SPEAKERS CONTENTS INSERTS
Page 1 TOP OF DOC
67–343
2000
ELECTRONIC COMMUNICATIONS PRIVACY ACT OF 2000, DIGITAL PRIVACY ACT OF 2000 AND NOTICE OF ELECTRONIC MONITORING ACT
HEARING
BEFORE THE
SUBCOMMITTEE ON THE CONSTITUTION
OF THE
COMMITTEE ON THE JUDICIARY
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
ON
H.R. 5018, H.R. 4987 and H.R. 4908
SEPTEMBER 6, 2000
Page 2 PREV PAGE TOP OF DOC
Serial No. 138
Printed for the use of the Committee on the Judiciary
For sale by the U.S. Government Printing Office
Superintendent of Documents, Congressional Sales Office, Washington, DC 20402
COMMITTEE ON THE JUDICIARY
HENRY J. HYDE, Illinois, Chairman
F. JAMES SENSENBRENNER, Jr., Wisconsin
BILL McCOLLUM, Florida
GEORGE W. GEKAS, Pennsylvania
HOWARD COBLE, North Carolina
LAMAR S. SMITH, Texas
ELTON GALLEGLY, California
CHARLES T. CANADY, Florida
BOB GOODLATTE, Virginia
STEVE CHABOT, Ohio
BOB BARR, Georgia
WILLIAM L. JENKINS, Tennessee
ASA HUTCHINSON, Arkansas
EDWARD A. PEASE, Indiana
CHRIS CANNON, Utah
JAMES E. ROGAN, California
LINDSEY O. GRAHAM, South Carolina
Page 3 PREV PAGE TOP OF DOC
MARY BONO, California
SPENCER BACHUS, Alabama
JOE SCARBOROUGH, Florida
DAVID VITTER, Louisiana
JOHN CONYERS, Jr., Michigan
BARNEY FRANK, Massachusetts
HOWARD L. BERMAN, California
RICK BOUCHER, Virginia
JERROLD NADLER, New York
ROBERT C. SCOTT, Virginia
MELVIN L. WATT, North Carolina
ZOE LOFGREN, California
SHEILA JACKSON LEE, Texas
MAXINE WATERS, California
MARTIN T. MEEHAN, Massachusetts
WILLIAM D. DELAHUNT, Massachusetts
ROBERT WEXLER, Florida
STEVEN R. ROTHMAN, New Jersey
TAMMY BALDWIN, Wisconsin
ANTHONY D. WEINER, New York
THOMAS E. MOONEY, SR., General Counsel-Chief of Staff
JULIAN EPSTEIN, Minority Chief Counsel and Staff Director
Page 4 PREV PAGE TOP OF DOC
Subcommittee on the Constitution
CHARLES T. CANADY, Florida, Chairman
HENRY J. HYDE, Illinois
ASA HUTCHINSON, Arkansas
SPENCER BACHUS, Alabama
BOB GOODLATTE, Virginia
BOB BARR, Georgia
WILLIAM L. JENKINS, Tennessee
LINDSEY O. GRAHAM, South Carolina
MELVIN L. WATT, North Carolina
MAXINE WATERS, California
BARNEY FRANK, Massachusetts
JOHN CONYERS, Jr., Michigan
JERROLD NADLER, New York
CATHLEEN CLEAVER, Chief Counsel
BRADLEY S. CLANTON, Counsel
JONATHAN A. VOGEL, Counsel
PAUL B. TAYLOR, Counsel
C O N T E N T S
HEARING DATE
September 6, 2000
Page 5 PREV PAGE TOP OF DOC
TEXT OF BILLS
H.R. 5018
H.R. 4987
H.R. 4908
OPENING STATEMENT
Canady, Hon. Charles T., a Representative in Congress From the State of Florida, and chairman, Subcommittee on the Constitution
WITNESSES
Corn-Revere, Robert, attorney, Hogan & Hartson L.L.P., Washington, DC
Dempsey, James X., senior staff counsel, Center for Democracy and Technology
DiGregory, Kevin, Deputy Associate Attorney General, Department of Justice
Maltby, Lewis, president, National Workrights Institute
Nojeim, Gregory T., legislative counsel, American Civil Liberties Union
Page 6 PREV PAGE TOP OF DOC
Overly, Michael, Foley & Lardner
Rotenberg, Marc, executive director, Electronic Privacy Information Center
Schumer, Hon. Charles, a U.S. Senator From the State of New York
Segarnick, Kenneth, assistant general counsel, United Messaging
LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING
Canady, Hon. Charles T., a Representative in Congress From the State of Florida, and chairman, Subcommittee on the Constitution: Prepared statement
Conyers, Hon. John, Jr., a Representative in Congress From the State of Michigan: Prepared statement
Corn-Revere, Robert, attorney, Hogan & Hartson L.L.P., Washington, DC: Prepared statement
Dempsey, James X., senior staff counsel, Center for Democracy and Technology: Prepared statement
DiGregory, Kevin, Deputy Associate Attorney General, Department of Justice: Prepared statement
Page 7 PREV PAGE TOP OF DOC
Kerr, Donald M., Assistant Director, Federal Bureau of Investigation Before the United States Senate, The Committee on the Judiciary, September 6, 2000
Maltby, Lewis, president, National Workrights Institute: Prepared statement
Nadler, Hon. Jerrold, a Representative in Congress From the State of New York: Prepared statement
Nojeim, Gregory T., legislative counsel, American Civil Liberties Union: Prepared statement
Overly, Michael, Foley & Lardner: Prepared statement
Rotenberg, Marc, executive director, Electronic Privacy Information Center: Prepared statement
Schumer, Hon. Charles, a U.S. Senator From the State of New York: Prepared statement
Segarnick, Kenneth, assistant general counsel, United Messaging: Prepared statement
ELECTRONIC COMMUNICATIONS PRIVACY ACT OF 2000, DIGITAL PRIVACY ACT OF 2000 AND NOTICE OF ELECTRONIC MONITORING ACT
Page 8 PREV PAGE TOP OF DOC
WEDNESDAY, SEPTEMBER 6, 2000
House of Representatives,
Subcommittee on the Constitution,
Committee on the Judiciary,
Washington, DC.
The subcommittee met, pursuant to call, at 2 p.m., in Room 2237, Rayburn House Office Building, Hon. Charles Canady [chairman of the subcommittee] presiding.
Present: Representatives Charles T. Canady, Asa Hutchinson, Bob Goodlatte, Bob Barr, Melvin L. Watt, John Conyers, Jr. and Jerrold Nadler.
Staff present: Cathleen Cleaver, chief counsel; Jonathan A. Vogel, counsel; Paul B. Taylor, counsel; Susana Gutierrez, clerk; Anthony Foxx, minority counsel; and Cori Flam, minority counsel, Committee on the Judiciary.
OPENING STATEMENT OF CHAIRMAN CANADY
Mr. CANADY. The subcommittee will be in order.
