansmen.com/products/lb/index.htm.
Page 129 PREV PAGE TOP OF DOC
H.R. 4908 has a simple response: employers should tell their employees in advance what type of monitoring they will be subject to. To demonstrate the narrow focus of the bill, let me summarize its provisions. The bill requires employers to give to their employees prior notice of electronic monitoring of wire, oral or electronic communications or other computer usage. The bill does not apply to ordinary visual supervisionit applies only to monitoring by electronic means. It covers surveillance techniques such as keystroke monitoring, listening in on telephone calls, hidden microphones to pick up conversations, and programs to monitor email or Web surfing. Notice must be given before the first instance of monitoringwhen the employee is hired or during the first day on the job or when the monitoring practice is first institutedand then once again annually as a reminder. Notice must also be given before an employer implements a material change in its monitoring practices.
The notice must specify the form of communication or computer usage that will be monitored; the means by which monitoring will be accomplished; the kinds of information that will be obtained through such monitoring; the frequency of monitoring; and how information obtained by such monitoring will be used. The notice must be clear and conspicuous. It can be provided in an employee manual, so long as it is not buried. It can be provided on a computer screen, for example, when an employee logs on.
There are some reasonable exceptions: Employers can monitor without notice when they reasonably believe that a particular employee is engaged in conduct that significantly violates the rights of the employer or another person.
The bill establishes significant but not onerous civil damages: $5,000 liquidated damages per violation, but the bill caps the damages at 20,000 per employee and $500,000 per employer. This means for example, that if an employer had violated the act with respect to thousands of employees, it damages would still be limited to $500,000. This is significant, but can hardly be called oppressive for large companies. There are no criminal penalties.
Page 130 PREV PAGE TOP OF DOC
Employers have a justified interest in monitoring their employees and H.R. 4908 would not interfere with any above board employer practice. The bill does not give employees the right to refuse to be monitoredby accepting and continuing employment, an employee consents to the form of monitoring. The bill does not create due process rights for employees to content disciplinary or promotional decisions. The bill's notice requirement is merely a matter of sound management practice. Indeed, the American Management Association, a leading management development organization with approximately 70,000 individual members and 10,000 corporate members, recommends that employers give clear notice of electronic monitoring practices. http://www.amanet.org/research/specials/elecmont.htm
As I noted earlier, the bill does not address all the issues raised by workplace monitoring. It is often said that there are four components of privacy or fair information practices: notice, choice, access and security. H.R. 4908 addresses only the first of these. The bill recognizes that the workplace is different in some respects and that the four components of privacy do not apply there in the same way they do, for example, in the consumer context. It may be that the other elements of privacy need to be addressed in union negotiations or through other avenues. For now though, it should be clear that the notice issue is a pressing one and can be addressed by Congress without limiting employers' authority to supervise and discipline their workers.
We believe there is one oversight in the drafting of the bill that should be addressed, and that has to do with monitoring in the workplace through the use of hidden video cameras. As the bill is currently drafted, it does not cover video cameras that do not pick up sound. Yet there have been some truly egregious cases of employers using hidden cameras to secretly spy on their employees. Consider the following cases from the ACLU's web site: A few years ago, postal workers in New York City were horrified to discover that management had installed video cameras in the restroom stalls. Female workers at a large Northeastern department store discovered a hidden video camera installed in an empty office space that was commonly used as a changing room. Waiters in a large Boston hotel were secretly videotaped dressing and undressing in their locker room. http://www.aclu.org/library/pbr2.html
Page 131 PREV PAGE TOP OF DOC
With the changes we have outlined above, the three bills before the Subcommittee today constitute a modest improvement in privacy protections without in any way denying the government any investigative tools. There are other steps that need to be taken in the future:
Require notice and an opportunity to object when civil subpoenas seek personal information about Internet usage.
Improve the notice requirement under ECPA to ensure that consumers receive notice whenever the government obtains information about their Internet transactions.
Define clearly what transactional information can be collected on Internet communications and under what standard, making it clear that Internet queries are content, which cannot be disclosed without consent or a probable cause order.
Provide enhanced protection for information on networks: probable cause for seizure without prior notice, opportunity to object for subpoena access.
These issues, like the harder issues in the Administration bill, can wait for another day. We have not yet reached consensus on them. For now, the Congress has the opportunity to take some modest steps to improve privacy in the closing days of this session. There will be pressure from the Administration to expand government surveillance authority. We urge you to resist that pressure. All of the evidence shows that the government already has too much power and too much access to private information. We urge you take some modest steps now and later, next year, we can return to a broader package that will balance other privacy protections with law enforcement enhancements.
Page 132 PREV PAGE TOP OF DOC
Mr. CANADY. Mr. Nojeim.
STATEMENT OF GREGORY T. NOJEIM, LEGISLATIVE COUNSEL, AMERICAN CIVIL LIBERTIES UNION
Mr. NOJEIM. I am pleased to testify today on behalf of the ACLU about these three bills that would increase the privacy of electronic and voice communications. As you all know, ACLU is a nonpartisan membership organization with 275,000 members dedicated to protecting the principles of freedom and the Bill of Rights.
Let me cut to the quick. The two billstwo of the bills are very similar, the Electronic Communications Privacy Act and the Digital Privacy Act. They contain three important provisions that are similar. We urge you to take the best of each of the three and add the location information from the Digital Privacy Act and mark up these bills. I think given the testimony that you heard in the previous panel, you could do this tomorrow.
I want to focus on the pen registers first. As Mr. Dempsey pointed out, the standard that is being suggested in the two bills, reasonable indication of criminality is one that has been around for a long time. It appears in the Attorney General guidelines.
The answer to your question, Mr. Barr, about whether the government uses pen register and trap and trace devices in preliminary inquiries should have been no, because they can't use a pen register or trap and trace device unless they have a full investigation pending. That is what the statute currently says. They might not know, though, because they don't ever get challenged on it under current law. There is just a rubber stamp. They don't really have to make a showing about it. The preliminary inquiries are designed to determine whether there is enough evidence to launch a full investigation. So I thought it was telling that the witnesses didn't know the answer to that question, and I sure hope that the answer is no.
Page 133 PREV PAGE TOP OF DOC
The reasonable indication standard comes from the Terry case, whether a law enforcement official has enough evidence to stop a person and demand ID. They callthe language in that case was whether the facts reasonably indicate thatwhat was the language? I don't have the exact language. It is the reasonable indication standard. It comes from the Terry case.
We believe that the Electronic Communications Privacy Act, which extends the reasonable indication standard only to e-mail addresses, is not the appropriate approach, but rather that that standard ought to be imposed for pen register and trap and trace across the board.
A lot of time was spent discussing the statutory exclusionary rule. The differences between the statutory exclusionary rule for electronic surveillance and the constitutional exclusionary rule relate to what they cover. The statutory exclusionary rule can apply in administrative proceedings. It can apply in grand jury proceedings. The constitutional exclusionary rule doesn't. The other big difference is, as the previous panel indicated, the good faith exception. There is no good faith exception to the statutory exclusionary rule for wiretapping.
It was also astounding to hear the government argue that the statutory exclusionary rule ought to be extended to real-time e-mail communications, electronic communications, but not to stored communications. In reality, if a person was evil, acting evilly, and they were a law enforcement official, and they wanted to violate the law, all they would have to do is wait an instant until the communication was stored and then illegally obtain it. Then they wouldthey would avoid the statutory exclusionary rule. That doesn't make much sense as a way to encourage compliance with the law.
Page 134 PREV PAGE TOP OF DOC
Finally, the interception of voice and electronic communications in transit must already be reported under current law. Both bills extend to stored electronic communications such as e-mail the requirement for annual reporting about the disclosure of such information to law enforcement pursuant to a court order.
To prevent underreporting, we urge the subcommittee to ensure that disclosure of such communications be regardlessbe reported regardless of whether the disclosure was made pursuant to a court order warrant or subpoena on location information. Currently the government gets location information under section 2703(d) of title 18. That section talks about only stored information. So it is kind of not consistent with the theme of that section to allow for location information to be provided in real time.
We believe that cell phones should not become tracking devices, and that the better approach is to prohibit law enforcement access to location information altogether, but if access to this information is to be granted, given its sensitivity, probable cause should be required.
That concludes my statement. Thank you.
Mr. CANADY. Thank you Mr. Nojeim.
[The prepared statement of Nojeim follows:]
PREPARED STATEMENT OF GREGORY T. NOJEIM, LEGISLATIVE COUNSEL, AMERICAN CIVIL LIBERTIES UNION
Page 135 PREV PAGE TOP OF DOC
The ACLU applauds the Subcommittee for conducting the hearings and supports the intent of each bill to increase the privacy of electronic communications. Electronic surveillance is at record levels, and law enforcement officials intercept approximately two million innocent conversations each year. The legislation could have the effect of focusing law enforcement efforts on those communications more likely to involve criminal activity.
The three bills the Subcommittee considers today are modest. None of them directly address the FBI's Carnivore program, about which the Subcommittee conducted hearings on July 24. Under this program, the Bureau obtains access to all, or to a substantial part of, the electronic communications of the customers of a particular Internet Service Provider in order to intercept the communications of a particular target. Congress should outlaw Carnivore and any similar approach to electronic surveillance this year.
The ''Electronic Communications Privacy Act'' (H.R. 5018) and the ''Digital Privacy Act'' (H.R. 4987) include many similar provisions, and the best of each should appear in the bill that the Subcommittee ultimately adopts. These provisions include:
Increased Reporting Requirements. Both bills would extend to stored electronic communications, such as e-mail, the requirement that the Administrative Office of the United States Courts report annually about the disclosure of such communications to law enforcement pursuant to a court order. The interception of voice communications and electronic communications in transit must already be reported under 18 U.S.C. 2519. Unlike H.R. 4987, H.R. 5018 fails to explicitly extend the reporting requirements to electronic communications disclosed by an Internet Service Provider to law enforcement in response to a subpoena or warrant. To prevent under-reporting, we urge the Subcommittee to ensure that disclosure of such communications to law enforcement be reported regardless of whether they are disclosed pursuant to a court order, warrant or subpoena.
Page 136 PREV PAGE TOP OF DOC
Extension of Statutory Exclusionary Rule. Both bills strengthen the statutory exclusionary rule and would thereby encourage law enforcement officials to comply with the electronic surveillance laws. Current law provides that illegally intercepted voice communications cannot be used in court or in agency hearings. 18 U.S.C. 2515. This statutory provision supplements the exclusionary rule created by the courts to help ensure law enforcement compliance with the Fourth Amendment with respect to both physical searches and electronic surveillance. The statutory exclusionary rule for electronic surveillance is more comprehensive than the Fourth Amendment-inspired rule in at least two ways: (i) there is no ''good faith'' exception to the statutory exclusionary rule; and (ii) the statutory exclusionary rule can apply in non-criminal cases, including administrative hearings. Both bills would extend the statutory exclusionary rule to electronic communications in transit. The Administration has proposed a similar extension. H.R. 5018 also extends the statutory exclusionary rule to stored electronic communicationsan improvement to the approach in H.R. 4987 that we hope the Subcommittee will support.
Strengthened Standards for Pen Register and Trap and Trace Orders. A pen register records telephone numbers dialed from a telephone. A trap and trace device acts like caller ID, and records the phone numbers of incoming calls. Under current law, the standard for obtaining a court order authorizing placement of a pen register or trap and trace device is extremely low. The statute provides that the court shall issue an order authorizing the placement of a pen register or trap and trace device whenever any attorney for the Government or an investigative officer merely certifies in an ex parte proceeding that information likely to be obtained is relevant to an ongoing criminal investigation. 18 U.S.C. 3123. The court acts as a rubber stamp, instead of as an impartial check on law enforcement.
Page 137 PREV PAGE TOP OF DOC
Reasonable Indication of Criminality Standard. H.R. 4987 would strengthen the standards for issuing pen register or trap and trace orders for by requiring a finding that factual evidence ''reasonably indicates'' that a crime has been, is being, or will be committed, and information likely to be obtained by such installation is relevant to an investigation of that crime. We favor this approach. The ''reasonable indication'' standard is not new, is substantially less than full ''probable cause,'' and the courts should have no problem applying it. This level of suspicion is already required before a law enforcement officer on the streets can stop a person, demand ID, and conduct a limited pat down search to ensure officer safety. Moreover, the Department of Justice should have no objection to this standard either: it already requires a similar finding by law enforcement officials before a full criminal investigation (as opposed to a preliminary inquiry) can be even be conducted, and a pen register or trap and trace order sought under current law. Section II(c)(1) of The Attorney General's Guidelines on General Crimes, Racketeering Enterprise and Domestic Security/Terrorism Investigations provides in relevant part: ''A general crimes investigation may be initiated by the FBI when facts or circumstances reasonably indicate that a federal crime has been, is being, or will be committed.''
Applying the Reasonable Suspicion Standard to E-mail Addresses. Unlike H.R. 4987, H.R. 5018 would expand electronic surveillance by explicitly authorizing access to e-mail address information under the ''reasonable suspicion'' standard discussed above. The bill would also leave in place the extremely low standards for issuing a pen register or trap and trace order for voice communications. We oppose this approach, and will oppose the bill if this provision (Section 4) remains in the legislation. Though it has no statutory authority to do so, the FBI seeks e-mail address information under the pen register and trap and trace provisions in current law. It does thiswith some successeven though those provisions allow access only to ''numbers dialed'' and e-mail addresses usually include letters and are not ''dialed.'' A standard lower than probable cause is inappropriate because e-mail address information is more revealing than are the numbers dialed on a telephone. We urge the Subcommittee to take up this issue in the next Congress, and to reject Section 4 of H.R. 5018 and instead favor Section 4 of H.R. 4987. That would have the effect of affording a higher standard of protection for pen register and trap and trace information, and deferring for the time being the question about whether that standard is appropriate for e-mail addresses and other electronic communications such as clickstream data.
Page 138 PREV PAGE TOP OF DOC
Access To Location Information. H.R. 4987 would require a court order based on probable cause before law enforcement could obtain access to location information generated in connection with the use of a cellular telephone. Currently, law enforcement obtains location information under 18 U.S.C. 2703(d). This section allows access to some information without probable cause. We believe that cell phones ought not become tracking devices, and that the better approach is to prohibit law enforcement access to location information altogether. However, if access to this information is to be granted, probable cause should be required.
Notification of Electronic Surveillance of Employees. The ACLU supports H.R. 4908 as a modest down payment on what needs to be done to protect privacy in work place. The bill would require employers to notify employees annually of their policies regarding electronic surveillance of employees, including their E-mail, Internet use and telephone calls. This modest proposal does not give employees a right to block monitoring. It provides for notice only, and for a private right of action should an employer engage in the monitoring of communications and computer use in a manner inconsistent with its notice. We urge the Subcommittee to strengthen the notice requirements to ensure that they preclude generalized notices that fail to provide adequate information to employees about how they may be monitored.
Mr. CANADY. Mr. Corn-Revere.
STATEMENT OF ROBERT CORN-REVERE, ATTORNEY, HOGAN & HARTSON L.L.P., WASHINGTON, DC
Mr. CORN-REVERE. Mr. Chairman, members of the subcommittee, thank you for inviting me to testify on these important legislative proposals. The views I express today are mine alone. I am not testifying on behalf of any client.
Page 139 PREV PAGE TOP OF DOC
These hearings today, as the two before it, are timely. First, as Congressman Barr earlier recognized, there has been a general increase in the level of electronic surveillance. Consequently, there should be more publicly compiled information to help ensure accountability in its use.
The distressing lack of information about Carnivore addressed by this subcommittee in this and the two previous hearings has served as a wake-up call in this regard. For example, despite the increasing focus by investigating authorities on Internet surveillance, the law currently does not require compilation of statistics on the number of court-ordered warrants or subpoenas issued to acquire stored electronic data or subscriber records under 18 U.S.C. section 2703. In addition, despite the fact that the Department of Justice obtains about nine times as many pen register and trap and trace orders each year as there are title III intercepts authorized for all Federal agencies combined, current law does not require a detailed accounting of their use.
Mr. DiGregory testified that reporting requirements in the proposed bills would be burdensome, and Mr. Green testified further that this is because the amount of use of that part of the statute is the reason such requirements would be burdensome. But this is the point. As both Congressman Watt and Mr. Dempsey pointed out earlier, the more surveillance technology is used, the greater the public's interest in accountability. The very reason that the government wants to rely more on these sections is the reason why there should be greater reporting requirements, as the proposed legislation recognizes.
In addition to information requirements, it is vitally important to strengthen the privacy protections governing electronic surveillance to protect the reasonable privacy expectations of the American public, as patterns of communications evolve. The assumptions made by the Supreme Court more than 2 decades ago, that pen registers do not reveal private information, simply are no longer correct.