In recent hearings the subcommittee has considered issues arising from the development of the Internet as a networked global communications medium. Prior testimony before the subcommittee has shown that the expansion in the range of transactions that occur on-line, and the amount of information now stored with third-party Internet service providers have produced a qualitative change in the nature of communications and, accordingly, in the nature and amount of information that may be exposed to interception by the government and by private employers.
Page 9 PREV PAGE TOP OF DOC
As much of the information individuals formerly kept in their homes, file cabinets, wallets and purses gravitates toward new locations on the Internet's landscape, Congress must consider whether existing statutes adequately protect the rights of individuals, and whether additional legislation or oversight is necessary to ensure that legal protections of personally sensitive information keep pace with rapidly advancing technology related to electronic communication and information storage.
With these concerns in mind, the subcommittee is conducting today's hearings on H.R. 5018, the Electronic Communications Privacy Act of 2000; H.R. 4987, the Digital Privacy Act; and H.R. 4908, the Notice of Electronic Monitoring Act.
[The information referred to follows:]
106TH CONGRESS
2D SESSION
H. R. 5018
To amend title 18, United States Code, to modify certain provisions of law relating to the interception of communications, and for other purposes.
IN THE HOUSE OF REPRESENTATIVES
JULY 27, 2000
Mr. CANADY of Florida (for himself and Mr. HUTCHINSON) introduced the following bill; which was referred to the Committee on the Judiciary
Page 10 PREV PAGE TOP OF DOC
A BILL
To amend title 18, United States Code, to modify certain provisions of law relating to the interception of communications, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ''Electronic Communications Privacy Act of 2000''.
SEC. 2. EXCLUSIONARY RULE.
Section 2515 of title 18, United States Code, is amended—
(1) by striking ''wire or oral communication'' and inserting ''wire, oral, or electronic communication'';
(2) by inserting '', or any stored electronic communication has been disclosed,'' after ''has been intercepted''; and
(3) by inserting ''or chapter 121'' after ''this chapter''.
SEC. 3. REPORTS CONCERNING THE DISCLOSURE OF STORED ELECTRONIC COMMUNICATIONS.
Section 2703 of title 18, United States Code, is amended by adding at the end the following:
''(g) REPORTS CONCERNING THE DISCLOSURE OF STORED ELECTRONIC COMMUNICATIONS.—
(1) Within thirty days after the expiration of an order (or each extension thereof) entered under subsection (d), or the denial of an order approving a disclosure of stored electronic communications, the issuing or denying judge shall report to the Administrative Office of the United States Courts—
(A) the fact that an order or extension was applied for;
Page 11 PREV PAGE TOP OF DOC
(B) the kind of order or extension applied for;
(C) the fact that the order or extension was granted as applied for, was modified, or was denied;
(D) the period of disclosures authorized by the order, and the number and duration of any extensions of the order;
(E) the offense specified in the order or application, or extension of an order;
(F) the identity of the applying investigative or law enforcement officer and agency making the application and the person authorizing the application; and
(G) the nature of the facilities from which or the place where stored electronic communications were to be disclosed.
(2) In January of each year the Attorney General, an Assistant Attorney General specially designated by the Attorney General, or the principal prosecuting attorney of a State, or the principal prosecuting attorney for any political subdivision of a State, shall report to the Administrative Office of the United States Courts—
(A) the information required by subparagraphs (A) through (G) of paragraph (1) of this section with respect to each application for an order or extension made during the preceding calendar year;
(B) a general description of the disclosures made under such order or extension, including—
(i) the approximate nature and frequency of incriminating communications disclosed;
(ii) the approximate nature and frequency of other communications disclosed;
(iii) the approximate number of persons whose communications were disclosed; and
Page 12 PREV PAGE TOP OF DOC
(iv) the approximate nature, amount, and cost of the manpower and other resources used in the disclosures;
(C) the number of arrests resulting from disclosures made under such order or extension, and the offenses for which arrests were made;
(D) the number of trials resulting from such disclosures;
(E) the number of motions to suppress made with respect to such disclosures, and the number granted or denied;
(F) the number of convictions resulting from such disclosures and the offenses for which the convictions were obtained and a general assessment of the importance of the disclosures;
(G) the approximate number of persons whose communications were disclosed and who were not charged with a crime; and
(H) the information required by subparagraphs (B) through (G) of this paragraph with respect to orders or extensions obtained in a preceding calendar year.
(3) In April of each year the Director of the Administrative Office of the United States Courts shall transmit to the Congress a full and complete report concerning the number of applications for orders authorizing or approving the disclosure of stored electronic communications pursuant to this chapter and the number of orders and extensions granted or denied pursuant to this chapter during the preceding calendar year. Such report shall include a summary and analysis of the data required to be filed with the Administrative Office by paragraphs (1) and (2) of this section. The Director of the Administrative Office of the United States Courts is authorized to issue binding regulations dealing with the content and form of the reports required to be filed by paragraphs (1) and (2) of this section.
SEC. 4. PEN REGISTERS.
(a) APPLICATION.—Section 3122(b)(2) of title 18, United States Code, is amended to read as follows:
Page 13 PREV PAGE TOP OF DOC
''(2) a showing by the applicant that the requirements of section 3123 have been met.''.
(b) ISSUANCE OF ORDER.—Section 3123 of title 18, United States Code, is amended—
(1) in subsection (a), by inserting '', except that such order shall not be entered if the pen register or trap and trace device identifies an e-mail address unless the court finds that specific and articulable facts reasonably indicate that a crime has been, is being, or will be committed, and information likely to be obtained by such installation and use is relevant to an investigation of that crime'' before the period at the end; and
(2) in subparagraphs (A) and (C) of subsection (b)(1), by striking ''telephone'' and inserting ''transmission''.
(c) DEFINITIONS.—Section 3127 of title 18, United States Code, is amended—
(1) in paragraph (3), by inserting ''or which identify the e-mail address transmitted'' after ''attached''; and
(2) in paragraph (4), by inserting '', or which identify an e-mail address'' after ''transmitted''.
106TH CONGRESS
2D SESSION
H. R. 4987
To amend title 18, United States Code, with respect to electronic eavesdropping, and for other purposes.
IN THE HOUSE OF REPRESENTATIVES
Page 14 PREV PAGE TOP OF DOC
JULY 27, 2000
Mr. BARR of Georgia (for himself and Mrs. EMERSON) introduced the following bill; which was referred to the Committee on the Judiciary
A BILL
To amend title 18, United States Code, with respect to electronic eavesdropping, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ''Digital Privacy Act of 2000''.
SEC. 2. REPORTING REQUIREMENTS.
Section 2703 of title 18, United States Code, is amended by adding at the end the following:
''(g) REPORTS CONCERNING COURT-ORDERED DISCLOSURE.—Not later than 30 days after the expiration of (or each extension thereof) an order under subsection (d) by a Federal court, or the denial of such an order, the issuing or denying judge shall report to the Administrative Office of the United States Courts that information about the order of disclosure that would be required to be reported under section 2519 with respect to an order relating to an interception under chapter 119.''.
''(h) REPORTS CONCERNING OTHER DISCLOSURE.—In April of each year, the Attorney General shall transmit to Congress a report on—
''(1) the number and kind of warrants and subpoenas applied for by law enforcement agencies of the Department of Justice under this section during the preceding year;
''(2) the number of such applications granted or denied;
Page 15 PREV PAGE TOP OF DOC
''(3) with respect to each warrant or subpoena issued under this section—
''(A) the number and type of communications disclosed;
''(B) the approximate number and frequency of incriminating communications disclosed;
''(C) the offense specified in the application; and
''(D) the approximate number of persons whose communications were disclosed; and
''(4) the number of arrests resulting from such warrants and subpoenas, the offenses for which those arrests were made, the number of trials resulting from such warrants and subpoenas, the number of motions to suppress made with respect to such warrants and subpoenas, the number of such motions granted or denied, the number of convictions resulting from such warrants and subpoenas, and the offenses for which the convictions were obtained and a general assessment of the importance of the warrants and subpoenas.''.
SEC. 3. EXTENSION OF EXCLUSIONARY RULE.
Section 2515 of title 18, United States Code, is amended by inserting ''or electronic communication'' after ''wire or oral communication''.
SEC. 4. ISSUANCE OF PEN REGISTER AND TRAP AND TRACE DEVICE ORDERS.
Subsection (a) of section 3123 of title 18, United States Code, is amended by striking ''the attorney for the Government'' and all that follows through the end of the subsection and inserting ''factual evidence reasonably indicates that a crime has been, is being, or will be committed, and information likely to be obtained by such installation and use is relevant to an investigation of that crime.''.
SEC. 5. GOVERNMENT ACCESS TO CONTENTS OF STORED ELECTRONIC COMMUNICATIONS.
Section 2703(a) of title 18, United States Code, is amended by striking ''one hundred and eighty days'' each place it appears and inserting ''one year''.
Page 16 PREV PAGE TOP OF DOC
SEC. 6. GOVERNMENT ACCESS TO LOCATION INFORMATION.
(a) COURT ORDER REQUIRED.—Section 2703 of title 18, United States Code, as amended by section 2, is further amended by adding at the end the following:
''(i) DISCLOSURE OF LOCATION INFORMATION TO GOVERNMENTAL ENTITIES.—
''(1) DISCLOSURE UPON COURT ORDER.—A provider of mobile electronic information generated by and disclosing the current physical location of a subscriber's equipment only if the governmental entity obtains a court order issued upon a finding that there is probable cause to believe that the equipment has been used, is being used, or is about to be used to commit a felony offense.
''(2) DISCLOSURE UPON SUBSCRIBER OR USER CONSENT.—A provider of mobile electronic communication service may provide to a governmental entity information described in paragraph (1) with the consent of the subscriber or the user of the equipment concerned.''.
(b) CONFORMING AMENDMENT.—Subsection (c)(1)(B) of section 2703 of title 18, United States Code, is amended by striking ''(b) of this section'' and inserting ''(b), or wireless location information covered by subsection (g)''.
106TH CONGRESS
2D SESSION
H. R. 4908
To amend title 18, United States Code, to provide for the disclosure of electronic monitoring of employee communications and computer usage in the workplace.
Page 17 PREV PAGE TOP OF DOC
IN THE HOUSE OF REPRESENTATIVES
JULY 20, 2000
Mr. CANADY of Florida (for himself and Mr. BARR of Georgia) introduced the following bill; which was referred to the Committee on the Judiciary
A BILL
To amend title 18, United States Code, to provide for the disclosure of electronic monitoring of employee communications and computer usage in the workplace.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ''Notice of Electronic Monitoring Act''.
SEC. 2. ELECTRONIC MONITORING OF EMPLOYEE COMMUNICATIONS AND COMPUTER USAGE IN THE WORKPLACE.
(a) ELECTRONIC MONITORING.—
(1) IN GENERAL.—Chapter 121 of title 18, United States Code, is amended—
(A) by redesignating section 2711 as section 2712; and
(B) by inserting after section 2710 the following new section 2711:
''§2711. Electronic monitoring in the workplace
''(a) IN GENERAL.—(1) Except as provided in subsection (c), an employer who intentionally, by any electronic means, reads, listens to, or otherwise monitors any wire communication, oral communication, or electronic communication of an employee of the employer, or otherwise monitors the computer usage of an employee of the employer, without first having provided the employee notice meeting the requirements of subsection (b) shall be liable to the employee for relief as provided in subsection (d).
Page 18 PREV PAGE TOP OF DOC
''(2) Not later than one year after first providing notice of electronic monitoring under paragraph (1), and annually thereafter, an employer shall provide notice meeting the requirements of subsection (b) to all employees of the employer who are subject to such electronic monitoring.
''(3) Before implementing a material change in an electronic monitoring practice described in paragraph (1), an employer shall provide notice meeting the requirements of subsection (b) to all employees of the employer who are subject to electronic monitoring covered by that paragraph as a result of the change.
''(b) NOTICE.—A notice meeting the requirements of this subsection is a clear and conspicuous notice, in a manner reasonably calculated to provide actual notice, describing—
''(1) the form of communication or computer usage that will be monitored;
''(2) the means by which such monitoring will be accomplished and the kinds of information that will be obtained through such monitoring, including whether communications or computer usage not related to the employer's business are likely to be monitored;
''(3) the frequency of such monitoring; and
''(4) how information obtained by such monitoring will be stored, used, or disclosed.
''(c) EXCEPTION.—An employer may conduct electronic monitoring described in subsection (a) without the notice required by subsection (b) if the employer has reasonable grounds to believe that—
''(1) a particular employee of the employer is engaged in conduct that—
''(A) violates the legal rights of the employer or another person; and ''(B) involves significant harm to the employer or such other person; and
Page 19 PREV PAGE TOP OF DOC
''(2) the electronic monitoring will produce evidence of such conduct.
''(d) CIVIL ACTION.—(1) Any person aggrieved by any act in violation of this section may bring an action in a United States district court.
''(2) Subject to paragraph (3), the court in an action under this subsection may award—
''(A) actual damages, but not less than liquidated damages in the amount of $5,000;
''(B) punitive damages;
''(C) reasonable attorneys' fees and other litigation costs reasonably incurred; and
''(D) such other preliminary and equitable relief as the court determines to be appropriate.
''(3)(A) The amount of monetary damages awarded an employee under paragraph (2) may not exceed $20,000.
''(B) The aggregate amount of monetary damages awarded against an employer under paragraph (2) for a given violation of this section may not exceed $500,000.
''(4) No action may be brought under this subsection unless such action is begun within 2 years from the date of the act complained of or the date of discovery of the act complained of, whichever is later.''.
(2) CLERICAL AMENDMENT.—The table of sections at the beginning of that chapter is amended by striking the item relating to section 2711 and inserting the following new items:
''Sec. 2711. Electronic monitoring in the workplace.