Page 140 PREV PAGE TOP OF DOC
Now, Mr. DiGregory cited the Supreme Court precedents and said that they establish the premise from which we must begin, because they are the law. But the very assumptions expressed in those Supreme Court opinions, that pen registers only obtain sending and receiving information, certainly are no longer true. The public's use of communications technologies has vastly changed. The capabilities for compiling information based on ''digits dialed'' is far different and far more intrusive than it was in 1977 and 1978. The D.C. Circuit in United States Telecom Association v. the FCC, on August 15th, recognized this fact when it struck down several of the FCC's provisions adopted to implement the Communications Assistance for Law Enforcement Act. It required carriers to provide all ''dialed digits'' in response to a pen register order, and the court said that this FCC decision failed to protect the privacy and security of communications not authorized to be intercepted. It pointed out that ''digits dialed'' include things like passwords for voice mail, prescription drug numbers that are entered by telephone, banking information, paging messages and so on. Similarly, the analogy between Internet surveillance and traditional pen registers and trap and trace devices is strained at best given the vast amounts of personal data that may be available on the Internet. This subcommittee should carefully consider whether this model is appropriate for Internet surveillance.
Finally, during his earlier testimony Mr. Green claimed that there is a direct trade-off between protecting privacy and the needs of law enforcement. He said that if there is a higher standard for privacy, it will affect public safety. But as the D.C. Circuit commented when it struck down the CALEA requirements in the United States Telecom decision, ''any privacy protections burden law enforcement to some extent.'' The court nevertheless found that ''the FCC orders failed to take appropriate consideration of the statutory privacy considerations that were written into CALEA.''
Page 141 PREV PAGE TOP OF DOC
The same is true here with respect to the fourth amendment considerations that apply to the Internet and the pen register issue.
The two bills that have been put forward, H.R. 5018 and 4987, generally represent a step in the right direction toward increasing accountability and strengthening the requirements for acquiring surveillance orders. There have been a few points that have been made about the bills that require some adjustment in the legislation. For example, it would be sensible to make the language technology neutral, and a carefully drafted emergency exception may make some sense, so long as it is carefully drafted. But the overall thrust of both bills, to increase accountability by increasing information about surveillance and to heighten the standard for acquiring a pen register, makes a great deal of sense.
Now, since the government has already asserted authority to implement pen register and trap and trace devices for e-mail information, the proposed language already represents stronger protection for privacy than currently exists. But at the same time I think the subcommittee should carefully consider whether it should ratify extending the pen register regime to intercept of Internet communication even if the technologies used for this surveillance are designed to be restrictive or tailored to certain information.
One possible approach to this problem might be as follows: If the government is seeking an order requiring an Internet service provider to disclose only ''to'' and ''from'' addressing information regarding a subscriber's use of the service, the current standard, the heightened standard under section 2703 of the Electronic Communications Privacy Act, for stored data would suffice. This language is picked up in H.R. 5018. However, when the government seeks to install a device, such as Carnivore, at an Internet service provider to intercept and filter traffic flow as part of its proposed use of a pen register, it should obtain an order pursuant to the more stringent probable cause requirements of title III.
Page 142 PREV PAGE TOP OF DOC
Finally, with respect to reporting requirements, the subcommittee should consider expanding the requirements with regard to pen register and trap and trace devices to include the same details that are currently provided as part of the annual wiretap report. And in addition, where new sophisticated technologies such as Carnivore are used to implement pen registers, that fact should be reported and highlighted in the annual report.
I will leave the rest of my discussion of the specific legislation to my written testimony. I applaud the subcommittee's efforts and will be ready to answer any questions you might have.
Mr. CANADY. Thank you, Mr. Corn-Revere.
[The prepared statement of Mr. Corn-Revere follows:]
PREPARED STATEMENT OF ROBERT CORN-REVERE, ATTORNEY, HOGAN & HARTSON L.L.P., WASHINGTON, DC
Mr. Chairman, and Members of the Subcommittee. Thank you for inviting me to testify on these significant legislative proposals. The views I express today are mine alone; I am not testifying on behalf of any client.(see footnote 2) My testimony will focus principally on H.R. 5018, the Electronic Communications Privacy Act of 2000 and H.R. 4987, the Digital Privacy Act of 2000.
This hearing, and the legislative proposals that prompted it, come at an opportune time because the amount of electronic surveillance conducted on U.S. citizens is increasing steadily. The 1999 Wiretap Report, issued annually by the Administrative Office of the U.S. Courts, reported last May that the number of federal intercept applications increased 94 percent between 1989 and 1999.(see footnote 3) In 1999, there were 601 federal intercept orders issued, and 749 orders at the state and local level.(see footnote 4) Not only is the number of surveillance orders increasing, the type of surveillance being authorized is changing as well. Prior to 1998, the most common method of surveillance was the telephone wiretap. Now, however, the most common form of surveillance is the electronic wiretap, which includes eavesdropping on devices such as digital display pagers, voice pagers, cellular phones and email.(see footnote 5) Most notably, this type of electronic surveillance showed the largest rise among the reported categories, with a 17 percent increase from 1998 to 1999. Such trends tend to heighten concerns about the development of new sophisticated forms of surveillance, such as Carnivore, which this Subcommittee already has begun to investigate.
Page 143 PREV PAGE TOP OF DOC
The growth of electronic surveillance of newer technologies such as email is particularly significant as people increasingly lead much of their lives online. Accordingly, the privacy issues facing us now are of a far different magnitude than when Congress first adopted the Omnibus Crime Control and Safe Streets Act in 1968 or when it updated the law in 1986 to include electronic communications through passage of the Electronic Communications Privacy Act (''ECPA''). A growing number of U.S. citizens send (and store) sensitive personal and business correspondence, consult confidential databases relating to personal finances or health, shop, read and/or buy magazines and books, browse websites for information and entertainment, and a host of other uses too numerous to list. The Internet revolution has altered the calculus for what may be considered a reasonable expectation of privacy.
This is particularly true for the type of surveillance conducted by pen registers and trap and trace devices, generally considered to be the least intrusive form of eavesdropping. Such devices historically could obtain only the phone numbers dialed on a target's telephone and the phone numbers of incoming callers, and consequently were subject to the least rigorous legal proscriptions. The Supreme Court previously found that individuals do not have a reasonable expectation of privacy in the information that could be gathered by such means, noting that ''pen registers do not acquire the contents of communications.'' Smith v. Maryland, 442 U.S. 735, 742 (1979). The Court emphasized that ''[n]either the purport of any communication between the caller and the recipient of the call, their identities, nor whether the call was even completed is disclosed by pen registers.'' United States v. New York Tel. Co., 434 U.S. 159, 167 (1977). Federal law has imposed some procedural protections in this area, but they are minimal. The law provides that a court ''shall enter an ex parte order authorizing the installation and use of a pen register or trap and trace device'' where a law enforcement officer certifies that the ''information likely to be obtained is relevant to an ongoing criminal investigation.''(see footnote 6)
Page 144 PREV PAGE TOP OF DOC
The debates over Carnivore and Internet surveillance generally have focused attention on the question of what privacy expectations should be considered ''reasonable'' and provided greater legal protection. A recent decision by the United States Court of Appeals for the District of Columbia Circuit highlights this issue. In United States Telecom Ass'n. v. FCC, 2000 WL 1059852 (Aug. 15, 2000), the D.C. Circuit vacated portions of an FCC order that required telecommunications providers to implement certain advanced surveillance capabilities pursuant to the Communications Assistance for Law Enforcement Act of 1994 (''CALEA''). The court held that the FCC had given insufficient weight to CALEA's requirement that, in requiring carriers to provide all ''dialed digits'' in response to a pen register order, the Commission ''protect the privacy and security of communications not authorized to be intercepted.''(see footnote 7) The court noted that:
Post-cut-through dialed digits can also represent call content. For example, subjects calling automated banking services enter account numbers. When calling voicemail systems, they enter passwords. When calling pagers, they dial digits that convey actual messages. And when calling pharmacies to renew prescriptions, they enter prescription numbers.
Id. at *12.
Similar privacy concerns apply to electronic surveillance of Internet communications. Any analogy between Internet surveillance and traditional pen registers or trap and trace devices is strained at best, given the vast amounts of personal data that may be available on the Internet. The Supreme Court's understanding over two decades ago that a pen register cannot obtain either the identities of those engaged in communication or whether a ''call'' was ''completed'' is outmoded in an age of email where email addresses often contain the names of the parties and where there is no question about whether the message was delivered to the recipient's mailbox. Additionally, where technologies such as Carnivore can obtain (in its pen register mode) the numbers associated with FTP logins, the information collected implicates some of the privacy concerns that troubled the court in U.S. Telecom Ass'n.(see footnote 8) Even more significantly, electronic surveillance on packet-switched networks, such as the Internet, is potentially far more intrusive than that conducted on circuit switched networks, such as the traditional telephone system. Because of these differences, it is appropriate to recognize a reasonable expectation of privacy in such information and to establish a higher evidentiary threshold to obtain a surveillance order than currently exists.
Page 145 PREV PAGE TOP OF DOC
In this regard, H.R. 5018 and H.R. 4987 represent a step in the right direction. Accountability regarding the use of electronic surveillance has been a critical part of the current law, and the annual wiretap reports mentioned earlier play an important role in monitoring its use. However, there have been gaps in the reporting requirements that both bills address. Section 3 of H.R. 5018 and Section 2 of H.R. 4987 would require inclusion in the annual wiretap reports of data regarding government acquisition of stored data, such as email. Without such a requirement it is virtually impossible to obtain a comprehensive picture of the current extent of electronic surveillance. Moreover, since government increasingly is seeking to obtain information regarding email it is only appropriate to expand the reporting requirements accordingly.
The Subcommittee might also consider expanding the reporting requirements regarding the use of pen registers and trap and trace devices. Although the Attorney General is required pursuant to 18 U.S.C. §3126 to report annually to Congress on the raw number of pen register and trap and trace devices applied for by DOJ, the reports include none of the details that must be included in the annual wiretap report, nor is the report to Congress included in the wiretap report. In addition, where new, sophisticated technologies, such as Carnivore, are used to implement pen registers, that fact should be reported and highlighted in the annual report. Such information is important to ensure accountability, since Carnivore can be modified while it is in use to intercept far more information than could ever be authorized by a pen register order. Another possible requirement would be to notify the target of the investigation after the order has expired and before any information may be used at trial, as currently required under 18 U.S.C. §2518(9) for Title III interceptions.
Page 146 PREV PAGE TOP OF DOC H.R. 5018 and H.R. 4987 also would create a stricter standard for the issuance of orders authorizing the use of pen registers and trap and trace devices. In contrast to the current certification of ''relevance'' to an ongoing criminal investigation, Section 4 of H.R. 5018 and Section 4 of H.R. 4987 would require a showing of factual evidence before an order may be issued. In this regard, I think the proposed language of H.R. 5018 is superior because it requires a showing of ''specific and articulable facts [that] reasonably indicate that a crime has been, is being, or will be committed, and information likely to be obtained by such installation and use is relevant to an investigation of that crime.'' This evidentiary requirement tracks the current standard for a court order authorizing the acquisition of stored electronic data under 18 U.S.C. §2703(d).
Other provisions of H.R. 4987, which are not contained in H.R. 5018, would enhance privacy protections and I think are worthy of serious consideration. Section 5 of H.R. 4987 would expand from 6 months to one year the period that stored data would be considered in short term storage. This would mean that requests to acquire the contents of such data would be required to be supported by a warrant rather than a court order. In addition, Section 6 of H.R. 4987 would require a court order in order to obtain the physical location of a telecommunication subscriber. Such court order would be issued only upon a showing of probable cause to believe that the equipment has been or will be used to commit a felony.
The history of electronic surveillance law in the United States has involved a continuing effort to reconcile the needs of law enforcement with the Fourth Amendment imperative of protecting individual privacy. In my opinion, the proposals contained in H.R. 5018 and H.R. 4987 would help restore the balance between legitimate law enforcement interests and the need to protect the privacy of U.S. citizens.
Page 147 PREV PAGE TOP OF DOC
Mr. CANADY. Mr. Rotenberg.
STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC PRIVACY INFORMATION CENTER
Mr. ROTENBERG. Thank you very much, Mr. Chairman, members of the subcommittee. My name is Marc Rotenberg, and I am executive director of the Electronic Privacy Information Center. We have played a leading role in many of the emerging electronic privacy issues, including questions concerning Carnivore, the implementation of CALEA and so forth. We also are frequent users of the reports that are generated by the administrative office of the U.S. courts that provide the opportunity, for example, to observe the dramatic increase in the use of pen registers over the last couple of years or the increasing use of nonwireless intercept, as Mr. Corn-Revere noted. But with your permission today, for a few minutes I would like to focus on a few key historical points in the development of wiretap law. I do this because I think it will help put this process in context and also help answer some of the questions that Mr. DiGregory made onsome of the points Mr. DiGregory made on the prior panel.
Congressman Watt mentioned the year 1789 and the simple language of the Bill of Rights which established the basic right of privacy for Americans. There is another critical year in the development of this law, and that is 1928, when the U.S. Supreme Court was asked to consider whether that fourth amendment would extend to new forms of electronic communications, which meant, in the 1920's, telephony.
Now, in a 5-to-4 opinion, the Court at that time said, no, it did not, and that as a practical matter it would not be necessary for law enforcement to obtain judicial approval before it conducted a search of an electronic communication. But two of greatest Justices of the 20th century wrote in dissent in that opinion. Justice Brandeis said that this was wrong. The law must evolve as technology evolves to ensure that these constitutional protections continue to have their meaning served. The Court reversed itself in 1967, followed Justice Brandeis's analysis, and it was, of course, the following year that the Feds' wiretap statute, section 119 of title 18, was established by Congress.
Page 148 PREV PAGE TOP OF DOC
There was a second dissent, and I think this is an important one for Mr. DiGregory to keep in mind. It was Justice Holmes who described wiretapping as a dirty business. Now, it wasn't the use in that case of the electronic surveillance tools that Justice Holmes was commenting on. It was, in fact, the fact that Federal agents were violating the Washington State law which prohibited this type of wiretapping at the time that they conducted the electronic communications. Justice Holmes said, in effect, that the agents of government should not be allowed to profit from the violations of law.
It is on that basis that in 1968 Congress established section 2515, the statutory exclusionary rule, which says that when evidence is wrongfully obtained, it should not be used in the subsequent proceeding.
It was in 1986 when the language was amended in title 18 that Congress did not address the question at that time in moving from wire and oral communication to electronic communication of whether the statutory rules should be extended. I think it is clear from the history, both from Holmes's opinion and from the act as passed in 1968, that the intent is to make sure that such information should not be used.
The second point I wish to address concerns the expectation of privacy analysis, and there has been some discussion of the pen register case. That is Smith v. Maryland, another opinion which I should point out was decided 5 to 4, and an opinion which has been roundly criticized by such scholars as Professor Tribe. It was in that case Justice Thurgood Marshall wrote in dissent that individuals, of course, would have an expectation of privacy in the telephone numbers that they would dial.
Page 149 PREV PAGE TOP OF DOC
Now, I agree also with Mr. Corn-Revere, who pointed out that given the recent developments in new technology and how that pen register standard is applied with respect to Internet communication, that it cannot be reasonably argued today that an expectation of privacy does not follow from a person's disclosure of call detail information in the electronic context. I think that is a very difficult argument to maintain, frankly.
The final point that I wish to address concerns the reporting requirements, and going forward in this area I think the reporting requirements are extraordinarily important to evaluate how law enforcement is using this authority and to provide you the opportunity to determine whether it is consistent with the spirit of the fourth amendment and the wiretap statute as originally adopted.
Now in this statement we express support, as have the other witnesses on the panel, for H.R. 5018 and H.R. 4987, and I would also agree with the comments that have been made that when the two proposals are in conflict, the stronger provision should be endorsed.
I note in my statement some concerns about the third measure, the Notice of Electronic Monitoring Act, but I will not discuss those at this time. They are contained in my statement. Thank you.
Mr. CANADY. Thank you very much.
[The prepared statement of Mr. Rotenberg follows:]
Page 150 PREV PAGE TOP OF DOCPREPARED STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC PRIVACY INFORMATION CENTER
My name is Marc Rotenberg. I am the Executive Director of the Electronic Privacy Information Center (EPIC) and an adjunct professor at Georgetown where I teach the law of information privacy. I appreciate the opportunity to appear before the Subcommittee to discuss privacy legislation.