''Sec. 2712. Definitions for chapter.''.
(b) EFFECTIVE DATE.—The amendments made by subsection (a) shall take effect 120 days after the date of the enactment of this Act.
Page 20 PREV PAGE TOP OF DOC
Mr. CANADY. H.R. 5018 and H.R. 4987 would update provisions of Federal communications surveillance law by including forms of electronic information under the protection of the so-called statutory exclusionary rule, which excludes illegally obtained communications from use in evidence. The bills would require the Federal Government to produce the same annual reports regarding its requests for access to electronic information, such as e-mail, that it must currently produce regarding its requests for the use of telephone wiretaps. The bills would also allow law enforcement to obtain e-mail addresses under the statute authorizing it to obtain telephone numbers, but only when the government meets a higher standard of proof.
H.R. 4908 would require that employers give notice to their employees regarding company electronic communications monitoring practices, including notice of the kinds of information that would be obtained from such monitoring, and how the information would be stored or disclosed.
I would like to make one preliminary note of clarification with respect to H.R. 5018. There is a drafting error in section 3 of that bill. The intent of the bill is to impose disclosure requirements on the government only when it seeks the content of communications, and not when it seeks transaction records that are not considered to contain content under the Electronic Communications Privacy Act as currently written.
Consequently, the disclosure provisions of H.R. 5018 are intended to apply to government requests for the contents of electronic communications under 18 U.S.C. section 2703(a) and (b), and not to government requests for transaction records under 18 U.S.C. section 2703(d).
Page 21 PREV PAGE TOP OF DOC
The reference to subsection (d) of section 2703 on page 2, line 17 of the bill was the result of a drafting error. The reference should instead be to subsections (a) and (b) of section 2703.
With that one clarification, we will now turn to our witnesses. I look forward to hearing all of the testimony to be presented by the witnesses today.
[The prepared statement of Mr. Canady follows:]
PREPARED STATEMENT OF HON. CHARLES T. CANADY, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF FLORIDA, AND CHAIRMAN, SUBCOMMITTEE ON THE CONSTITUTION
In recent hearings the Subcommittee has considered issues arising from the development of the Internet as a networked global communications medium. Prior testimony before the Subcommittee has shown that the expansion in the range of transactions that occur ''on-line,'' and the amount of information now stored with third party ''Internet service providers'' have produced a qualitative change in the nature of communications and, accordingly, in the nature and amount of information that may be exposed to interception by the government and by private employers.
As much of the information individuals formerly kept in their homes, file cabinets, wallets, and purses, gravitates toward new locations on the Internet's landscape, Congress must consider whether existing statutes adequately protect the rights of individuals, and whether additional legislation or oversight is necessary to ensure that legal protections of personally sensitive information keep pace with rapidly advancing technology related to electronic communication and information storage.
Page 22 PREV PAGE TOP OF DOC
With these concerns in mind, the Subcommittee is conducting today's hearing on H.R. 5018, the ''Electronic Communications Privacy Act of 2000,'' H.R. 4987, the ''Digital Privacy Act,'' and H.R. 4908, the ''Notice of Electronic Monitoring Act.''
H.R. 5018 and H.R. 4987 would update provisions of federal communications surveillance law by including forms of electronic information under the protection of the so-called ''statutory exclusionary rule,'' which excludes illegally obtained communications from use in evidence. The bills would also require the federal government to produce the same annual reports regarding its requests for access to electronic information, such as e-mail, that it must currently produce regarding its requests for the use of telephone wiretaps. The bills would also allow law enforcement to obtain e-mail addresses under the statute authorizing it to obtain telephone numbers, but only when the government meets a higher standard of proof.
H.R. 4908 would require that employers give notice to their employees regarding company electronic communications monitoring practices, including notice of the kinds of information that would be obtained from such monitoring, and how the information would be stored or disclosed.
One preliminary note of clarification is in order: there is a drafting error in §3 of H.R. 5018. The intent of the bill is to impose disclosure requirements on the government only when it seeks the content of communications, and not when it seeks transaction records that are not considered to contain content under the Electronic Communications Privacy Act as currently written. Consequently, the disclosure provisions of H.R. 5018 are intended to apply to government requests for the contents of electronic communications under 18 U.S.C. §2703 (a) and (b), and not to government requests for transaction records under 18 U.S.C. §2703(d). The reference to subsection (d) of §2703 on page 2, line 17, of the bill was the result of a drafting error. The reference should instead be to subsections (a) and (b) of §2703.
Page 23 PREV PAGE TOP OF DOC
I look forward to hearing the witness' testimony on the legislation to be considered here today.
Mr. CANADY. I now recognize Mr. Watt.
Mr. WATT. Thank you, Mr. Chairman. I thank the chairman for having this hearing today and praise him again for having the prior hearings, and I think what we have found over the course of these hearings is that this is an inordinately difficult issue. It kind of makes me long for the days of 1789 when the original Article IV was put into place with all of its simplistic beauty.
I was just reading it here to try to ground myself. It has kind of an almost surreal simplicity to it. It simply says, the right of the people to be secure in their persons, houses, papers and effects against unreasonable searches and seizures shall not be violated, and no warrant shall issue but upon probable cause, supported by oath or affirmation and particularly describing the place to be searched, and the persons or things to be seized.
Such simplistic beauty, which at the time probably was pretty complex, too, but at least in order to violate section—Article IV—amendment 4, you had to kick in somebody's door and go inside their houses or grab their persons, and now we have all of this information and the new technology and the phones and the ability to communicate over distances that probably could never have been contemplated or thought about by the original drafters.
Our challenge is to take that simplistic beauty of the fourth amendment and make sure that we stay true to the underlying rationale and the philosophy that impelled the drafters to put it there in the first place.
Page 24 PREV PAGE TOP OF DOC
The more and more electronic and technological advances we make, the more difficult it becomes to try to figure out how they fit into the simplistic beauty of the language.
I think one of our challenges, one of my challenges, has been and continues to be, and I realized this even more today as I was flying back on the plane and reviewing the materials for this hearing, understanding the technology and what the technology does is a challenge in and of itself, and a level of understanding about what the technology does and how it works is necessary to fit it into the parameters of the law and make it fit where we want it to fit.
So the more we can hear about both the technology, which we had a wonderful hearing about, and law enforcement's perception of how it ought to fit, and people's perception of how it ought to fit in the fourth amendment and constitutional context, I think the better informed we are. And so I am thankful that we are having this hearing, and I am thankful that we had the prior hearings. And I hope we will move in a very measured way and try to keep this a bipartisan approach to trying to find a solution. The chairman and I have talked and committed ourselves to that, and I hope we can continue to move in that direction.
I thank you very much for having the hearing, and I look forward to hearing the witnesses.
Mr. CANADY. Thank you, Mr. Watt.
We will now move to our first panel for today's hearing.
Page 25 PREV PAGE TOP OF DOC
I am sorry. Representative Hutchinson, I did not see you come in.