EPIC has a long-standing interest in the protection of privacy and a particular interest in the scope of electronic surveillance by the federal government and the application of the wiretap statute. We opposed adoption of the Communications Assistance for Law Enforcement Act of 1994 (CALEA). We argued that it was a costly and unnecessary extension of federal wiretap authority. We believe that history has demonstrated that we were correct.
EPIC was also the lead civil liberties plaintiff in the recent litigation concerning the implementation of the CALEA, and we are currently seeking the documents describing the Carnivore surveillance systems in a widely reported Freedom of Information Act case.(see footnote 9)
We have reviewed closely the annual reports produced by the Administrative Office of the US Courts on the electronic surveillance.(see footnote 10) We were the first to note the significant increase of federal wiretapping by the Clinton Administration, and also the first to argue that new reporting requirements would be necessary for the new types of electronic surveillance undertaken by the government.
Page 151 PREV PAGE TOP OF DOC
We have also worked closely with labor organizations on emerging technology issues and recently published a report that discusses developments in the area of workplace privacy.
We believe there is a clear need to strengthen the federal wiretap statute and to clarify the scope of existing law, particularly in light of recent law enforcement practices. surrounding the FBI's Carnivore system and law enforcement access to locational information. We share the views expressed in the editorial pages of the nation's newspapers that these proposals require a response from Congress.(see footnote 11)
We also note the recent decision Appeals Court in CTIA v. FCC (implementation of CALEA) in which the court indicated that the highest standard should apply to new forms of electronic surveillance. At the same time, a recent opinion from the Tenth Circuit in US West v. FCC has suggested that Congress should be very clear when it uses the term ''consent'' to make sure that the courts understand that consent has to be meaningful.
ASSESSMENT OF PROPOSED WIRETAP LEGISLATION
Clarification of Exclusionary Rule
Central to the operation of the federal wiretap statute is the need to ensure that information that is unlawfully obtained not be used in a court proceeding. This principle goes back to the dissent of Justice Oliver Wendell Holmes in Olmstead v. United States in which he referred to the use of evidence obtained in violation of state law as a ''dirty business.''(see footnote 12) This principle is just as important today, but the technology has changed and the current law fails to make clear that the exclusionary rule applies to ''electronic communication,'' the term introduced in 1986, as it does to ''wire and oral communication,'' the original phrase from the 1968 Act.
Page 152 PREV PAGE TOP OF DOC
We support the proposed changes, contained in HR 5018 [Sect. 2] and HR 4987 [Sect. 3], to section. 2515 that would clarify that the exclusionary rule covers ''electronic communication'' as well as ''wire and oral communication'', and also the proposed change in HR 5018 [Sect. 2], that would extend the statutory exclusionary rule to ''any stored electronic communication'' in HR 5018 [Sect. 2].
Extension of Reporting Requirements
Over the last several years EPIC has made frequent use of the annual report of the Administrative Office of the US Courts to evaluate trends in electronic surveillance practices and to assess policy proposals by law enforcement agencies. During the debate over adoption of the Communications Assistance for Law Enforcement Act (CALEA), for example, we noted that contrary to the claims of the FBI and the Department of Justice, the federal wiretap statute was hardly ever used for investigations of kidnapping or bombing.(see footnote 13) Then as today, title III warrants are issued primarily for narcotics investigations.
We have also noted the significant increase in the use of pen registers and trap and trace orders in the last few years as well as the very large percentage of non-incriminating communications that are routinely intercepted by government agents. We believe that the reporting requirements are central to operation of the wiretap statute and that these reports provide critical information for lawmakers and citizen organizations.
We favor proposals to amend current reporting requirements and to provide information about stored electronic communications similar to those requirements that currently exist in section 2519 for intercepted communications. These proposals will improve accountability and provide a means to assess the scope and effectiveness of wiretapping conducted by government pursuant to title 18. We further support the provision contained in HR 4987 on ''Reports Concerning Other Disclosures'' that would extend reporting requirement to other warrants and subpoenas. We believe this will ensure a higher level of accountability and greater accuracy in reporting.
Page 153 PREV PAGE TOP OF DOC
Strengthening Pen Register Standards
We support proposed changes to sect. 3123 that would strengthen the standard for the issuance of an order for a pen register or a trap and trace device. If it is the purpose to apply this standard only to the instance where an e-mail address should be obtained, then the language should be clarified so that it is clear the address is necessary for the investigation that is being pursued.
We further support the extension from one hundred and eighty days to one year for the period of times warrant under the Federal Rules of Criminal procedure or equivalent state warrant must be obtained for government access to the contents of electronic communications in electronic storage.
Access to Locational Information
Finally, we support the proposal to require a court order before location information is disclosed to the government by the provider of mobile electronic information service. We recognize that law enforcement is currently gaining access to locational information and also that the court in USTA v. FCC implicitly recognized that such activity. For these reasons, it is important to establish a legal standard for access to this information
We are concerned, however, that an authorization to permit access to locational information coupled with a technical requirement in CALEA to mandate the availability of locational information will go further than the purpose of the wiretap law or the spirit Fourth Amendment should permit. It is generally not the case that the law both provides law enforcement the right to conduct a search and also requires technical steps be taken prior to the issuance of a warrant to ensure that success in the search be assured. We believe this is an area that the Subcommittee on the Constitution should consider carefully as similar issues arise in the future regarding the scope of the federal wiretap statute.
Page 154 PREV PAGE TOP OF DOC
We further recommend that the consent provision in the proposed provision (i)(2) be modified such that ''meaningful consent'' or ''explicit consent'' or ''affirmative consent'' be obtained. Particularly in light of the Tenth Circuit's recent holding in US West v. FCC regarding a similar provisions in the Telecommunications Act of 1996, we believe that Congress has to make clear that consent cannot be indirect, assumed, or implied.
Leaving the Cable Act Privacy Safeguards Unchanged
We appreciate the fact that none of the bills before the Subcommittee modify the privacy provisions in the Cable Act of 1984 to address the problems with electronic surveillance.(see footnote 14) We believe it would be a mistake to alter that very good provision or to harmonize downward current privacy safeguards, as the White House has proposed.(see footnote 15) We urge the Subcommittee to be very wary about reducing the level of privacy protection currently established in US law.
Comments on HR 4908
We share the Subcommittee's interest in the need to address the growing problem of workplace surveillance. According to a report released earlier this year by the American Management Association (AMA), nearly three-quarters of major US firms monitor their employees' communications and activities on the job, including their phone calls, e-mail, Internet connections and computer files. This figure has doubled since 1997, driven by a dramatic increase in employers' interest in what employees are doing on their computers. The share of major U.S. firms that checks employee e-mail messages has jumped to 27 percent from 15 percent in 1997, and overall electronic monitoring of communications and performance has increased to 45 percent from 35 percent two years ago.(see footnote 16)
Page 155 PREV PAGE TOP OF DOC
Workplace surveillance is also growing problem around the world. As we note in our recent report on Privacy and Human Rights:
Traditionally this monitoring and information gathering involved some form of human intervention and either the consent, or at least the knowledge, of employees. The changing structure and nature of the workplace has led to more invasive and often covert monitoring practices with call into question employees' most basic right to privacy and dignity within the workplace. . . .
Advances in science have also pushed the boundaries of what personal details and information an employer can acquire from an employee. Psychological test, general intelligence test, performance tests, personality test, honesty and background checks, drug test, and medical tests are a routine requirement in workplace recruitment and evaluation methods.(see footnote 17)
However, we do not think that the bill as currently drafted provides sufficient protection to address the problem. The bill is very narrow in two respects. First, it covers only communications monitoring and leaves many current practices untouched. Second, it provides only the single requirement of notice, which standing by itself, could operate more as a disclaimer than any actual safeguard.
Privacy laws are typically based on the concept of Fair Information Practices. The principles establish basic rights for individuals who give up personal information and basic responsibilities for organizations that obtain personal information. Virtually all privacy law, from the Fair Credit Reporting Act of 1970 through the Privacy Act of 1974 and the many bills under consideration in the current session follow this approach.
Page 156 PREV PAGE TOP OF DOC
A notice-only privacy law, absent any of the substantive rights associated with Fair Information Practices, such as access, correction, or use limitation, is problematic. It could in practice reduce the amount of covert surveillance, but it will not limit overt surveillance. It may in fact increase the amount of overt surveillance, as companies under directions from their attorneys, write very broad policies outlining a wide range of possible surveillance activities that may not have previously occurred.
The impact is twofold: First, an employee's reasonable expectation of privacy, a critical legal standard for privacy protection, could be significantly diminished. Second, an employee's claims under state common law tort theories could be undermined because employees would be effectively on notice of the monitoring practices.
There is the additional problem that the bill could limit workplace communication for organizing purposes that might be otherwise protected by law. This question arose in a recent workplace privacy case where a company that imposed a blanket policy prohibiting communications in the workplace attempted to dismiss a worker for communicating with others about workplace issues. An NLRB judge sided with the employee and concluded that the employer simply could not prevent employees from communicating with one another by means of notice.(see footnote 18)
We think better approaches can be found both in other US privacy laws and in international standards. The Employee Polygraph Protection Act of 1988, for example, establishes substantive limitations on the use of lie detectors in the workplace.(see footnote 19) A particularly good framework for workplace privacy protection is provided by the International Labor Organization's ''Code of Practices on the Protection of Worker's Data.'' The ILO issued these guidelines in 1997, following three comprehensive studies on international workplace privacy laws.(see footnote 20) The general principles of the Code suggest the range of interests that a workplace privacy bill could address:
Page 157 PREV PAGE TOP OF DOC
Personal data should be used lawfully and fairly; only for reasons directly relevant to the employment of the worker and only for the purposes for which they were originally collected;
Employers should not collect sensitive personal data (e.g., concerning a worker's sex life, political, religious, or other beliefs, trade union membership or criminal convictions) unless that information is directly relevant to an employment decision and in conformity with national legislation;
Polygraphs, truth-verification equipment or any other similar testing procedures should not be used;
Medical data should only be collected in conformity with national legislation and principles of medical confidentiality; genetic screening should be prohibited or limited to cases explicitly authorized by national legislation; and drug testing should only be undertaken in conformity with national law and practices or international standards;
Workers should be informed in advance of any monitoring and any data collected by such monitoring should not be the only factors in evaluating performance;
Employers should ensure the security of personal data against loss, unauthorized access, use, alteration or disclosure; and
Employees should be informed regularly of any data held about them and be given access to that data
Page 158 PREV PAGE TOP OF DOC
Beyond these two fundamental problemscovering only communications and requiring only notice of monitoringthe bill is otherwise reasonably crafted. The exceptions to the notice requirement are reasonable, though it may also be appropriate to inform employees at some point after such monitoring has occurred and also to require the employer to formally note when such authority is exercised. The proposed civil action provision is also reasonable. A liquidated damage provision is particularly important in privacy statues because of the difficulty of otherwise assessing damages.
If the bill remains a notice-only measure, we would strongly urge the Committee to add a provision that would require the notice to be available by means of the World Wide Web. That would prevent intimidation of employees seen reading the notice (a common problem with paper notices) and would also help the labor market function by enabling prospective employees to evaluate the privacy policies of prospective employers.
Even though it is late in the session, it is not too late to strengthen the federal wiretap statute, particularly in light of the current concerns with Carnivore and the ongoing question of how government is to conduct electronic surveillance in the years ahead consistent with the principles in the Fourth Amendment and the spirit of the federal wiretap statute. We hope that the full Committee will act quickly on these two bills. Regarding the surveillance notice measure, we believe that a stronger measure is appropriate and necessary to safeguard privacy in the workplace.
Page 159 PREV PAGE TOP OF DOCREFERENCES
David Banisar, Privacy and Human Rights: An International Survey of Privacy Law and Developments (EPIC and Privacy International 2000)
Whitfield Diffie and Susan Landau, Privacy on the Line: The Politics of Wiretapping and Encryption (MIT Press 1998)
Bruce Schneir and David Banisar, The Electronic Privacy Papers (Addison Wesley 1997)
Marc Rotenberg, editor, The Privacy Law Sourcebook: United States Law, International Law, and Recent Developments (EPIC 2000)
USTA v. FCC. No. 991442 (DC Cir. 2000)
EPIC Carnivore FOIA Litigation Page
EPIC Wiretap Page
Mr. CANADY. I will recognize Mr. Watt now for 5 minutes.
Mr. WATT. Thank you, Mr. Chairman.
Page 160 PREV PAGE TOP OF DOC Let me quickly, hopefully, and not using more than 1 of my minutes, get two factual things cleared up.
You all seem to be in pretty uniform support of Mr. Schumer and Mr. Barr's bill about employeeexcept for Mr. Rotenberg. I heard his proviso.
Give me a 30-second rationale for why you would limit the amount of damages, though.
Mr. DEMPSEY. Well, I think you would face the situation of a company with 10,000 employees, which violated the law and monitored many different times, if you multiplied even $1,000 per employee times multiple violations, the damage figure could get very high. So there was some effort to try to make it a meaningful sanction, to recognize the privacy interests of the individual through some compensation, but at the same time not to allow the damages to multiply out too much.
Mr. WATT. Okay. I don't agree with that, but I just wanted to figure out how you got there.
What is the current status of the D.C. Circuit decision that you referred to, Mr. Corn-Revere?
Mr. CORN-REVERE. The U.S. Telecom Association decision was issued on August 15th, and it sends back to the FCC for remand certain items on the FBI punch list for surveillance capabilities under CALEA, the Communications Assistance for Law Enforcement Act.
Page 161 PREV PAGE TOP OF DOC
Mr. WATT. So it is not going to be appealed to the Supreme Court?
Mr. CORN-REVERE. I don't know
Mr. WATT. I mean, it is basically a final decision?
Mr. CORN-REVERE. I don't know if there has been any discussion of whether or not to seek review of that decision.
Mr. WATT. All right. Those were the two kind of side issues that I wanted to pursue.
I want to zero in on the bills and the differences in the bills because I think if we are going to reconcile the bills and come up with something that Mr. Nojeim thinks we can pass tomorrow, he said, we better get down to brass tacks here.
I am looking at the staff memo that came out, or the memo that came out that describes the differences. One of them, on page 4 of the memo, says H.R. 4987, unlike H.R. 5018, would apply this higher standard to all law enforcement requests for the installation of pen register and trap and trace devices, including requests for telephone numbers dialed. So that is the distinction. That is one of the distinctions between the bills.
And my question to all four of you witnesses is, given the distinction there, which one of these bills ought wewhich one of these bills' language ought we be taking?
Page 162 PREV PAGE TOP OF DOC
Mr. DEMPSEY. H.R. 4987.
Mr. CORN-REVERE. H.R. 4987.
Mr. NOJEIM. H.R. 4987.
Mr. CORN-REVERE. I would combine the approaches and take the application of H.R. 4987 to all pen registers, whether or not it is for a traditional use or for an Internet use, and then I would use the language of H.R. 5018 that draws from section 2703 of the current law because I think that would be
Mr. WATT. Use it to what?
Mr. CORN-REVERE. Use it to set the standard for obtaining a pen register, with the caveat that if you are talking about using a technology that will be installed at the ISP, I think you might want to consider strengthening that protection to a title III standard of probable cause. I know this is a complicated, rambling answer.
Mr. WATT. You lost me there, so I will come back to you.
Let me see what Mr. Rotenberg says about this.
Mr. ROTENBERG. Well, I think the H.R. 4987 standard is higher, but I would note also that it makes reference to the e-mail address. Now some people have expressed concern that there is a problem.
Page 163 PREV PAGE TOP OF DOC
Mr. WATT. Yes, I think we are all in accord on that because we want to do something that is technology-neutral, I take it?
Mr. NOJEIM. Just to comment on that, H.R. 4987 does not make reference to an e-mail address. That is in H.R. 5018.
Mr. WATT. H.R. 5018. So if you got the H.R. 4987 standard, then you would be okay.
Okay. Now elaborate for me
Mr. CANADY. The gentleman's time has expired. Without objection, the gentleman will have 3 additional minutes.
Mr. WATT. Elaborate for me, Mr. Corn-Revere, what the distinction is you are making because I want to be clear on what it is you are saying.
Mr. CORN-REVERE. There are two major issues and one fairly minor one. The first major issue is that I think that the heightened standard should apply to all trap and trace requests, whether for a traditional telephone trap and trace or for one that is intended to apply to Internet-based communications.
Mr. WATT. So that would basically change the standard under 3123 then?
Page 164 PREV PAGE TOP OF DOC
Mr. CORN-REVERE. Yes, it would.
Mr. WATT. Okay.
Mr. CORN-REVERE. So the approach adopted by H.R. 4987 is appropriate in that regard.
Secondly, where that information is sought from an Internet service provider, and the government seeks to acquire that information through installation of a device on the data network of an Internet service provider, then I think it would be appropriate to apply an even highter standard.
Mr. WATT. That is the Carnivore situation?
Mr. CORN-REVERE. Yes.
Mr. DEMPSEY. Exactly. In that sense, Mr. Corn-Revere's suggestion is actually drawn from the circuit court opinion because what happens in Carnivore and what worries us all about Carnivore is that in order to get just the ''to'' and ''from'' information, it grabs everything, including the content, and digs into the content. What the Court of Appeals said last month in the CALEA decision, and I think what Mr. Corn-Revere is suggesting, is if you are going to get content, you have to meet the fourth amendment probable cause standard.
Mr. CORN-REVERE. That is right.
Page 165 PREV PAGE TOP OF DOC
Mr. DEMPSEY. Even if the government says, ''Don't worry, we are not going to read the content, or we are only going to read so much of the content as is necessary to read the address.''
Mr. WATT. Okay. Now, are you saying that H.R. 5018 has some language in it that we could use?
Mr. CORN-REVERE. No, that language isn't contained in either of the current proposals.
Mr. WATT. Okay. So you are talking about something that isn't in either bill at this point?
Mr. CORN-REVERE. That is right. And just to pick up on what Mr. Dempsey was just saying, this point about the interception of communications via Carnivore is something that Mr. Green testified to earlieralthough I think inadvertentlywhen he said the greatest intrusion comes from intercepts of communications when he was trying to explain the difference in the exclusionary rule. Well, if that is true, that is the type of interception we face with Carnivore, except the government is configuring the device, trying to winnow out only a certain amount of information.
If the government is going to do an intercept, then the higher standard should apply. On the other hand, if all you want is the ''to'' and ''from'' information, you should be able to get that information from the Internet service provider with an intermediate showing where you don't install something on an ISP data network.
Page 166 PREV PAGE TOP OF DOC
The only other point, and this was a minor point, with respect to the language of H.R. 4987 and H.R. 5018 was to suggest that the standard established in section 2703(d) of ECPA may be appropriate here, and that language is used in the current draft of H.R. 5018.
Mr. WATT. Help me with that.
Mr. CORN-REVERE. Okay. The section 2703 language, let me pull out the statute here, says that an order for stored information shall issue only if the government entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire and electronic communication or the records or other information sought are relevant and material to an ongoing criminal investigation.
This is just to say that picking up the language, ''specific and articulable facts,'' which is in the current draft of H.R. 5018 I think makes some sense.
Mr. WATT. Just one more question, Mr. Chairman, with your permission. Actually, I have two, but I don't think I have time for the other one.
Mr. CANADY. Without objection, the gentleman will have 2 additional minutes.
Mr. WATT. The emergency situation that you referred to, Mr. Corn-Revere, is it addressed in either bill, or how difficult would it beyou said that that language would have to be carefully drafted, which I agree with, but I also agree that the government needs emergencyif it is well drafted that an emergency situation might arise. Anybody got any ideas about what that should consist of?
Page 167 PREV PAGE TOP OF DOC
Mr. CORN-REVERE. Well, I think it is a reasonable suggestion to say that there are emergency circumstances that may arise that we currently can't foresee.
Mr. WATT. That the Constitution should be suspended?
Mr. CORN-REVERE. Not that it should be suspended, but that there should be oversight after the fact and requirements that the government make a showing at that time that the emergency was justified.
Mr. WATT. Oh, I see.
Mr. CORN-REVERE. I don't have specific language in mind, but I think it is probably reasonable to recognize that those circumstances may arise.
Mr. WATT. Okay. I will get your input on that side.
I want to go to the other question which was the next distinction described asit says H.R. 4987, unlike H.R. 5018, would require the disclosure of information revealing the physical location of a subscriber's equipment by mobile or electronic information provider may occur only when, one, a government entity obtains a court order based upon a finding that there is probable cause to believe that the subscriber's equipment has been, is being or is about to be used to commit a felony; or, two, the subscriber consents to such disclosure. In that case, which standard should we be using, H.R. 4987 or H.R. 5018?
Page 168 PREV PAGE TOP OF DOC Mr. DEMPSEY. H.R. 5018, because that is the onlythere is no comparable provision in H.R. 4987.
Oh, I am sorry. I have it backwards. H.R. 4987.
Mr. WATT. H.R. 4987.
Mr. DEMPSEY. Section 6 of H.R. 4987 is the language I quoted.
Mr. WATT. Okay. Mr. Nojeim?
Mr. NOJEIM. Agreed.
Mr. WATT. Mr. Corn-Revere?
Mr. CORN-REVERE. I agree.
Mr. WATT. Mr. Rotenberg?
Mr. ROTENBERG. We agree, except I noted in my prepared statement that the term ''consent'' as used in this context unmodified may not actually provide enough protection to the subscriber, particularly in light of the recent case. U.S. West v. FCC, which we actually litigated, concerns the privacy provision in the Telecommunications Act of 1996 where Congress said consent, and the tenth circuit didn't think that was sufficient. So I at least raise in my statement the question of
Page 169 PREV PAGE TOP OF DOC
Mr. WATT. So even that is a little more complicated?
Mr. ROTENBERG. We may need to do a little bit more to get that to work the way you would like it to work.
Mr. WATT. So Mr. Nojeim is wrong, and we can't get this done by tomorrow?
Mr. NOJEIM. No, we can get the language this afternoon.
Mr. WATT. We need emergency language.
Mr. NOJEIM. We can still do it.
Mr. WATT. We need all this done by tomorrow. Can we get it done by next Thursday, that is the real question, because the chairman has moved the markup back to next Thursday. So we need language quick.
Mr. DEMPSEY. We will definitely work with you and the staff and with the Justice Department to try to do that.
Mr. WATT. I don't think you are going to get much help from the Justice Department on this issue.
Page 170 PREV PAGE TOP OF DOC Mr. DEMPSEY. I am always optimistic.
Mr. WATT. I am optimistic, too, but they don't seem to accept the standard, although now that I understand what is required to initiate an investigation, I agree with you. I can't understand why they wouldn't accept the standard.
Mr. DEMPSEY. All I am saying is we obviously need to listen carefully to what they have to say to make sure we are not doing something inadvertent.
Mr. WATT. Okay.
Mr. DEMPSEY. On the emergency exception, let me say there is already an emergency exception provision in the pen register statute, and I think what the Department of Justice is proposing is to add two additional clauses, two additional emergency grounds, to what is already in 18 U.S.C. 3125. So we can all take a look at that and see how it currently provides an emergency exception.
On the location question, I think we are in uniform agreement here that the probable cause standard is the standard to be adopted; that as the person carries that cell phone from home, to work, everywhere they go, including into places where they do have a reasonable expectation of privacy, into their house, into their office, probable cause should be the standard for government access.
What I heard Mr. DiGregory object to was lines 21 and 22 on page 4 in H.R. 4987, the words ''probable cause to believe that the equipment has been used, is being used or about to be used to commit a felony offense.''
Page 171 PREV PAGE TOP OF DOC
Mr. WATT. Yes, I heard, that, too.
Mr. DEMPSEY. I think that specific concern is worth giving some consideration to. I think you can come up with some scenarios where the phone is not being used to commit the offense.
Mr. WATT. In connection with an offense maybe.
Mr. DEMPSEY. This language in H.R. 4987 is to some extent drawn from title III, and it was, I think, an effort to try to mesh with what is there, but that is something that can be corrected with not too much work and listening to the Justice Department's concern on that point. I am not prepared to listen to them on whether it is probable cause or not, but on this point I think there may be some room for improvement.
Mr. NOJEIM. I would like to add one little thing to that. It is 2518(d)I am sorry, 2518(3)(d) in current law that says that there has to be probable cause for belief that the facilities from which or the place where the electronic communication or the voice communication is going to be intercepted, that there has to be probable cause to believe that those facilities will be used. So that is already in the wiretap statute.
What they are proposing, in essence, is that there just be probable cause that a person be involved in crime. That is not the road down which we think you ought to be going. You don't say, okay, we have evidence that so and so might be involved in crime. Therefore, we are going to tap their phone regardless of whether we think that instrumentality is going to be used in furtherance of a crime. So I don't think it makes good sense to go down the road of moving away from that requirement with respect to location information.
Page 172 PREV PAGE TOP OF DOC
Mr. WATT. Thank you, Mr. Chairman. You have been very generous, but I think we got some good information.
Mr. CANADY. Thank you, Mr. Watt.
Mr. BARR. Thank you, Mr. Chairman. I also appreciate your letting the witnesses take more time in answer to Mr. Watt's question because we have covered a lot of the territory that I would have gone over, so it was very, very useful.
Which one of you all is the best person to ask about some of the technicalities of e-mails and ISPs and stored communications versus instant? Everybody is looking at everybody else.
Mr. DEMPSEY. I am not going to step up to that one. I am a lawyer, Congressman.
Mr. BARR. Which one of you lawyers is the best person? I am not, but I do understand that there are things that make e-mail communications far different from traditional telephone conversations or hard pieces of paper, and the government's reliance on statutes that were crafted with those forms of communication in mind as a justification for not making any changes to address e-mails I think is very disingenuous, because even somebody as nontechnical as I am understands, and I think the government understands also, they just won't admit it, that there are significant differences. You can't just take an e-mail transmission, put it in your hand, and give it to somebody and say, well, that is protected. But, if you give it to somebody else and then they give it to the intended recipient, that is different. E-mails operate very, very differently.
Page 173 PREV PAGE TOP OF DOC
Are there some e-mails that are transmitted only instantaneously and don't go through an ISP? Or do all e-mails go through an ISP, a server, an Internet service provider?
Mr. ROTENBERG. Congressman, I think the answer to that question is if you are talking about a public network as opposed to a private network within an organization, you will almost invariably go through an ISP. I think the critical point here is that the problem is the Justice Department proposal is trying to extend the notion of to/from addressing, which is in the old pen register trap and trace approach, to communications privacy, simply doesn't work in the Internet. The reason for that is that a lot of that addressing information is not just locational. As people have pointed out, you can be using services like Hotmail, for example, which actually indicate contentlike information about the subscriber to the service because they are linked to particular Web pages.
It is sort of like saying that we should be able to use the old pen register trap and trace mail cover approach to people who are sending messages in glassine envelopes. Well, it is true. I mean, you can see the address on the glassine envelope, but you can also hold up the envelope and see what the people are writing about, and it is the content that the communications privacy law and the fourth amendment have always given the very highest standard to.
So I think the problem that we are running into, and it crosses into the Carnivore debate and these other issues related to standards, is that the Department of Justice is trying to squeeze under the pen register, trap and trace, old-fashioned, narrow, to/from addressing approach a lot of content-related information that really has to get the higher standard.
Page 174 PREV PAGE TOP OF DOC
Mr. BARR. And they are trying to use some of these recent court cases, and granted there aren't a lot of them, and I don't know really how revealing they are, the government wants to use them to show, there is no evidence that the FBI is doing anything wrong. Well, we don't know. And I think they are trying to, you know, fit a round peg into this square hole or vice versa here. And if they are successful, as they have been at least in part, and I forget which case it was that we discussed back in July, then it is going to become increasingly difficult to address these sorts of things once there are some sort of precedents down the road.
So I think it is very timely that we address these issues.
I think Mr. Rotenberg or maybe Mr. Corn-Revere, one of you, was talking earlier about an emergency. Who was talking about the concept of consent in H.R. 4987?
Mr. ROTENBERG. I was.
Mr. BARR. Do you have any specific language that would help us in that regard?
Mr. ROTENBERG. Well, in my testimony, and this won't take until next week, but I suggest it is simply meaningful consent, explicit consent, affirmative consent, something which avoids the problems.
Mr. BARR. Some sort of modifier.
Page 175 PREV PAGE TOP OF DOC Mr. ROTENBERG. Which makes very clear that that consent cannot be implied or assumed, which we wouldn't have thought would have been a problem, but, as I said, in light of this other case, we are a little bit more careful. I don't know if others might have views on this issue.
Mr. DEMPSEY. If I could one further, if we are going to go that route, we do have to address the 911 situation because clearly people who are calling 911 consent to be found and want to be found. They are calling the government saying, come help me.
Mr. BARR. Right.
Mr. DEMPSEY. And I think that is a consent situation.
Mr. NADLER. You shouldn't be explicit there?
Mr. DEMPSEY. Yes, that is right. I don't think you have to have it.
Mr. ROTENBERG. But on the other hand, if a service provider includes in a term of service a notice that says, we may disclose your location to law enforcement upon legal process, period, if that is viewed as consent in a subsequent disclosure, that is where the privacy issue is.
Mr. BARR. So this shouldn't be a major problem to surmount. I think we can pretty easily take care of the various concerns.
Page 176 PREV PAGE TOP OF DOC
Mr. Nojeim, did you have anything to add that you haven't had a chance to go into? I think we have pretty much covered the main areas that I wanted to go into in terms of the exclusionary rule and the use of cell phones for location and the difference between stored andthe artificial distinction between stored and instantaneous.
Mr. NOJEIM. Well, I wanted to address the emergency situation that Mr. Watt was talking about earlier, and the statute that Jim was talking about, I think it iswhat was it 3125?
Mr. DEMPSEY. 3125.
Mr. NOJEIM. An emergency exists that involves immediate danger of death or serious bodily injury to any person or conspiratorial activities characteristic of organized crime, I would think that in an emergency situation that it is not an emergency unless there is a threat of immediate danger of death or serious bodily injury to a person, and that they already have the exceptions that they want.
The problem with this emergency exception is that there would never be judicial oversight. They could get their order for 48 hours. There could notthere may not have been a true emergency, and then they stop after the 48 hours. No judge can ever second-guess them because there is no judicial review once they stop. So there is a problem with expanding the emergency situations. There is no judicial oversight.
Mr. WATT. Would the gentleman yield for a second, a follow-up on that?
Page 177 PREV PAGE TOP OF DOC
Mr. BARR. Yes.
Mr. WATT. The government has suggested adding to that an immediate threat to a national security interest, and an ongoing attack on the integrity or availability of a protected computer punishable pursuant to section 1030(c)(2)(C) of this title. What do you say about that?
Mr. NOJEIM. I would have to look at what they do with 1030(c)(2)(C).
Mr. WATT. What about national security? That one might be easier.
Mr. NOJEIM. National security is a very vague term that hasin fact, you had a hearing about what the threat to national security was when you talked about the Secret Evidence Repeal Act. I remember Bobby Scott questioning the government witnesses repeatedly, well, what is a threat to national security? And nobody had a good answer other than a circular answer; it is what we call it.
So I think you ought to not go down the road of a blanket national security exception and that the exception
Mr. WATT. Don't you think the concept is worthI mean, wouldn't that be worthyou know, we don't want to be here worrying about the Constitution if there is a real national security threat.
Page 178 PREV PAGE TOP OF DOC
Mr. NOJEIM. If there is a real national security threat that doesn't involve an immediate danger of death or serious bodily injury, let's hear about it.
Mr. CORN-REVERE. Well, let me just make one other point based on the annual wiretap reports. If you look at the statistics, it is almost unheard of for a judge to deny a request for a surveillance order, and so that raises a question of just what kind of burden is going to be created by establishing some kind of standard.
With respect to the emergency exception, I was responding in my testimony principally to the example that Mr. DiGregory gave of a case that he mentioned in Florida where a family was kidnapped, and it was through the use of location information that they were able to find and save that family.
I would point out that section 3125 and the emergency exception created there apply only to pen registers, so there may be emergency situations with respect to section 6 of H.R. 4987 regarding location information, where an emergency exception might be warranted. But I would agree with the comments that you make that it should be very carefully drafted so as not to create a vast loophole.
Mr. CANADY. The gentleman's time has expired. I will now recognize the gentleman from New York Mr. Nadler for 5 minutes, plus.
Mr. NADLER. Thank you. Thank you, Mr. Chairman.
Page 179 PREV PAGE TOP OF DOC Let me just first comment that we should be very careful with the national security concept because history tells us that that language has been used for many, many sins by many, many administrations, and national security tends to be whatever the incumbent administration deems it to be and often is a synonym for political embarrassment or whatever.
Let me ask the following. On this emergency question, why shouldn't we provide perhaps that there is judicial review of the emergency, and that if it is deemed by a judge that there wasn't really an emergency, however you define an emergency, that all information must be suppressed?
Mr. ROTENBERG. Part of the answer to this question, Congressman, is that the emergency provision under the wiretap statute tries to deal with a situation where it is literally impracticable for law enforcement to get judicial approval.
Mr. NADLER. No, no, I mean afterwards.
Mr. ROTENBERG. Right.
Mr. NADLER. In other words, you assert the emergency. You get the wiretap or whateveror the trace or whatever, and later you go before the judge and try to justify why it was necessary to do that, and he says there was no emergency.