Mr. HUTCHINSON. That is fine, Mr. Chairman. I just want to thank you for holding this hearing, and I wanted to extend a greeting to Senator Schumer. I am glad to have him back over here and look forward to his testimony, and I want to yield back, Mr. Chairman.
Mr. CANADY. Thank you.
On our first panel today will be Senator Charles Schumer of New York, who has introduced S. 2898, the Notice of Electronic Monitoring Act, in the Senate.
Senator Schumer served with great distinction as a member of our committee for a number of years. We are very pleased to have Senator Schumer back with us today, and we look forward to his testimony. We ask that you do your best to confine your remarks to 5 minutes, but I don't think anyone here will insist on strict compliance with the 5-minute rule.
Senator Schumer, you are recognized.
STATEMENT OF HON. CHARLES SCHUMER, A U.S. SENATOR FROM THE STATE OF NEW YORK
Mr. SCHUMER. Thank you, Mr. Chairman. It is good to be back. I will try to stay within the 5-minute rule, particularly since I see this. They say nothing is new under the sun, but I see that new timer there instead of the old red and yellow and green lights, and I noticed as my friend from North Carolina was speaking, he had it perfectly, because a little yellow light that now says ''sum up'' begins, and he began to sum up just as it lit, and he finished as it was going 004, which was 4 seconds left. So I guess it works, and I will try to comply with that.
Page 26 PREV PAGE TOP OF DOC
I just want to say, Mr. Chairman, it is so good to be back here. I have many fond memories both of serving on the Judiciary Committee, being in this room on many, many important occasions. The quality of the members of this committee has always been outstanding and continues to be today in terms of intelligence; and not—we all don't have the same views, but I think the fervor and intelligence with which the issues are debated has been a hallmark of this subcommittee when I was a member of the Judiciary Committee and to this day, and I very much appreciate the opportunity to testify.
I also want to thank you, Mr. Chairman and Congressman Barr, for introducing H.R. 4908, the Notice of Electronic Monitoring Act, or NEMA. As you know, I have introduced NEMA on the Senate side, and I hope we can soon pass this bill which will end the practice of unjustified secret electronic monitoring by workers—of employees by their employers.
With the revolutionary changes in technology that my friend Mel Watt had alluded to, the Internet and other technological changes bring new opportunities, but also new threats to individual privacy; and one of those is electronic employee monitoring.
A lot of people don't know this yet, but for all intents and purposes, the computer that you use at work can watch your every move. Over the course of the past year, new software has been developed that makes it easy and cheap for employers to automatically record an employee's e-mail, Web activities, and even an employee's every keystroke. For example, one software product claims that it reviews more than 50,000 e-mail messages an hour, silently, discreetly and continuously, auditing e-mail content moving in and out of a company. It can be run from any work station. It can be set up within a few minutes, and after a free 30-day trial the employer can buy it for a mere $400.
Page 27 PREV PAGE TOP OF DOC
My point is not that such software products are per se bad. Indeed, electronic monitoring sometimes can prove a benefit, protecting corporate secrets, preventing employee harassment. But my point is that new technologies allow just about any employer to monitor any employee without their knowledge, and that these new software packages are becoming ubiquitous, cheap, simple to install and use, and that is what causes the problem.
The number of employers who monitor employee e-mail has doubled in the last 2 years. A recent survey indicates that as of last year nearly three-quarters of large American companies actively record and review either e-mail, Internet usage, computer files or phone usage. NEMA puts a check on business that is moderate, reasonable and fair. It gives employees the right to know whether and when and how their employer is watching; it does not prohibit, but lets the employee know ahead of time.
We would never stand for it if an employer steamed open an employee's mail and read it and put it back without his or her knowledge. Well, the same should be with e-mail. Employees are going to occasionally write personal e-mails, like a message to a spouse about a financial problem, or use the Internet to do a personal search for a medical question that they might have about themselves. All employees should know, before doing such a search or sending an e-mail, whether they have privacy or not.
NEMA requires employers to notify their employees of any monitoring of communication or computer usage. It covers reading or scanning of employee e-mail, keystroke monitoring or programs that monitor employee Web use, as well as the monitoring of telephone conversations.
Page 28 PREV PAGE TOP OF DOC
Importantly, NEMA doesn't prohibit any monitoring techniques. It merely requires employers to give clear and conspicuous notice annually and whenever policies change; and if the employer has a good reason to believe that an employee is causing significant harm to the employer or any other person, the employer can monitor that person without notice at all.
If an employer secretly monitors in violation of the act, they are subject to a suit by the employee for at most $20,000. However, I believe that such lawsuits will be few and far between because employers will simply abide by the modest terms of the act and give annual notice.
New technology has made it cheap and easy for employers to secretly monitor everything an employee does on-line, and this legislation provides workers a first line of defense against a practice that can sometimes amount to nothing more than a blatant invasion of privacy.
I want to thank you, Mr. Chairman, Congressman Barr, for joining in this bipartisan effort. NEMA has already garnered the support of the full spectrum of the privacy community. Where else do you have the ACLU to the CDT to the Eagle Forum all supporting a single piece of legislation? I hope that by working together we can make it law this session.
Thank you.
Mr. CANADY. Thank you, Mr. Schumer.
Page 29 PREV PAGE TOP OF DOC
[The prepared statement of Senator Schumer follows:]
PREPARED STATEMENT OF HON. CHARLES SCHUMER, A U.S. SENATOR FROM THE STATE OF NEW YORK
Mr. Chairman, thank you for holding this hearing and for inviting me to testify on an issue that is extremely pressing. I should also thank and commend you, Mr. Chairman and Congressman Barr for introducing H.R. 4908, the Notice of Electronic Monitoring Act or ''NEMA.'' As you know, I have introduced NEMA on the Senate side and I hope that we can soon pass this bill, which will end the practice of unjustified secret electronic monitoring of workers by their employers.
With the revolutionary changes that technology and the Internet are bringing to society, comes new threats to individual privacy. One of those is electronic employee monitoring. A lot of people don't know this yet, but, for all intents and purposes, the computer you use at work can watch your every move.
Over the course of the past year, new software has been developed that makes it easy and cheap for employers to automatically record an employee's email, web activities, even an employee's every key stroke.
For example, one software product claims that it reviews more than 50,000 email messages per hour, silently, discretely, and continuously auditing email content moving in and out of a company. This product can be run from any workstation, and can be set up and running in minutes. After a free 30-day trial of the software, an employer can buy it for a mere $400.
Page 30 PREV PAGE TOP OF DOC
My point is not that such software products are per se bad. Indeed, electronic monitoring can sometimes be helpful in protecting corporate trade secrets or preventing employee harassment. My point is that new technologies that allow any employer to monitor employees without their knowledge is becoming ubiquitous, cheap, and simple to install and use.
And it is becoming a problem. The number of employers who monitor employee email has doubled in the last two years. A recent survey indicates that as of last year, nearly three quarters of large American companies actively record and review either email, Internet usage, computer files, or phone usage.