Mr. ROTENBERG. Well, I think you could do that in part by extending the reporting requirements, which, by the way, are very useful because they would show by jurisdiction, you know, which offices and which attorney generals are using that authority.
Page 180 PREV PAGE TOP OF DOC
I am not sure what the significance would be after the search occurs of a judicial determination that the search could not have been authorized, because it will affect the authorities there. But if I may also
Mr. NADLER. Excuse me. If you saidif you put in the statute that you empower the judge who decided that you improperly used the emergency statute, there was, in fact, no emergency, if you empower the judge to say that all information and all the fruit of information gained by that trap, trace, interception, whatever, is suppressed in all respects, might that not be a useful way to enforce the law?
Mr. ROTENBERG. Yes. You would still have the basis to exercise the statutory exclusionary rule, but if you are trying to curb subsequent abuse in the future, then I think the way to do that is through reporting.
If I could make just one other point on this because you had raised this issue, as did Congressman Watt, I think to address the national security concern, the way you control that problem is by tying it to explicit statutory authority. In other words, you don't want to leave in the interest of national security because it is too open-ended, but if, in fact, there is explicit statutory authority, you could do it.
Mr. NADLER. What do you mean by explicit statutory authority?
Mr. ROTENBERG. In other words, you have to go back to the Department of Justice and say, what is the statutory authority that establishes the type of criminal act, the type of threat to the national interest, that would permit this exception?
Page 181 PREV PAGE TOP OF DOC
And my second point is that 1030, which is the Computer Fraud and Abuse Act, which I am fairly familiar with, is a very broad statute. If you grant emergency exception for 1030 investigations, you are basically suspending the Wiretap Act for all computer-related investigations, and I can't believe that that is something you would want to do.
Mr. NADLER. Mr. Dempsey, I think you wanted to comment on that as well.
Mr. DEMPSEY. I think Mr. Nojeim and I now agree that the statute already says the first half of what you were proposing. 3125(c) says that the knowing use and installation of a pen register under emergency authority, where there has not been a subsequent application for the order to the court, is a violation of the statute, so that you cannot just go in for 2 days and keep mum about it. If you go in under the 48-hour emergency rule, you are required to then apply, and if you don't apply, then that is considered to be in itself the initial use.
Mr. NADLER. And if you do apply, then what happens?
Mr. DEMPSEY. If you do apply and you are turned down, the problem is that there is, again, no statutory suppression.
Mr. NADLER. But if you do apply at that point, and if the law now said that if the judge determined there was, in fact, no emergency, and, in fact, no statutory justification for what you did, if we then said that everything must be suppressed, would that be an adequate remedy?
Page 182 PREV PAGE TOP OF DOC
Mr. DEMPSEY. I think it would be.
Mr. NOJEIM. Yes.
Mr. DEMPSEY. That would be perfectly
Mr. CANADY. Could I interject here? But under the current standard, there is no chance you are going to be turned down anyway, is there?
Mr. DEMPSEY. Well, of course.
Mr. NADLER. We have to deal with the current standard, obviously.
Mr. DEMPSEY. That is right.
Mr. NADLER. We have assumed for the purpose of this discussion that we are doing something about the standard, I think.
Mr. DEMPSEY. That is right.
Mr. NADLER. Let me ask a different question. Coming back to the consent question, you talked about putting in the word ''explicit consent,'' or something like that, to make it clear. Let me ask what people think of the fact thatand you talked again about notice in an ISP that says, we may tell all sorts of things to law enforcement, should not be considered consent, I would think that it might be useful to put in the statute. And I would ask an opinion, not only that you require explicit consent, but that no implication of consent can be drawn from a notice from the ISP, because I doubt that anybody reads those notices.
Page 183 PREV PAGE TOP OF DOC
Any comment on that?
Mr. DEMPSEY. Well, I think what you are saying is that merely accepting the terms of service, merely subscribing to the service
Mr. NADLER. Should give rise to no implication.
Mr. DEMPSEY [continuing]. Should not constitute consent. I think that is what Mr. Rotenberg was saying.
Mr. CORN-REVERE. Right. Terms of service will generally talk about release of information pursuant to adequate legal process. I don't think you can assume that at the time the surveillance takes place, that the consent occurs at that point if it has accepted the service.
Mr. NADLER. But a court might think that, and, therefore, should we have language in the statute that says no such implication may be drawn?
Mr. ROTENBERG. That is one way to do it.
Actually Mr. Corn-Revere makes a good point because another way to do it is to say that the consent should be obtained at the point that the disclosure is sought, and what that effectively does is links the consent to the act, which is what the purpose is here, and would take care of this problem.
Page 184 PREV PAGE TOP OF DOC
Mr. NOJEIM. You say express, intentional, contemporaneous consent.
Mr. NADLER. That would be sufficient?
Mr. NOJEIM. I think so.
Mr. NADLER. Okay. Let me just say one other thing, which I think governs the way I am looking at some of this. I have beenI was amazed to be hearing these distinctions drawn, in the previous round of questioning we talked about it, between e-mail content that is instantaneous and e-mail content that is stored in a computer, but someone mentioned the e-mail content that is stored on the server.
Now, I just want to observe that although my son, who is 15, constantly tells me that I am illiterate in terms of computers, and I probably am, certainly compared to him and to most people of that age, I am not so sure I am illiterate compared to a good fraction of the population of the country. When I look at an e-mail message that I have just punched the thing that says saved, I don't think of it as being saved on some ISP. I think of it as being saved in the box in front of me.
Now if I think about it sitting here, obviously I know it is notit may be on some server, but I think the way most people look at a computer really is if you are saving some message, you are saving it in your computer, and they are not thinking that someone else, therefore, should have access to it because it is really being saved somewhere else.
Page 185 PREV PAGE TOP OF DOC
Mr. CANADY. Could I interject here? What do you think happens when you hit the delete button? Do you think it then goes away, it is nowhere?
Mr. NADLER. I don't think.
Mr. CANADY. I think you might be surprised
Mr. NADLER. I am sure that is true.
Mr. CANADY [continuing]. If that is your expectation when you hit delete.
Mr. NADLER. I am sure that is true. My point is that we should be very careful about constructing concepts of expectation of privacy or not from what really happens as opposed to what nontechnical people might, without great consideration, assume happens. I mean, most people, I thinkI mean, if they stop to think about it, they sit at the hearing, you know, they know better, but most people they have a box in front of them, and if you delete it, it is gone, and if you save it, it is saved in the box, and that is it.
I don't think that there is an expectation, again, because I don't think people are thinking of how it works. I don't think, you know, they are thinking about, gee, if I saved a message on my answering machine, that is in my little box in my house; if I save it on my computer, it is really somewhere else. So I think we have to be very careful about creatingabout artificial considerations of what expectations really are by people who are not, in fact, thinking about that. The law has to be realistic and not think of the technology, but of what people really probably think about.
Page 186 PREV PAGE TOP OF DOC
Mr. CORN-REVERE. If I could just address the scenario that you present, it will depend on the nature of the service that you get from an ISP or some other Internet company. In most circumstances, the e-mail that you read and then save is saved only to your computer and is not saved on the servers of the ISP. There are exceptions to that, but I think in most cases you are talking about having e-mail saved only on your computer. There are services that will providestore e-mail and other data for you or host Web pages and all kinds of other things, but that is really a different circumstance. And in most cases when you are talking about storage of information for purposes of ECPA, you are talking about storing information on the server of the ISP and access to that information via legal process and not information that is stored on your personal computer.
Mr. NADLER. I think what I am saying is that I am not so sure we should make a great legal distinction between those two situations, because whether, in fact, it is saved elsewhere or saved on the floppy disk or the hard drive or whatever, and I couldn't tell you the difference, on my own computer what is the practical difference? Why should there be a legal consequence as to my expectation of privacy?
Mr. ROTENBERG. Congressman, if I could say this was exactly the point and the criticism of the Supreme Court's opinion in that pen register case that we have been talking about today. What Justice Marshall and Professor Tribe and other people said about that opinion is that you are making telephone customers into telephone operators to understand how their telephone numbers are being collected and used, and that cannot be the basis for determining the public's reasonable expectation of privacy.
Page 187 PREV PAGE TOP OF DOC Mr. NADLER. I think that isI haven't read that decision, but I think that is a good point, and really if you are going to give privacy reality, and you are going to give the fourth amendment reality, it can't depend on technical differences that no one knows aboutor not no one, but the ordinary person doesn't know about or care about or think about.
Do you want to say something?
Mr. DEMPSEY. I will just make one comment that I had wanted to make as a point of caution. There has been a lot of discussion about good faith exception and no good faith exception. Three or 4 years ago the administration actually came forward with a proposal to add to this legislation a good faith exception to the exclusionary role of title III. This committee rejected that.
Mr. NADLER. To title III of?
Mr. DEMPSEY. The basic wiretap statute. One of the reasons was because if you actually look at the cases on the interpretation of the existing statutory exclusion rule, those cases actually do create, in essence, a material breach exception or an exception already that does not strictly enforce that suppression rule.
So already some of the things that the government was alluding to in its testimony, if you actually look at the cases, the courts have been careful not to throw out evidence in the case of minor or inadvertent violations of the Wiretap Act. That exclusionary rule is only applied in situations involving a substantial and core violation of those statutory provisions.
Page 188 PREV PAGE TOP OF DOC
Mr. NADLER. You think the Court has struck the right balance?
Mr. DEMPSEY. Yes. If anything, they have been a little too generous to the government, but I certainly don't think we need further exceptions to that.
Mr. CANADY. The gentleman's time has expired.
Mr. NADLER. Thank you.
Mr. CANADY. This has been, I think, a very helpful time we have spent with the panel.
I will say to you, as I said to the representatives from the Department of Justice, we would like to work with you as we continue our consideration of this legislation. I know that we will be in communication with you regarding questions that may yet come up as we are trying to put together the legislation, which hopefully we will pass in the subcommittee next week.
So I thank you. We will be in touch.
Now I would like to ask the members of the final panel to come forward to take your seats. The witnesses on this final panel today will focus their comments on H.R. 4908, the Notice of Electronic Monitoring Act legislation, which I have introduced along with Representative Barr, a companion legislation for which has been introduced by Senator Schumer, as his earlier testimony indicated.
Page 189 PREV PAGE TOP OF DOC
The first witness on this panel will be Lewis Maltby. Mr. Maltby is president of the National Workrights Institute, a nonprofit research and education organization dedicated to advancing the rights of American workers.
Next we will hear from Kenneth Segarnick. Mr. Segarnick is assistant general counsel at United Messaging, a large e-mail outsourcing firm. As assistant general counsel, he assumes responsibility for Federal legislative and policy development and engages in a broad array of monitoring, advising on analytical activities, as well as lobbying on matters of concern to the electronic messaging industry. In addition, he consults clients of United Messaging on how to formulate comprehensive office e-mail usage and securitization policies and conducts seminars on legal issues surrounding Internet and e-mail usage in the workplace.
Our last witness on this panel and of the day is Michael Overly. Mr. Overly is a partner at Foley & Lardner, where his practice encompasses drafting and negotiating computer use policies. He is the author of Overly on Electronic Evidence, and E-Policy: How to Develop Computer E-mail and Internet Guidelines to Protect Your Company and Its Assets, published by the American Management Association.
I want to thank the three of you for being here with us today. We appreciate your patience in waiting to testify at the end of this rather long hearing.
I would ask that you do your best to summarize your testimony in 5 minutes or less, although, as you can tell, no one has yet insisted on strict adherence to the 5-minute rule. Without objection, your written statements will be made a part of the permanent record of this hearing.
Page 190 PREV PAGE TOP OF DOC
We thank you, Mr. Maltby.
STATEMENT OF LEWIS MALTBY, PRESIDENT, NATIONAL WORKRIGHTS INSTITUTE
Mr. MALTBY. Thank you for the opportunity to be here, Mr. Chairman. I appreciate the fact that the committee is holdingor the subcommittee is having these hearings, and appreciate the part that I am allowed to play in it.
We have all seen the incredible transformation of the way that Americans communicate at work. We have gone almost overnight from a world in which everything was done on paper into which virtually all communications are electronic, and there are many specifics about the numbers of that in my written testimony that I won't include today. Overall that has been a great development for all of us. We spend less time shuffling papers, more time getting real work done. It makes our jobs more interesting. It makes our employers more productive, and it increases our standard of living. Everybody wins.
But like any revolution, this one brings issues, and the biggest issue is privacy. Virtually all of the employers today, about 80 percent of all employers, have some kind of electronic monitoring system in place to make sure that its communications systems aren't being abused, and that is probably necessary. Employers can't allow employees to spend the entire workday surfing the Web or sending their fellow employees sexually harassing e-mails.
The problem is that when employers begin to try to monitor electronic communication to prevent the real potential abuses, they invariably get into private communication, sometimes very sensitive private communication. Most of the time I think we all have to admit that personal message is just a woman calling her husband and saying, honey, I am going to be late for dinner tonight because I have to work late. It is technically personal. I don't think I would feel terribly violated if my employer were to hear that kind of statement. But some of the personal messages are very, very sensitive.
Page 191 PREV PAGE TOP OF DOC
Five or 10 years ago, maybe an employee would tell a trusted friend who was a coworker about her marital difficulties over a cup of coffee in a company cafeteria. Today it is just as likely this woman would tell her friend at work about her marital problems over the e-mail system or over the telephone system. Or to give you a Website example, someone who is having problems with drugs or alcohol or who thinks that their husband or wife or son or daughter is developing a drug or alcohol problem might very well go to the Internet, might go to an Internet site for the AA. An employer who monitors every Website that every employee logs onto is going to find out that so and so or their child has a very sensitive, personal problem.
These are matters that no one wants their employer to know about, most employers don't want to know about, and that we probably all agree are not of a legitimate interest to an employer, but the information comes out just the same.
I wish that we had a comprehensive answer to this problem of privacy and technology. The truth is that we don't. There is a dialogue between privacy advocates and employers that is beginning. It is very constructive, but it is a long way from the point where there will be a consensus that anyone can bring to the subcommittee. But there is one point that virtually everyone agrees on, and that is notice. Everyone agrees, I believe, that if an employer feels the need to conduct a monitoring program of who is logging onto what Website or who is sending e-mails to what people, that it shouldn't be done in secret. It shouldn't be done behind people's backs. If it is a legitimate management program, then tell the employees what you are doing. It is just a matter of basic fairness and basic decency.
The American Management Association takes that position, and the large majority, almost 85 percent of its members, do give employees some sort of notice about the monitoring program. Even the employer community doesn't seem to have any fundamental objection to the idea that people should know how they are being monitored.
Page 192 PREV PAGE TOP OF DOC
Mr. NADLER. The what community, did you say?
Mr. MALTBY. I said even the management community. The management community does not seem to have any real objection to the concept of notice, but there are two problems. The first is that while most employers give notice, there are still about 12 million American employees right now that are being monitored that don't get notice, and 12 million people being secretly monitored is too big a number to overlook.
The other point is that the kind of notice that employees frequently get today really isn't very helpful. The most common form of notice seems to say, we, management, reserve the right to monitor any electronic communication at any time or any reason.
What does that tell anybody? An employee does not know if it is her e-mail that is being monitored, her voice mail, her Website access, her hard drive, her telephone, her voice mail or even anything, because all management has said is, we reserve the right to monitor. You don't even know if you are being monitored or not, much less how you are being monitored or why you are being monitored. It is almost worse to have that kind of notice than not be told anything at all.
All H.R. 4908 says is that employers have to be up front with their employees. If there is a monitoring program, tell them about it. It is something employees are entitled to. It is a principle we all know is the right principle. It doesn't cost employers anything. If we cannot agree on this, then what can we agree on? Thank you.
Page 193 PREV PAGE TOP OF DOC Mr. CANADY. Thank you, Mr. Maltby.
[The prepared statement of Mr. Maltby follows:]
PREPARED STATEMENT OF LEWIS MALTBY, PRESIDENT, NATIONAL WORKRIGHTS INSTITUTE
The American workplace has been rapidly transformed from one in which communication took place on paper to one which uses computers to communicate electronically. The vast majority of employers now use electronic monitoring to insure that electronic communication technology is used appropriately. This raises serious privacy issues, especially as the boundary between work and home disappears and personal communication in the workplace grows.
While there is no consensus at this time on a comprehensive resolution of these issues, there is consensus on the basic principle that employees are entitled to know about the monitoring programs which affect them. The Notice of Electronic Monitoring Act would protect the privacy of Americans at work by requiring that employers notify employees about their monitoring programs.
My name is Lewis Maltby. I am president of the National Workrights Institute. The Institute is a non-profit research and education organization dedicated exclusively to advancing human rights in the American workplace. Our mission statement and a copy of my biography are attached to this testimony. The Institute has not received federal grants.
Page 194 PREV PAGE TOP OF DOC
Electronic communication technology has swept through the American workplace with breathtaking speed. When I was a corporate general counsel in the 1980's, we communicated by writing letters longhand on legal pads, carrying them to a secretary to have them typed, proofreading them ourselves, and sending them via the postal service. Today, we communicate by typing the message onto our computer, which proofreads it for us, adding the e-mail address and pushing a button. We don't go to the library to do research, we do it at our desks via the internet. We don't get phone messages from the receptionist anymore, we have voice mail. Almost 5 million companies now have computers for their employees and use those computers for e-mail. Almost 500 million e-mail messages are sent every day. Our entire system of business communication has been transformed.
The benefits of this transformation have been enormous. Less time spent shuffling paper has translated into vastly increased efficiency, higher profits, and an increased standard of living. The quality of our lives has also improved because we have more flexibility. The ability to log on to the office computer after the children go to bed makes it possible for many of us to leave the office in time to have dinner with our families.
But progress always brings risks and challenges in its wake. The automobile gave us undreamed of freedom, but forced us to deal with air pollution. The communications revolution is no exception. The many benefits it brings us have come with great risk to our privacy. Electronic communication technology has been followed by electronic monitoring technology, installed by employers to insure that it is not being abused.
Page 195 PREV PAGE TOP OF DOC
The vast majority of employers already have electronic monitoring programs. According to the American Management Association, 78% of all employers have at least one system in place for electronic monitoring of employees. In some cases (54%) this takes the form of monitoring the internet sites each employee visits. In others (38%), it is reading employees' e-mail messages, or reviewing documents in the employee's computer (30%).
Employers have legitimate reasons for many monitoring programs. Company e-mail systems have sometimes been used to send inappropriate material that contributes to a hostile environment. The seductive allure of the internet has led some employees to spend their time at work web surfing. Employers need to respond to these concerns.
But employers' efforts to prevent abuse often lead to serious invasions of privacy. People are not robots. They discuss the weather, sports, their families, and many other matters unrelated to their jobs while at work. While many of these non-work related conversations are innocuous, some are highly personal. An employee might tell her best friend at work about problems with her husband or share concerns about family financial problems, or their fear that their child may have a drug problem. In today's world, these ''discussions'' may well take place over e-mail or the office telephone. An employer who monitors for legitimate reasons may well inadvertently ''eavesdrop'' on such a sensitive private conversation.
These problems are compounded by the disappearing wall between the world of work and our home lives. Not long ago, work was done in the office and home was for private life. But this world is rapidly disappearing. Most professionals now carry cell phones. We make and receive work related calls during the evening, on weekends, and even on vacation. We have e-mail on our home computers and regularly receive messages from the office. Many of us carry pagers, allowing our employer to reach us any hour of the day or night. The average professional now receives 21 work related messages at home every week. We are also working longer hours than before. Nine to five work days for professional employees no longer exist. Working late, working evenings, and working on weekends is now normal.
Page 196 PREV PAGE TOP OF DOC
When work and home become a seamless whole, not only does work come home, but personal matters come to work. Personal telephone calls which an employee could not make from home during the evening because they were working sometimes must be made from work the next morning. As our schedules become more crowded and fluid, employees often need to communicate with their spouse during the work day about who is working late and how they will get the children to soccer practice. As personal communication from the workplace increases, so does the risk that employer monitoring programs will capture private messages in which the employer has no legitimate interest.
We do not yet have answers to these problems. The dialogue between employers and privacy experts is just beginning and it will be some time before a consensus emerges. But there is one basic principle about which all parties agree. Employers, employees, and privacy experts all agree that employees should receive notice of their company's monitoring programs. Employers may need to conduct monitoring for quality control and other business reasons, but they do not need to do it in secret. Legitimate monitoring programs do not need to be carried out behind employees' backs.
Secret monitoring is not only unnecessary, it is counterproductive. The purpose of monitoring is to ensure that employees are following company policy regarding the use of electronic communications technology. If employees know that the company monitors e-mail or internet access, they will be more careful to follow the rules.
Most important, secret monitoring is ethically wrong. People have a right to know when they are being watched. Reading someone else's messages without telling them is both deceptive and a profound violation of their privacy.
Page 197 PREV PAGE TOP OF DOC
Responsible employers already recognize this, and provide employees notice of monitoring. The American Management Association recommends that employers provide notice of monitoring programs and reports that approximately 85% of its members who conduct electronic monitoring notify their employees (the percentage varies slightly for different types of monitoring). But the remaining 15% of employers conduct their monitoring in absolute secrecy. This indicates that at least 12 million Americans are secretly monitored by their employers (100 million people in the workforce x 80% who are monitored X 15% who do not receive notice).
Moreover, when employees are notified that they are monitored, the notice is often inadequate. The most common form of notice generally states that the employer reserves the right to conduct monitoring. Such notice does not tell an employee what type of monitored is being conducted. An employee doesn't know if it is her e-mail, her hard drive, her telephone calls, or her internet access that is being monitored. She doesn't know if the employer monitors only specific messages, monitors randomly, or monitors each and every message. She doesn't even know whether her employer is monitoring at all. All she knows is that her employer might be conducting monitoring. This is almost worse than no notice at all. H.R. 4908 would solve this problem by setting standards to ensure that the notice of monitoring employees receive is meaningful.
Providing employees with meaningful notice is not only right in principle, but would make a great difference in practice. If an employee knows that her employer monitors e-mail messages, she can protect her privacy by having a sensitive conversation with her husband over the telephone instead. If all forms of communication are monitored, she would at least be able to choose between taking the risk that her personal discussion would be monitored and not having the discussion. An employee would never send a sensitive personal message in the belief it was confidential only to have it read by her employer.
Page 198 PREV PAGE TOP OF DOC
The Notice of Electronic Monitoring Act would protect the privacy of millions of Americans at work at virtually no cost to employers. The National Workrights Institute strongly supports H.R. 4908.
Mr. CANADY. Mr. Segarnick.
STATEMENT OF KENNETH SEGARNICK, ASSISTANT GENERAL COUNSEL, UNITED MESSAGING
Mr. SEGARNICK. Thank you, Mr. Chairman and members of the subcommittee. I appreciate this opportunity to come here and testify on this important issue regarding e-mail monitoring in the workplace and H.R. 4908, the Notice of Electronic Monitoring Act.
The Notice of Electronic Monitoring Act is about balance. It is a balance between what is an employee's actual expectations of privacy or practical expectations of privacy with respect to his or her e-mail communications in the workplace and an employer's legitimate interest in monitoring and protecting its computer resources and prohibiting unprofessional or inappropriate content from being transmitted over its computer network.
The question reallythat begs the question of whether or not the Notice of Electronic Monitoring Act strikes a balance or maybe goes too far to tip the scales away from the employer's favor and back into the employee's side. In other words, it is possible that the substance of the notice requirement under NEMA may actually prove too much and require an onerous burden to be imposed on an employer, and some of the suggestions I have in my written testimony and what I will cover today in my verbal testimony seeks to bring some sort of consistency and uniformity to the legislation, hopefully tie up some of the loose ends and any ambiguities that might exist, and take away any issues that might be problematic down the road.
Page 199 PREV PAGE TOP OF DOC
I agree with Senator Schumer's comments that were made earlier today and in a prior Congressional Record statement that the act is not designed to open the floodgates to litigation. Instead, it is designed to impose, quote, modest terms on an employer.
And so the question is whether or not these terms are indeed modest, and I think before I get into that, I want to talk just briefly about the background of monitoring in the workplace. It is a recent development with respect to e-mail communications in particular.
We heard earlier today from Senator Schumer about various software technologies that allow for automated monitoring of e-mail communications. Some might be surprised to learn that firewall protection may, under certain circumstances, constitute a form of monitoring. For instance, virus blockers or spam blockers or content filter restrictions that are designed just to filter out specific sets of inappropriate or unprofessional comments may, in fact, be considered a form of monitoring as they discriminate against messages based on their content.
Several major U.S. Companies have recently engaged in a corporate crackdown on inappropriate use of Internet e-mail, and we have seen some high-profile stories about very large U.S. companies laying off or terminating or disciplining employees for violation of corporate e-mail use and conventional standard ethics policies.
Not surprisingly, the advent of monitoring e-mail and computer usage in the workplace has spawned a debate over the propriety of such practices. On the one hand you have employees that are arguing that monitoring computer usage and e-mail communications is turning the workplace into some form of an electronic sweatshop where every keystroke and every communication is being monitored, and all privacy hasprivacy has all but disappeared from the workplace.
Page 200 PREV PAGE TOP OF DOC
On the other hand, you have employers saying that because e-mailwhile an essential tool for facilitating business and advance of legitimate business needs, e-mail can be a very dangerous tool to the employer as well, on the other hand.
For instance, with its capacity for instantaneous transmission of information and widespread dissemination, we run the risk of misappropriation of confidential and proprietary information, trade secret information, as well as traditional work environment issues such as harassment or discrimination that may arise over electronic communications. So there is a legitimate interest of the employer to monitor these computer resources to ensure proper usage.
In 1997, an Eastern District of Pennsylvania court held in one of the first cases of its kind that an employer has an unfettered right to monitor employee e-mail, notwithstanding assurances to the contrary. In fact, in Smith v. Pillsbury, the Pillsbury Corporation had dismissed Mr. Smith for transmitting two e-mail communications, one that said that he would rather not attend the company's picnic affair, referring to it as the Jim Jones Kool-Aid affair, and also said that he would like to kill all the back-stabbing bastards.
Not surprisingly, the company fired him, and he brought an action for wrongful termination under Pennsylvania common law, and that action was thrown out of court because he wasthe court held that the plaintiff did not have any reasonable expectation of privacy in any e-mail communications that were voluntarily transmitted over the company's network.
Similarly, in Texas the Texas Court of Appeals held in an unpublished opinion, in McClaren v. Microsoft, that the plaintiff's workstation was provided to him by the company for purposes of advancing the company's interests, and he should not expect it to be considered as personal property, and similarly his wrongful termination lawsuit and invasion of privacy action was thrown out of court.
Page 201 PREV PAGE TOP OF DOC
So what we have here is an opportunity for NEMA to raise the bar in terms of the dignity that is accorded to e-mail in the workplace, show that there may be actually some sort of privacy expectations on behalf of the employees, and, if not, without depriving an employer of its right to monitor e-mail, require notice to the employees, a sufficient form of notice that would put themalert them to the fact that this is not the most secure form of communications or that there is a lack of privacy that is associated with that.
But jumping right into the statute, the noticesection 3(b) of the act requires specific formsa specific form of notice, and I am afraid that there might be some problems associated with that. First, initially, the act does not define the form in which notice is required to be given. Section 3(b) specifies, quote, clear and conspicuous notice in a manner reasonably calculated to provide actual notice. It does not, however, state that this type of notice should be in written form, which I think is the clearest way to have an employer provide notice to its employees of any monitoring practices.
Under the present definition of the act, I don't think anyone could argue that an employer who during the interview of an employee grabs the shirt collar of his employee and spouts out every detail of the monitoring program has provided notice that is clear, conspicuous and in a manner reasonably calculated to provide actual notice.
However, I think we would all agree that verbal notice is undesirable as it is subject to varying interpretations. Of course, in the event of litigation, there will be questions as to whether or not it was ever given. So I think the act can take a preemptive strike at that issue and go ahead and require written notice as opposed to just reasonablyclear and conspicuous reasonably calculated.
Page 202 PREV PAGE TOP OF DOC
Another, and perhaps more complex problem arises from section 3 (B)(3) of the Act, which requires an employer to specify the frequency of its monitoring practices. The problem there is that the employer may, under certain circumstances, be imputed with having constructive notice of certain activities that are occurring over its computer resources.
In other words, an employer, for instance, who specifies in its E policy that it will monitor at the highest level at a keystroke monitoring level where every keystroke, stroke of every key on a computer, will be tracked by some sort of automated or manual monitoring program, may be required or held to a higher standard of care in the event that someone claims they were being harassed, for instance, over the company's e-mail network.
If the employer responds by saying that we did not have actual notice of such events occurring over the company's computer network, the employee may reply by saying you represented to me in your corporate policy that you would monitor these activities, and irrespective of the fact of whether or not you actually engaged that, you are imputed with constructive notice, or you should have reasonably known that this activity was occurring over your network. And I think that is problematic.
I think there are a couple ways that we could avoid that problem, first of which would be to alleviate the frequency requirement altogether. I don't think it is necessary for an employer to have to specify in particularity as to the level of monitoring that it will engage in. But if it is desired to have that into the Act, I think there could be a corrective amendment asserted that would state that the frequency requirement would not be construed as to impute the employer with constructive notice of those activities that are occurring over its computer resources or network.
Page 203 PREV PAGE TOP OF DOC
Also, the Act, section 3 (B)(2), requires an employer to specify the sphere of information that is likely to be targeted by the monitoring regimen. This requirement actually may mislead employees and in believing they have an expectation of privacy in certain types of communications and not a reasonable expectation of privacy in other types. So I think that is problematic. It also leaves open the question of whether or not the employer retains the right to monitor the types of information that are not specified in that sphere of information.
And finally, if section 3 (B)(2) forces an employer to identify with particularity the types of information that it is gunning for, I think we may see a trend, one of the few positive trends that are occurring in corporate e-mail policies, fade away, that is, sanctioned personal usage. Most company policies today are recognizing that there will be some limited personal usage of the company's e-mail system, recognizing that by providing guideposts for appropriate personal usage in the policies. However, it puts the employer in an awkward position of, on the one hand, specifying that you have the limited right to incidental personal use of the computer resources, and on the other hand, stating that that is exactly the type of information that we will be targeting in our monitoring program. One is going to have to give. Since the statue would require the sphere of information be specified, what would ostensibly be an insincere gesture of limited personal usage may eventually fade away.
And finally, the Act does not define user at all or broadly enough. It just specifies employees only, when, in fact, most companies today allow more than just employees to access its e-mail system. We find independent contractors, consultants, media professionals, all types of people with various relationships with the company accessing its e-mail system.
Page 204 PREV PAGE TOP OF DOC So what the Act presently, in its present form would require, that employer provide notice to its employees but not to other authorized or sanctioned users of the e-mail system. Once again, I express my appreciation for this opportunity to testimony. I apologize for running overboard. I would be happy to answer questions if you have them.
Mr. CANADY. Thank you.
[The prepared statement of Mr. Segarnick follows:]
PREPARED STATEMENT OF KENNETH SEGARNICK, ASSISTANT GENERAL COUNSEL, UNITED MESSAGING
Mr. Chairman, and Members of the Subcommittee. Thank you for inviting me to testify about e-mail monitoring in the workplace and H.R. 4908, the ''Notice of Electronic Monitoring Act'' (hereinafter ''NEMA'').
Electronic communication, e-mail in particular, has quickly become a predominant (and preferred) method of communication for companies around the nation. (An estimated 130 million workers are projected to transmit more than 2.8 billion e-mail messages this year alone!)(see footnote 21) And most experts agree that e-mail has changed the workplace for the better. With its capacity for instantaneous transmission and widespread dissemination, as well as a broad range of functionality, e-mail is an essential tool for increasing productivity and efficiency in the workplace.
Yet the same attributes of e-mail that have vastly enhanced corporate communication have also led to a multitude of unexpected difficulties for employers, including exposure to various forms of legal liability. In addition to traditional work environment issues (i.e., sexual harassment, discrimination, and the like), e-mail has introduced a whole host of new issues ranging from employee privacy rights to economic espionage. For some companies, e-mail has been the key to a Pandora's box, opening the door to some of the darkest and most guarded secrets of corporate America. Workplace e-mail has also raised concerns about security of sensitive information and potential waste of corporate computer resources.
Page 205 PREV PAGE TOP OF DOC
Several major U.S. companies have recently engaged in a corporate crackdown on improper use of e-mail and the Internet. For example, last year the New York Times Company fired more than 20 employees for sending e-mail the company deemed inappropriate and offensive. Xerox also terminated 40 employees last year for inappropriate use of the Internet. Just last month, Dow Chemical Co. fired about 50 workers for sending explicit pornographic images through the company's e-mail system and disciplined another 200 workers for distributing, downloading or saving pictures that were either pornographic or violent in nature. Similarly, Merck & Co. had recently taken action against an unspecified number of employees as part of an ongoing corporate investigation on improper use of e-mail and the Internet.