NEMA puts a check on business that is reasonable and fair. It gives employees the right to know whether, when, and how their employer is watching. We would never stand for it if an employer steamed open an employee's mail, read it, and put it back without her knowledge. It should be the same with email.
Employees are going to occasionally write personal emails like a message to a spouse about a financial problem, or use the Internet to do a personal search for a medical question they have. All employees should know before doing a search or sending an email, whether they have privacy or not.
NEMA requires employers to notify their employees of any monitoring of communications or computer usage. It covers reading or scanning of employee email, keystroke monitoring, or programs that monitor employee web use, as well as monitoring of telephone conversations.
Page 31 PREV PAGE TOP OF DOC
Importantly, NEMA does not prohibit any monitoring techniques, it merely requires employers to give clear and conspicuous notice annually and whenever policies change. And if the employer has good reason to believe that an employee is causing significant harm to the employer or any other person, the employer can monitor that person without any notice at all.
If an employer secretly monitors, in violation of the Act, they are subject to suit by the employee for at most $20,000 in damages. However, I believe that such lawsuits will be few and far between because employers will simply abide by the modest terms of the Act and give annual notice.
New technology has made it cheap and easy for employers to secretly monitor everything an employee does on line. This legislation provides workers a first line of defense against a practice that can sometimes amount to nothing more than a blatant invasion of privacy. NEMA is a moderate and fair step that addresses an important threat to employee privacy that is quietly but quickly spreading to most workplaces.
Again, thank you Congressmen Canady and Barr for joining in this bipartisan effort. NEMA has already garnered the support of the full spectrum of the privacy community—from the ACLU to CDT to the Eagle Forum. I hope that working together we can make it law soon.
Mr. CANADY. As is our custom, we would not ask questions. I certainly don't have any questions, and I understand that you have pressing commitments in the Senate, so we thank you for being here.
Page 32 PREV PAGE TOP OF DOC
Mr. SCHUMER. I appreciate the opportunity to testify, Mr. Chairman. Thank you.
Mr. CANADY. Thank you for your leadership on this legislation.
We will now move to our second panel of witnesses. Actually, we will be hearing from one witness on our second panel. On our second panel today we will hear from Kevin DiGregory. Mr. DiGregory is Deputy Associate Attorney General at the Department of Justice, to whom members of Justice Department's Computer Crimes Unit report.
Joining Mr. DiGregory at the table will be David Green, the Deputy Chief of the Computer Crime and Intellectual Property Section of the Department of Justice. Mr. Green will not be making a separate statement, but will be at the table with Mr. DiGregory to answer questions.
I want to thank both of you for being here with us today. Mr. DiGregory, I ask that you do your best to summarize your testimony in 5 minutes or less. Without objection, your written statement as well as the written statements of all of the other witnesses today will be made a part of the permanent record of this hearing.
Mr. DiGregory, we welcome you back. I guess this is your third visit with us——
Mr. DIGREGORY. Third time, yes.
Page 33 PREV PAGE TOP OF DOC
Mr. CANADY [continuing]. In recent months. We appreciate your being with us here today. We look forward to your testimony.
STATEMENT OF KEVIN DiGREGORY, DEPUTY ASSOCIATE ATTORNEY GENERAL, DEPARTMENT OF JUSTICE
Mr. DIGREGORY. Thank you, Mr. Chairman and members of the committee. Thank you for allowing me this opportunity to testify about the protection of privacy and public safety in cyberspace. Twice before this year I have had the privilege of testifying before you on similar issues, and I am pleased to be here today to continue that discussion.
I appreciate your willingness to meet with members of the Department's Computer Crime Section. Yesterday, as I apologized earlier to the chairman, I am sorry that my schedule didn't permit me to attend that meeting, but I understand that there was a productive exchange of views.
Over the last decade, use of computers and the Internet has grown exponentially and individuals have increasingly come to depend on this use in their daily lives. Yet as people have increasingly used computers for lawful uses, so too have criminals increasingly exploited computers to commit crimes and to harm the safety, security and privacy of others.
Since just the beginning of the year, for example, legitimate e-commerce has been the target of malicious computer hackers in the form of denial of service attacks against Yahoo, eBay and CNN. In addition, in May the I Love You virus infected 45 million files in computer systems all over the globe, causing damages estimated at $2.61 billion.
Page 34 PREV PAGE TOP OF DOC
While the denial of service attacks and viruses have received a great deal of attention, they are but one facet of the criminal activity that occurs on-line today. Criminals use computers to send child pornography to each other through anonymous encrypted communications. Hackers break into financial computers and steal sensitive personal information, including people's Social Security numbers and credit card information. And criminals use the Internet's inexpensive and easy means of communication to commit large-scale fraud on victims all over the globe. Simply put, criminals are exploiting the Internet and victimizing people worldwide every day.
It is important to note, Mr. Chairman, that when law enforcement apprehends a criminal who has stolen a citizen's e-mail and personal information from a computer system, or a hacker who has compromised the financial records of a bank customer, we are protecting the privacy of law-abiding citizens and deterring further privacy violations. Thus, to address the looming threats created by the criminal misuse of the Internet, Congress should consider, we believe, comprehensive amendments to current law to enhance both privacy and public safety by first addressing loopholes in the substantive offenses that define criminal conduct relating to computers and the Internet; secondly, updating the procedural tools that law enforcement investigators use to gather evidence of criminal acts and identify the perpetrators of those acts; and third, by ensuring protection for the legitimate privacy interests of law-abiding Internet users.
Mr. Chairman, my written testimony provides greater detail about the threat of cybercrime as well as the Department's efforts to protect and promote privacy. Because I know the committee's time is limited, I will move directly to the Department's views on the bills that are the subject of today's hearing.
Page 35 PREV PAGE TOP OF DOC
With respect to H.R. 5018, I applaud the members of this subcommittee for your concern about the privacy interests of Internet users and their on-line safety and security. As my testimony today indicates, the Department shares those concerns. The Department, however, has reservations about the way the proposed bills treat these important issues. I hope that you will continue to provide us the opportunity to engage in a constructive dialogue with members of your staff on how to best address these issues in legislation.
Let me begin, as I said, with H.R. 5018, the Electronic Communications Privacy Act of 2000. Although this bill attempts to address a number of important concerns, it is not, we believe, the kind of balanced, comprehensive package that would improve safety, security and privacy of Internet users.
H.R. 5018, as we understand it, would make three significant changes to the law. First, it would amend the laws governing how law enforcement may obtain noncontent information about e-mail under the pen register and trap and trace statutes. It would introduce statutory suppression for certain nonconstitutional violations, and it would create a host of new reporting requirements. I will address each of these features in turn.