In an ongoing effort to safeguard against the many pitfalls arising from office e-mail usage, many companies have instituted automated monitoring programs. Statistics show that about 17% of FORTUNE 1,000 companies, along with a handful of federal agencies, presently employ software that enables them to monitor their employees' overall computer activity.(see footnote 22) That figure is expected to increase to 80% by 2001.(see footnote 23) The share of major U.S. companies checking employee e-mail messages has jumped to 27% in 2000 from 15% in 1997, according to a survey conducted by the American Management Association.(see footnote 24) And about 16% of those companies that monitor e-mail do not notify their workers that they check.(see footnote 25)
Computer monitoring comes in many shapes and forms; ranging from content-filteringdesigned to block messages containing a specified set of termsto programs that log every single keystroke of an individual's computer. Some companies might be surprised to learn that state-of-the-art virus and spam blockers should also be regarded as computer monitoring.
Page 206 PREV PAGE TOP OF DOC
The advent of monitoring e-mail and computer usage in the workplace has spawned a debate over the propriety of such practices, pitting employers' interests in preventing misuse of their computer resources against employees' expectations of privacy in their electronic communications. The debate over computer surveillance has been further fueled by the covert nature of most monitoring programs; most corporate monitoring programs are capable of accomplishing their surveillance without detection by individual users. Employers maintain that there are compelling reasons to monitor employee e-mail, varying from supervising employee productivity to preventing hostile work environments. Employees, however, claim that without some restrictions on an employer's ability to monitor e-mail, privacy protection will all but disappear from the workplace, resulting in an ''electronic sweatshop'' where constant monitoring takes place.(see footnote 26)
Presently, the case law on point has resolved this debate in the company's favor, leaving employees with little recourse against employers who snoop through their e-mail. Specifically, courts in various jurisdictions have ruled that an employee does not have a reasonable expectation of privacy in e-mail communication voluntarily made over a company e-mail system. One District Court went so far as to hold that an employee does not have a reasonable expectation of privacy in his workplace e-mail notwithstanding company assurances that such communications would not be intercepted.
In Smyth v. Pillsbury Company,(see footnote 27) the plaintiff filed suit against his former employer claiming that he was wrongfully discharged from his position as a regional operations manager. The plaintiff was terminated after the defendant intercepted certain private e-mail messages transmitted by the plaintiff containing what it deemed to be inappropriate and unprofessional comments. The plaintiff claimed that he relied on assurances from the defendant that all e-mail communications would remain confidential and privileged and that such communications could not be intercepted and used against him for termination or reprimand when he transmitted the e-mail at issue. As such, the plaintiff claimed that the defendant encroached upon his right to privacy and his termination was therefore improper.
Page 207 PREV PAGE TOP OF DOC
In dismissing the plaintiff's complaint, the District Court held, in part, that the plaintiff had no reasonable expectation of privacy when using the company's e-mail system despite assurances from the company to the contrary. Specifically, the Court stated:
Once plaintiff communicated the alleged unprofessional comments to a second person (his supervisor) over an e-mail system that was apparently utilized by the entire company, any reasonable expectation of privacy was lost. . . . Rather, plaintiff voluntarily communicated the alleged unprofessional comments over the company e-mail system. We find no privacy interest in such communications.
[E]ven if we found that an employee had a reasonable expectation of privacy in the contents of his e-mail communications over the company e-mail system, we do not find that a reasonable person would consider the defendant's interception of these communications to be a substantial and highly offensive invasion of his privacy. . . . [T]he company's interest in preventing inappropriate and unprofessional comments or even illegal activity over its e-mail system outweighs any privacy interest the employee may have in those comments.(see footnote 28)
Similarly, in another recent decision, the Court of Appeals of Texas held that a plaintiff did not suffer a tortious invasion of privacy when his employer reviewed and disseminated e-mail messages that were stored in a ''personal folders'' application on his office computer.(see footnote 29) Despite the fact that the plaintiff stored his e-mail messages under a private password and in his ''personal folders,'' the court concluded that the plaintiff had no reasonable expectation of privacy in such messages. Notably, the court's analysis honed in on the misconception that an employee's personal workstation is the equivalent to his personal property:
Page 208 PREV PAGE TOP OF DOC
[The plaintiff's] workstation was provided to him by [the defendant] so that he could perform the functions of his job. In connection with that purpose . . . part of his workstation included a company-owned computer that gave [the plaintiff] the ability to send and receive e-mail messages. Thus, contrary to his argument on appeal, the e-mail messages contained on the company computer were not part of [the plaintiff's] personal property, but were merely an inherent part of the office environment.(see footnote 30)
At least one court, however, has declined to dismiss the common-law claims of two former employees terminated for writing disparaging messages about their employer. In Restuccia v. Burk Technology,(see footnote 31) the president of a company was alleged to have spent approximately eight hours accessing and reviewing his employees' e-mail messages. The plaintiffs sent e-mails that included disparaging nicknames for the president and allegations that he was having an affair with another co-worker. The company had no policy prohibiting personal e-mail messages, but did prohibit excessive on-line chatting. The employees were never advised that their supervisor could access their computer files or that their messages were automatically saved on back-up files to which their supervisor had access.
The employees sued under a Massachusetts statute that prohibited the interception of wire communications and also alleged common-law claims of negligent infliction of emotional distress, invasion of privacy, wrongful termination and loss of consortium. The court first held that an employer's storing and reviewing of e-mail messages on a company server did not violate the wiretapping statute. The court did, however, deny the employer's motion for summary judgment on the employees' common-law claims, holding that issues of material fact remained unanswered. In rendering its decision, the Restuccia court emphasized that there was no company policy against using the e-mail system for personal messages and that the company never disclosed to its employees that all e-mail messages were automatically stored on the computer's backup system and were accessible by management.
Page 209 PREV PAGE TOP OF DOC
Seeking to bring uniformity to the patchwork of inconsistent rules that presently extend to e-mail, NEMA has been introduced with bi-partisan support in both houses of Congress. NEMA is intended to impose a fair and reasonable check on monitoring activities, and afford employees the right to know whether, when, and how their employer is watching them. Although the Act is aimed at enhancing employee privacy rights, it does not deprive an employer of its right to monitor. However, NEMA acknowledges that, while employees should not have an expectation of privacy in e-mail voluntarily sent, stored, or received on the company's system, they are entitled to clear notice from employers who choose to exercise their monitoring rights. In essence, NEMA recognizes the pervasiveness of e-mail and accords a higher sense of ''dignity'' to this form of communication.
In particular, NEMA requires employers to notify their employees of any monitoring of communications or computer usage. It covers reading or scanning of employee e-mail, keystroke monitoring, or programs that monitor employee Internet use. The requisite notice must be clear, conspicuous, and given annually and whenever policies change. The notice must also specify the frequency of the monitoring, the kinds of information likely to be monitored, how the monitoring will be accomplished, and how the information will be stored and used.
If an employer engages in secret monitoring in violation of the notice requirements under the Act, they are subject to suit for up to $20,000. While such suits are thought to be few and far between based on the ''modest terms'' of the Act(see footnote 32), the notice requirement may be more of an onerous burden for an employer to sustain than intended.
Page 210 PREV PAGE TOP OF DOC Section (3)(b) of the Act states:
(b) NOTICEA notice meeting the requirements of this subsection is a clear and conspicuous notice, in a manner reasonably calculated to provide actual notice, describing
(1) the form of communication or computer usage that will be monitored;
(2) the means by which such monitoring will be accomplished and the kinds of information that will be obtained through such monitoring, including whether communications or computer usage not related to the employer's business are likely to be monitored;
(3) the frequency of such monitoring; and
(4) how information obtained by such monitoring will be stored, used, or disclosed.
Initially, the Act does not define the form in which notice is required to be given to employees. Although section (3)(b) specifies ''clear and conspicuous notice, in a manner reasonably calculated to provide actual notice,'' it is unclear as to whether such notice must be in written form. Arguably, even verbal notification of a company's monitoring practices passes muster under the Act, provided that such notice encapsulates the remaining requirements of section (3)(b). In fact, no one could argue that an employer who grabs the shirt collar of an employee and spouts out every detail of the company's monitoring program failed to provide notice in a way ''reasonably calculated to provide actual notice.'' However, verbal notification of monitoring is undesirable, as it is subject to varying interpretations and it cannot be reproduced in the event a dispute arises between employer and employee. This problem can be easily remedied by requiring employers to provide written notice either on paper or through a ''click-wrap agreement'' where a company's notice appears online. Therefore, I would suggest amending the Act accordingly.
Page 211 PREV PAGE TOP OF DOC
Another, and perhaps more complex, problem arises from section (3)(b)(3) of the Act, under which an employer must disclose the ''frequency'' of its monitoring practices. By disclosing the frequency of its monitoring activities, an employer may unwittingly raise the standard of care owed to an employee, particularly if a high frequency of monitoring is specified. Under certain circumstances, if a company asserts that it is engaging in continuous monitoring of its e-mail system, but does not have the resources to maintain this frequency level or for whatever reason chooses not to extensively monitor the system, it may nonetheless be bound by its representation that it was engaging in a high level of monitoring. In other words, the company may be imputed with having constructive notice of certain harassing or discriminating or other inappropriate comments being transmitted over its e-mail system, thereby increasing the company's standard of care.
For example, assume that a company asserts that it will engage in the highest frequency of monitoring by utilizing a keystroke-monitoring program that will log an employee's every move on the computer. Some employees may rely on the employer's assertion of continuous monitoring and, as a result, expect the employer to be aware of unprofessional or inappropriate content or illegal activity occurring over its network. Consequently, it may be reasoned that the employer had constructive notice of a sexually explicit e-mail message, for example, transmitted over the company's network, even if the employer never actually implemented any monitoring program at all.
A company can avoid this scenario by specifying its actual level of monitoring, i.e., random or responsive only, but it would then lose some of the deterrent effect of its monitoring policy. Another way to avoid altering the employer's standard of care would be to insert a corrective amendment in the Act stating that nothing in section (3)(b)(3) will be construed as imputing the employer with constructive notice of any activity occurring on its network. Finally, removing the frequency disclosure requirement altogether would alleviate the constructive notice/standard of care issue without undermining the spirit and intent of the Act.
Page 212 PREV PAGE TOP OF DOC
Section (3)(b)(2) of the Act requires an employer to specify the sphere of information that will be targeted by its monitoring regimen. This requirement, however, may actually mislead employees into believing they have a reasonable expectation of privacy in the types of information not targeted by the employer. It also leaves open the question of whether an employer retains the right to review information not defined as ''the kinds of information that will be obtained through . . . monitoring.''
If section (3)(b)(2) forces an employer to identify the types of information that can be legally monitored, it may impede one of the few positive trends occurring in corporate e-mail and computer use policies todaysanctioned personal usage. Because most employees will occasionally write a personal e-mail or use the Internet to do a personal search, many employers are expressly allowing such personal use in their written policies, provided that it does not interfere with the business purposes of the company or the employee's job responsibilities. Rather than banning personal use outright, many corporate policies simply provide guideposts regarding personal use of computer resources, i.e., restricting such use to specific times (breaks, meals, after hours, etc.). However, a statement of whether an employer is ''likely'' to monitor e-mail or other Internet use ''not related to the employer's business'' may put an end to permitted personal usage. Especially in light of the fact that most monitoring programs target non-business related communications, employers would be in the awkward position of consenting to personal e-mail, for example, and explicitly stating that the very same e-mail will likely be monitored. Under such circumstances, authorized use of personal e-mail no longer appears as a sincere gesture and will eventually likely fade away from corporate policies.
In conclusion, the private sector, as with law enforcement, has a manifest need for increased privacy rights associated with e-mail and computer usage. Limitations on an employer's current unfettered right to monitor employee e-mail would certainly be a step in the right direction. The difficulty is counterbalancing an employer's legitimate interest in monitoring its computer resources with an employee's expectations of privacy. Unfortunately, NEMA's notice requirements may prove too much by enhancing employee rights at the expense of the employer. Of course, the subtle inequities of NEMA that I have alluded to in this testimony can be easily rectified with corrective amendments. With these modifications, I wholeheartedly support this bill.
Page 213 PREV PAGE TOP OF DOC
Once again, I would like to express my appreciation for having this opportunity to appear and testify before the Subcommittee. I am available to field questions now or at your convenience.
Mr. CANADY. Mr. Overly.
STATEMENT OF MICHAEL OVERLY, FOLEY & LARDNER
Mr. OVERLY. Thank you, Mr. Chairman. The opinions expressed today are my own and not necessarily those of my firm or any of our clients.
My involvement with technology in the workplace and, in particular, the creation, storage and transmission of electronic information began many years ago when I worked as a research engineer in the defense industry and has continued to the present day in my practice as an attorney. I currently devote the majority of my practice to working with businesses and their employees to address the unique challenges that arise from technology in the workplace. I see pretty much on a daily basis the type of issues that can arise in the breadth of those issues from an employee use of technology in the workplace.
Businesses generally have three areas of concern regarding employee use of computer resources: Minimizing potential liability to the business to their own employees and to third parties outside the organization, protecting sensitive business information which has become a dramatic concern in recent years, from unauthorized disclosure and finally reducing potential waste of computer resources. These concerns require businesses to have the ability to monitor and review employee use of their computer resources to ensure those resources are used properly.
Page 214 PREV PAGE TOP OF DOC
Employees, on the other hand, generally demonstrate a profound lack of appreciation of the potential liability that may arise from use of their employer's computer resources, particularly e-mail. Much of the problem results in the incorrect perception of employees that their electronic communications are entirely ephemeral in nature, that once deleted, they are gone forever, and in fact, records of e-mail and computer use may be maintained for many years, in fact.
Large companies may maintain magnetic tapes of e-mail records and other computer use records for decades. Even deleted messages and files may be retrieved weeks or months after they were thought deleted using very common computer forensic techniques. Files may even be retrieved after they have been repeatedly overwritten on a hard disk. The lack of appreciation of employees and in technically astute employees of the unique nature of e-mail and other forms of computer use has led me to become a strong advocate of computer use policies, written policies that provide employees with a clear and understandable statement of their duties' obligations with regard their employer's computer resources. In particular, I believe it is essential to make clear in these policies that the employer must, at least under certain defined circumstances, be able to review and monitor employee computer use. Employees must be placed on notice that anything created, stored or transmitted through their employer's computer system can and likely will be reviewed by others. And that if the employee desires privacy, they must understand that their employer's computer system is not the way to transmit that information.
It is foregoing reasons that I support notice legislation such as H.R. 4908. I look at such legislation as compelling businesses to do essentially what they should have done in the first place, and develop appropriate policies and disseminate those policies to their employees, and make sure employees through education, under what is containedthose policies, it is not enough to reduce something to writing and distribute it.
Page 215 PREV PAGE TOP OF DOC
I do, however, have a couple of pragmatic concerns regarding the text of the notice of Electronic Monitoring Act. The first has already been raised, and that is, I believe section B requires a little clarification. To avoid unnecessary litigation, I think employers should have a bright line rule as to what does constitute notice and what does not. And I believe that section B, as it is written currently, does not satisfy that requirement.
I spent most of my time helping businesses develop their own policies, work with education programs with their employees, and I think it would be very difficult, given the structure of section B, to come up with a clear, from the employee standpoint, description of exactly what it is that the employer is going to be doing that will satisfy section B as it is currently written.
I have suggested in my notes that a similar approach such as that used, California Senate bill 1016 last year, be considered. Under that proposed notice statute, the employer was simply required to distribute to all employees by hard copy or electronic notice the employer's workplace privacy and electronic monitoring policies and practices. To ensure actual notice of the policies and practices, the California bill would have required each employee to sign or electronically verify that he or she has read, understood and acknowledged receipt of the policies and practices.
If a particular employee declined to sign or electronically verify the to or going, the employer could comply with the notice requirement by having the person that originally provided the policies and practices to the affected employee simply sign and retain a statement to that effect and provide a copy of the statement to the affected employee.
Page 216 PREV PAGE TOP OF DOC
The second concern that I have relates to whether or not the bill is intended to provide an exclusive remedy to the employee. As written, it is unclear whether this bill is intended to give an employees a stand-alone cause of action, separate from and in addition to, any claim the employee may have for any invasion of privacy or any other right. In other words, can an employee maintain a cause of action against an employer under H.R. 4908 and a separate cause of action for damages for invasion of privacy? Similarly, if a State enacts its own notice statute as California nearly did a year ago, can an employee maintain an action under both the State and Federal laws, or will the Federal law preempt the State laws in this area? I believe it is critical that the issue of exclusivity be specifically addressed in the proposed statute.
Mr. Chairman and members of the subcommittee, I thank you for your time.
Mr. CANADY. Thank you.
[The prepared statement of Mr. Overly follows:]
PREPARED STATEMENT OF MICHAEL OVERLY, FOLEY & LARDNER
Mr. Chairman, and Members of the Subcommittee. Thank you for the opportunity to appear before you today to testify regarding this important subject.