First, section 4 of H.R. 5018 would make it more difficult for law enforcement authorities to obtain a trap and trace or pen register order for electronic mail. Law enforcement investigators use such orders to collect the to and from information, source and destination, associated with communications from a particular e-mail account. For example, when a criminal uses e-mail to buy and sale narcotics or to lure children for sex, law enforcement needs to know to whom he is sending messages and from whom he receives them. Under current law, to obtain such an order, a prosecutor must certify that the information likely to be obtained is relevant to an ongoing criminal investigation.
Page 36 PREV PAGE TOP OF DOC
Under this bill, to obtain a pen/trap order for e-mail would require a judge or a magistrate to assess whether the facts reasonably indicate that a crime has or will be committed and that the information likely to be gathered by the order will be relevant to that crime.
By applying this new standard only to e-mail addresses, the amendments would insert a technology-specific term into the statute with far-ranging implications. This definition does not take into account the large number of other ways that electronic communications are sent over computer networks. An electronic letter can be sent using a file transfer protocol, and messages of all kinds are exchanged using Internet mechanisms such as instant messaging and chat rooms. Moreover, because the definition is phrased in terms of e-mail, one of today's technologies, it will likely become outdated as the Internet continues to evolve. It may be that in 10 years, no one will be using what we now call e-mail at all, but will be instead using some new technology not covered by the bill.
Thus, the prudent course, we believe, in amending our laws is to define terms using technology-neutral language. For example, using generic terms such as ''source'' and ''destination of the communication'' avoids this pitfall. An example of such language is contained in the administration's legislative proposal transmitted to Congress in July and entitled the Enhancement of Privacy and Public Safety in Cyberspace Act. That act would provide for judicial review before law enforcement may obtain trap and trace information not just for e-mails, but for addressing information involving both electronic and telephonic communications.
Second, H.R. 5018's trap and trace amendments are problematic because of what they do not contain. To create a balanced bill, we believe, that would enhance public safety as well as privacy, Congress should address a crucial and growing obstacle to the ability of law enforcement to investigate threats to public safety and to business on-line, and that growing threat is the geographical limitation currently found in the trap and trace and pen register statutes.
Page 37 PREV PAGE TOP OF DOC
Under current law, a court can only order the installation of a pen/trap device within the geographical boundaries of that court's district. The changes in telecommunications technology and the telecommunications industry mean that many different companies located in a variety of judicial districts may handle a single communication as it crosses the country. As a result, investigators often have to apply for multiple court orders in multiple jurisdictions in order to trace a single communication, causing, we believe, a needless waste of resources and endangering important investigations by allowing perishable data potentially to be lost.
No privacy interest is enhanced, we submit, by repeatedly applying for identical orders in different parts of the country based upon the same underlying facts. The statute should be amended to ensure that Federal courts have the authority in a single order to require any U.S. Telecommunications carrier to provide law enforcement authorities with the information needed to trace both voice and electronic communications to their source. Language implementing such a change is contained in the administration's bill. As is the case today, a Federal court with jurisdiction over the investigation still would have to approve the application.
Another section of H.R. 5018 would apply the wiretap statute suppression remedy, 18 U.S. Code 2515, in two new circumstances: For real-time interception of the content of electronic communications and for obtaining e-mail in electronic storage. Expanding the reach of the statutory suppression provision in this broad manner may confer an unwarranted windfall on criminals.
Page 38 PREV PAGE TOP OF DOC
By suppressing evidence, a court interferes with a core function of a criminal trial, the search for the truth. The exclusion of evidence prevents a jury from hearing all the relevant facts that allow it to determine guilt or innocence. Because suppression of evidence affects the central values of our criminal justice system, it is generally reserved for serious constitutional violations. Congress should consider carefully before creating new suppression remedies by statutes in situations where no criminal violation—excuse me, where no constitutional violation has occurred.
Statutory rules can be enforced through existing civil remedies that do not allow the guilty to escape punishment. As an alternative, this subcommittee may wish to consider the approach taken by the administration's bill, which raises the level of protection for real-time interceptions of the content of electronic communications so that they are equal to the protections afforded to wire and voice, while also eliminating other ambiguities in the law by, for example, clarifying that Internet service providers that provide service through coaxial cable which also is used to provide cable TV service, to provide that—when they provide that Internet service, they are subject to the provisions of the Electronic Communications Privacy Act.
Finally, H.R. 5018 also mandates new reporting requirements that would create a significant burden for law enforcement authorities. These reporting requirements would apply to the use of orders for the disclosure of stored communications under section 2703 of title 18. These orders are less intrusive than wiretap authorizations for the real-time interceptions of the content of communications, yet H.R. 5018 would impose reporting requirements even greater than those imposed on law enforcement for wiretap orders.
The imposition of such extensive reporting requirements for cybercrime investigators at a time when law enforcement authorities are strapped for resources to fight cybercrime would hinder our efforts to fight cybercrime.
Page 39 PREV PAGE TOP OF DOC
Let me turn now to H.R. 4987, the Digital Privacy Act of 2000. While the bill addresses important issues, it raises many of the same concerns as H.R. 5018. For example, it creates an extensive new reporting requirement for an even broader set of processes, including search warrants and grand jury subpoenas, threatening once again to perhaps turn crimefighters into bookkeepers. Moreover, H.R. 4987 contains a provision that would greatly restrict the use of cell phone location information by government entities.
Currently we obtain cell site location from providers through an order under 18 United States Code 2703(d), which requires the government to provide to a court specific and articulable facts showing that there are reasonable grounds to believe that the records are relevant and material to an ongoing criminal investigation. The proposed amendment would allow law enforcement to obtain such cell site information only upon a judicial finding that there is probable cause to believe that the equipment has been used, is being used or is about to be used to commit a felony offense. This new restriction, we believe, would prevent location information from being obtained where the phone itself is not being used to commit the offense.
This amendment has the capacity, we believe, to potentially seriously endanger public safety. For example, just last week three defendants in Florida were given life sentences for kidnapping a family and holding them hostage. The family had been rescued by using the location of a cell phone. In another case, cell phone location information allowed investigators to track a fugitive murderer from Florida and arrest him in North Carolina. If the proposed bill were enforced, we would not have been able to find these criminals through cell phone location because the phone was not being used to commit a crime.
Page 40 PREV PAGE TOP OF DOC
As you can see, the consequences of the proposed provision are significant.
We believe the current standard adequately protects privacy and should be maintained.
Finally, Mr. Chairman, I want to thank you again for the opportunity to testify today. The public is properly concerned about their on-line privacy and the potential for criminals, private industry and the government to infringe upon it. But the public is also deeply concerned about their safety and security when using the wondrous resources of the Internet. Enhancing the ability of law enforcement to fight cybercrime both promotes Internet user safety and enhances their privacy by deterring and punishing those who would violate that individual privacy.
The Department of Justice stands ready to work with the members of this subcommittee and others to achieve these important goals.
That concludes my prepared statement, and Mr. Green and I would be pleased to try to answer any questions that you have.