My involvement with technology in the workplace and, in particular, the creation, storage, and transmission of electronic information began when I worked as a research engineer many years ago in the defense industry and has continued to the present day in my practice as an attorney. I currently devote the majority of my practice to working with businesses and their employees to address the unique challenges posed by technology in the workplace. I see first hand the wide array of issues that can arise from employee use of a business' computer resources.
Page 217 PREV PAGE TOP OF DOC
Businesses have three general areas of concern regarding employee use of their computer resources: (1) minimizing potential liability of the business to its employees or third parties; (2) protecting sensitive business information from unauthorized disclosure; and (3) reducing potential waste of computer resources. These concerns require businesses to have the ability to monitor and review employee use of their computer resources to insure those resources are used properly.
Employees, on the other hand, generally evidence a profound lack of appreciation of the potential liability that may arise from use of their employer's computer resources, particularly e-mail. Much of the problem results from the incorrect perception of most employees that their electronic communications are entirely ephemeral in nature: existing for only a short time and then permanently erased. Nothing could be further from the truth. Records of e-mail and computer use may be maintained for many years. Even deleted messages and files may be retrieved weeks or months after they were thought deleted.
The lack of appreciation by employees, even technically astute employees, of the unique nature of e-mail and other forms of computer use has lead me to become a strong advocate of computer use policies: written policies that provide employees with a clear and understandable statement of their duties and obligations regarding use of their employer's computer resources. In particular, I believe it is essential to make clear in these policies that the employer must, at least under certain identified circumstances, be able to review and monitor employee computer usage. Employees must be placed on notice that anything created, stored, or transmitted through their employer's computer system can and likely will be reviewed by others and that if they desire privacy, they should not use their employer's computer system.
Page 218 PREV PAGE TOP OF DOC
It is for the foregoing reasons that I support notice legislation such as H.R. 4908. I look at such legislation as compelling businesses to do what they should have done anyway. That is, adopt clear policies regarding employee use of their computer resources.
I do, however, have two concerns regarding the text of the Notice of Electronic Monitoring Act. First, I believe the notice requirements in Section (b) require clarification. To avoid unnecessary litigation, employers should have a bright line rule regarding what is required to satisfy the notice requirement. As written, Section (b) is unduly onerous and will almost certainly lead to litigation as to whether or not a notice included sufficient detail. I believe a simpler approach, such as the one proposed in California SB 1016 last year, be considered. Under that proposed notice statute, the employer was simply required to ''distribute to all employees, by hardcopy or electronic notice, the employer's workplace privacy and electronic monitoring policies and practices.'' To insure actual notice of the policies and practices, the California bill would have required each employee to sign or electronically verify that he or she had read, understood, and acknowledged receipt of the policies and practices. If an employee declined to sign or electronically verify the foregoing, the employer could comply with the notice requirement by having the person who provided the policies and practices to the affected employee sign and retain a statement to that effect and provide a copy of the statement to the affected employee.
My second concern relates to whether or not this bill is intended to provide an exclusive remedy to the employee. As written, it is unclear to me whether this bill is intended to give employees a stand-alone cause of action, separate from and in addition to any claim the employee may have for invasion of privacy or any other right. In other words, can an employee maintain a cause of action against an employer under 4908 and a separate cause of action for damages for invasion of privacy? Similarly, if a state enacts its own notice statute (as California nearly did), can an employee maintain an action under both the state and federal laws? Or will the federal law preempt the state laws in this area? I believe it is critical that the issue of exclusivity be specifically addressed in the proposed statute.
Page 219 PREV PAGE TOP OF DOC
Mr. Chairman, and Members of the Subcommittee, thank you for your attention in this matter, and for the opportunity to provide this testimony. I will be happy to answer any questions you may have.
Mr. CANADY. Mr. Watt.
Mr. WATT. Mr. Chairman, I think these witnesses have pretty much covered the issues that I had thought about. So I may pass.
Mr. CANADY. Mr. Barr.
Mr. BARR. I agree with Mr. Watt, Mr. Chairman. I very much appreciate the witnesses reviewing it. I have read the testimony and listened to the testimony today. And I think the number of questions have been raised and I think with some fine tuning, you have got a good piece of legislation here and I am proud to support it.
Mr. CANADY. Mr. Nadler.
Mr. NADLER. Thank you. Let me join everybody in thanking you, these three witnesses, for their testimony and Mr. Segarnick for some of the suggestions you made. But I will be the fly in the ointment and ask a question. I was struck by one of the court cases cited by Mr. Segarnick, about somebody who I think, as I recall the case, uses e-mail to say thatto tell his friend in the company that no, he didn't want to go to the company picnic and those bastards can all whatever. And was fired, therefor. Now, of course, you can be fired for anything. I mean, nobody has to justify a firing.
Page 220 PREV PAGE TOP OF DOC
My question is a different one.
Mr. Maltby, what would the law regardhow would the law regard a company that, without telling its employees or perhaps with telling its employees, put in an extremely sensitive military sound system in the lunchroom so they could monitor all the employees' conversations, and then fired people if they didn't like what they said.
Mr. MALTBY. The law is pretty murky in this area, Congressman, but could you make a strong argument that that conduct would already be prohibited by ECPA. In fact, there was a case in the early 1990's where an employer did essentially that, they bugged the employee cafeteria by putting bugs in the sprinkler system. And that was Northern Telecom. The case didn't get to trial, but it is common unofficial knowledge that the company settled out of court for a substantial amount of money because his lawyers thought they had a good chance of losing in court on those facts.
Mr. NADLER. Let's take that to e-mail for the moment. If someone is using e-mail, as you said, as the functional equivalent of what used to be said in the cafeteria, should the law be different?
Mr. MALTBY. It shouldn't but it is. Because it is quite clear, no matter which political stripe you go to, that ECPA just doesn't cover e-mail.
Mr. NADLER. I am trying to see what the law might perhaps should be. Now we all know that the employer obviously has a right to guard his system from, you know, being used either for inappropriate purposes or just wasting his money. Fine. But we also know that employees are human beings, and that I think would look askance at some employer who tried to discipline an employee for calling her child when he came home from school and saying, you know, how are you doing, and there is a tuna fish sandwich in the refrigerator and that sort of thing. And I think the same with e-mail, if that becomes the new telephone system. Should there be any limitation on this? Should the law
Page 221 PREV PAGE TOP OF DOC
Mr. MALTBY. Well, it is probably not a subject for legislation. I don't know how one could either, in principle or in practice, establish a statute that says how much personal use are you entitled to and what is reasonable use. But I think as a practical matter, employers just have to recognize that just as they need to send their employees e-mail at night once in a while or call him on his cell phone while he is on vacation standing in a lift line at Stowe, that sometimes the personal messages are going to go from work. You could attempt to minimize it. You could attempt to keep it reasonable, but you can't stop it, it just isn't possible.
Mr. NADLER. Let me go to a slightly different aspect of what I referred to a moment ago. The fellow, if he is sitting in the lunchroom and told your friend, I don't want to go to the company picnic because I don't like Smith, who is going to be there, and the employer secretly bugged you and Smith is the employer and therefore fired you, there is some protection on that from that court case. Should there be some similar protection on Interneton e-mail to your friend in the company? I don't want to go to the picnic because Smith is going to be there and, you know, I don't like Smith.
Mr. MALTBY. There should be. One of the points that we have been trying to make in this area for 10 years now actually is that whether or not the communication ought to be subject to an employer review ought to be determined by what is the subject matter of the communication, and is that subject matter something which the employer has any legitimate interest. It should not be determined by what medium you choose to transmit. If a message would be protected by telephone from employer monitoring, it shouldn't become available to be monitored by the employer because it goes by e-mail instead. That makes no sense at all.
Page 222 PREV PAGE TOP OF DOC
Mr. NADLER. And yet, the employer has a reasonable reason, he has got a reason, to not want his computer time filled up by too many such comments about the company picnic, and about Smith and why we don't like Smith. How do you draw that line?
Mr. MALTBY. Congressman, I don't think anyone knows how to draw that line right now. And I think that is why Congressman Barr has made a very wise choice in this legislation, and Chairman Canady not to try to solve that problem. Rather than try to say what is legitimate monitoring, has not legitimate monitoring and make some forms of monitoring off limits to employers, when quite frankly we don't know how to do that yet. We just say whatever youyou can do whatever you want, employer, just tell people what you are doing.
Mr. NADLER. But subject to the comments of Mr. Segarnick and Mr. Overly about the adequacy of that notice and so forth and explicitness, that is what we ought to do now. But do you think that in the future, perhaps, we ought to consider something to deal with this problem where we figure out how to do it if we figure out how to do it?
Mr. MALTBY. Yes, I think there will be a point when privacy advocates and the management community and other concerned parties will have some rough but genuine consensus about what the rules ought to be about what can be monitored and what can't be monitored. And when that consensus has really emerged, I think we will and ought to be
Mr. NADLER. Not only will and can be monitored, but what actions cannot be taken or can be taken on the result of what you heard.
Page 223 PREV PAGE TOP OF DOC Mr. MALTBY. Hopefully. I assure you that when a consensus emerges, Gregory Nojeim and Jim Dempsey will be on your doorstep to tell you about it. That doesn't exist now. But there is a step where there is consensus, and that is the point of notice. If I could just, for a few seconds, I have to be perfectly candid and admit that drafting this particular bill, I had the privilege of trying to help Senator Schumer and his staff in that effort, this is not an area where there is an established legal vocabulary you can draw on. We had to create a vocabulary for this particular bill. That is an incredibly difficult proposition. I am not at all surprised to hear that maybe we didn't get it absolutely right the first time. I'd be very happy to work with Mr. Segarnick and anyone else to see if we can't find language that really does provide very clear notice to employers, clear notice helps everybody. And we all want to see that. If we haven't done that we will try harder.
Mr. NADLER. Well, let me again thank you and thank all the witnesses here for your forthrightness and for your consideration of this. And with that I yield back Mr. Chairman.
Mr. CANADY. Thank you, Mr. Nadler. I want to join my colleagues in thank you each of you for being with us. I think your comments have been very helpful to us. Mr. Overly and Mr. Segarnick in particular your suggestions for refinements in the language are things that I think we should seriously consider. So it would be my goal to work with you and Mr. Maltby, Senator Schumer, Representative Barr, and other interested members, in trying to make sure we have this right. And that we are not creating any unintended consequences and that we are doing what we have set out to do here. But I
Mr. SEGARNICK. Do we have until tomorrow?
Page 224 PREV PAGE TOP OF DOC
Mr. CANADY. No. Earlier today we thought it would be tomorrow, but we decided that next Thursday would be better. Although I really think that the issues that we are dealing with with respect to this bill are not, while they are not simple, they are less complex than the issues that we are dealing with in the other legislation that we have been discussing at this hearing today. So it would be my objective to try to get this tied up, while at the same time, working on those more complicated issues in the other legislation. On the point about there being a consensus, I think that there is pretty broad agreement, I will have to tell you, though, I am not sure that there is an absolute consensus on even the principle of notice, particularly if there are any penalties attached to the failure to give notice.
So I fully expect there will be some opposition voiced to this bill at some point. I think that is unfortunate because I think this is a very simple clear principle. And I think if we can refine the language, though that I know everybody is on clear notice about what they are expected to do, then the reasons for any objections go outI don't want to create a trap for the unwary. I don't want toas Senator Schumer indicated, this isn't about encouraging litigation by any means. This is about encouraging and requiring certain conduct by employers. But certainly, it is my hope that there wouldn't be any litigation brought under this because we would see across-the-board compliance.
So with that, I thank you and tell you we will be in touch. And the subcommittee stands adjourned.
[Whereupon, at 5:25 p.m., the subcommittee was adjourned.]
Page 225 PREV PAGE TOP OF DOC
(Footnote 1 return)
The Center for Democracy and Technology is a non-profit, public interest organization dedicated to promoting civil liberties and democratic values on the Internet. Our core goals include ensuring that the Constitution s protections extend to the Internet and other new media. CDT also coordinates the Digital Privacy and Security Working Group (DPSWG), a forum for more than 50 computer, communications, and public interest organizations, companies, and associations working on information privacy and security issue.
(Footnote 2 return)
In addition, pursuant to the disclosure requirements of House Rule XI, clause 2(g)(4), I note that I have received no federal grants, contracts or subcontracts during the current or preceding two fiscal years relating to the subject of my testimony.
(Footnote 3 return)
Administrative Office of the U.S. Courts, 1999 Wiretap Report at 5 (May 2000). The Report is required to be compiled annually pursuant to 18 U.S.C. §2519.
(Footnote 4 return)
Id. at Table 7.
(Footnote 5 return)
Id. at 10.
(Footnote 6 return)
18 U.S.C. §3123(a). By contrast, an order to intercept the content of electronic communications requires a showing of probable cause that the target has committed a specified felony. 18 U.S.C. §2516, 2518. The request for such an order must state with particularity information regarding the facts relied upon by the applicant, the crime at issue, the individuals suspected of committing the offense, and the type of communications to be intercepted.
(Footnote 7 return)
United States Telecom Ass'n. v. FCC, 2000 WL 1059852 *12, citing 47 U.S.C. §1006(b)(2).
(Footnote 8 return)
FTP (''File Transfer Protocol'') is they typical method for uploading or downloading files on the Internet. Such files may contain computer programs, graphics, sounds or text. Generally, to log onto an FTP server the user must use an account name and a password. See Preston Gralla, How the Internet Works at 178181 (1999).
(Footnote 9 return)
EPIC v. DOJ, FBI, Reno, DC Dist. Ct., Civ. No. 001849.
(Footnote 10 return)
''Wiretaps Increase in 1997; Only Two Computer Taps,'' EPIC Alert 5.06. May 12, 1998.
(Footnote 11 return)
See, e.g., ''Internet Probe Tainted,'' USA Today, August 30 at 14A. (''A public whose e-mail could be invaded deserves better.''); ''A Bite Out of Carnivore,'' Washington Post, August 19, 2000 at A18 (''. . . it's hard to see how Carnivore could lawfully be deployed without a full wiretap warrant.'')
(Footnote 12 return)
277 U.S. 438, 470 (1928).
(Footnote 13 return)
Letter to Senator Malcom Wallop from EPIC, October 6, 1994, reprinted in Banisar and Schneier and Banisar, The Electronic Privacy Papers, 25254.
(Footnote 14 return)
42 U.S.C. 551.
(Footnote 15 return)
Stephen Labaton, ''Learning to Live with Big Brother,'' The New York Times, July 23, 2000, sect. 4, at 3.
(Footnote 16 return)
American Management Association, ''American Companies Increase use of Electronic Monitoring: AMA Calls on Employers to Raise Level of Dialogue with Employees,'' April 12, 2000 (press release) [http://www.amanet.org/research/specials/elecmont.htm], ''Workplace Testing: Monitoring and Surveillance'' (2000) [http://www.amanet.org/research/pdfs/monitrsurv.pdf]
(Footnote 17 return)
David Banisar, Privacy and Human Rights: An International Survey of Privacy Law and Developments 4555 (EPIC and Privacy International 2000).
(Footnote 18 return)
''Employees Wage War to Protect their E-Mail,'' Orlando Sentinel, April 30, 2000 at H1.
(Footnote 19 return)
Public Law 100618.
(Footnote 20 return)
See Privacy and Human Rights 4647.
(Footnote 21 return)
Dana Hawkins, ''Office Politics in the Electronic Age Workplace,'' U.S. News & World Report, March 22, 1999.
(Footnote 22 return)
Charlotte Faltermayer, ''Cyberveillance,'' TIME Magazine, August 14, 2000 at B22 (citing research conducted by International Data Corp., a Farmingham, Mass. research firm).
(Footnote 23 return)
(Footnote 24 return)
2000 American Management Association, ''Workplace Testing: Monitoring and Surveillance.''
(Footnote 25 return)
(Footnote 26 return)
Hall Adams, III, ''E-Mail Monitoring In The Workplace: The Good, The Bad and The Ugly,'' 67 DEFCJ 32, 34.
(Footnote 27 return)
Smyth v. Pillsbury Company, 914 F. Supp. 97 (E.D. Pa. 1997) (Weiner, J.).
(Footnote 28 return)
Smyth, 914 F. Supp. at 100.
(Footnote 29 return)
McLaren, Jr. v. Microsoft Corporation, 1999 Tex. App. LEXIS 4103
(Footnote 30 return)
McLaren, 1999 Tex. App. LEXIS 4103, * 11.
(Footnote 31 return)
Restuccia v. Burk Technology, 1996 Mass. Super. LEXIS 367 (1996).
(Footnote 32 return)
See Congressional Record, Introduction of Bills and Joint Resolutions (SenateJuly 20, 2000).