[The prepared statement of Mr. DiGregory follows:]
PREPARED STATEMENT OF KEVIN DIGREGORY, DEPUTY ASSOCIATE ATTORNEY GENERAL, DEPARTMENT OF JUSTICE
Mr. Chairman and Members of the Subcommittee, thank you for allowing me this opportunity to testify about H.R. 5018, the ''Electronic Communications Privacy Act of 2000,'' and H.R. 4987, the ''Digital Privacy Act of 2000.'' Twice before this year I have had the privilege of testifying before you on issues relating to the protection of privacy and public safety in cyber-space, and I am pleased to be here today to continue that discussion.
Page 41 PREV PAGE TOP OF DOC
The Internet and Public Safety
Over the last decade, use of computers and the Internet has grown exponentially, and individuals have increasingly come to depend on this use in their daily lives. The Internet has resulted in new and exciting ways for people to communicate, transfer information, engage in commerce, and expand their educational opportunities. These are but a few of the marvelous benefits of this rapidly changing technology. There is no question that the Internet has changed the way we live today. Yet, as has been the case with every major technological advance in our history, we are seeing individuals and groups use this technology to commit serious criminal acts. As people have increasingly used computers for lawful purposes, so too have criminals increasingly exploited computers to commit crimes and to harm the safety, security, and privacy of others.
Since just the beginning of the year, for example, legitimate e-commerce has been the target of malicious computer hackers in the form of ''denial of service attacks.'' These unlawful attacks involved the unauthorized intrusion into a large number of computers, which were in turn used to launch attacks on several, target computers, such as Yahoo, eBay, and CNN. In these cases, the number of victims was substantial, as was the collective loss and cost to respond to these attacks. We have also seen the emergence of fast-moving viruses that have caused damage to computer systems around the world and have disrupted the computer systems of consumers, businesses, and governments. In May, the ''I Love You'' virus infected 45 million files in computer systems all over the globe, causing damages estimated at $2.61 billion. Frighteningly, the ''I Love You'' virus was followed by almost 30 copycat variants.
Page 42 PREV PAGE TOP OF DOC
While the denial of service attacks and viruses have received a great deal of attention and are cause for concern, they are but one facet of the criminal activity that occurs online today. Criminals use computers to send child pornography to each other through anonymous, encrypted communications; hackers break into financial computers and steal sensitive, personal information of private consumers, such as names, addresses, social security numbers, and credit card information; and criminals use the Internet's inexpensive and easy means of communication to commit large-scale fraud on victims all over the globe.
Let me share some statistics with you that illustrate the dimensions of the problem. Seventy-four percent of businesses recently surveyed by the Computer Security Institute reported computer security breaches that included theft of proprietary information, financial fraud, system penetration by outsiders, data or network sabotage, or denial of service attacks. Indeed, almost twenty percent of respondents reported 10 or more such incidents. In addition, Internet fraud has increased exponentially. Since it's inception in May of this year, for example, the FBI's Internet Fraud Complaint Center has received 1,200 complaints every week. At this rate, they will receive 62,000 complaints a year. Simply put, criminals are exploiting the Internet and victimizing people, worldwide, everyday.
Responding to the Challenge of Unlawful Conduct on the Internet
The growing threat of illicit conduct online was made clear in the findings and conclusions reached in the report of the President's Working Group on Unlawful Conduct on the Internet, entitled, ''The Electronic Frontier: The Challenge of Unlawful Conduct Involving the Use of the Internet.'' This extensive report highlights some of the significant challenges facing law enforcement in cyberspace. As the report states, the needs and challenges confronting law enforcement, ''are neither trivial nor theoretical.'' The Report outlines a three-pronged approach for responding to unlawful activity on the Internet:
Page 43 PREV PAGE TOP OF DOC
1. Conduct on the Internet should be treated in the same manner as similar conduct offline, in a technology neutral manner.
2. The needs and challenges of law enforcement posed by the Internet—including the need for resources, up-to-date investigative tools and enhanced multi-jurisdictional cooperation—are significant.
3. There should be continued support for private sector leadership in developing tools and methods to help Internet users prevent and minimize the risks of unlawful conduct online.
The report also emphasizes the need to address the privacy issues raised by changes in computer and telecommunications technology. I would encourage anyone with an interest in this important topic to review carefully the report of the Working Group. The report can be found on the Internet by visiting the website of the Department of Justice's Computer Crime and Intellectual Property Section, located at www.cybercrime.gov. That website also contains a great deal of other information relating to cyber-crime and to the laws protecting intellectual property.
The migration of criminality to cyberspace accelerates with each passing day and the threat to public safety is becoming increasingly significant. As Deputy Attorney General Eric Holder told a joint hearing of House and Senate Judiciary Subcommittees in February, this nation's vulnerability to computer crime is astonishingly high and threatens not only our financial well-being and our privacy, but also this nation's critical infrastructure.
Page 44 PREV PAGE TOP OF DOC
Legislation That Would Promote the Safety, Security, and Privacy of Internet Users
It is important to note, Mr. Chairman, that when law enforcement successfully apprehends a criminal who has stolen a citizen's personal information from a computer system, or a hacker who has compromised the financial records of a bank customer, we are undeniably working, not just to apprehend the offender, but to protect the privacy of law-abiding citizens and to deter further privacy violations at the hands of criminals.
Thus, in order to address the looming threats created by the criminal misuse of the Internet, Congress should consider a comprehensive package of amendments to current law. Such a package should enhance both privacy and public safety by (1) addressing loopholes in the substantive offenses that define criminal conduct relating to computers and the Internet; (2) updating the procedural tools that law enforcement investigators use to gather evidence of criminal acts and identify the perpetrators; and (3) ensuring protection for the legitimate privacy interests of law-abiding Internet users.
Moreover, such a comprehensive package should not ignore the need for law enforcement to have adequate resources to respond to the continuing growth in cyber-crime. The changing nature of criminal investigations and the need to develop effective computer crime prevention and response strategies requires a focused, national effort that includes local, state, and federal law enforcement entities. Law enforcement is taking steps to respond to this dramatic increase in criminal activity: indeed, he FBI alone opened more than twice as many computer crime investigations in FY 1999 as it had in FY 1998. Unlike traditional methods of equipping and training law enforcement officers, investigators focusing on cyber-crime must receive continuous training and updated equipment in order to stay current with the rapidly changing technology. Criminals undoubtedly understand the latest technology, and so must law enforcement. In order to be able to meet the growing threat, we urge Congress to fully fund the Administration's FY 2001 budget request for increased prosecutive resources for the Criminal Division's Computer Crime and Intellectual Property Section and for United States Attorneys Offices—to handle cyber-crime investigations and cases.
Page 45 PREV PAGE TOP OF DOC
We also need to amend existing law in two areas. First, we must make certain that the substantive laws defining what conduct is criminal—such as the Computer Fraud and Abuse Act (section 1030 of title 18)—are adequately refined and updated. Second, we must look critically at the tools law enforcement uses to investigate computer crimes—such as the existing Electronic Communications Privacy Act and the pen register and trap and trace statutes—to ensure that they are cast in terms that fully account for the rapid advances in technology. Failure to do both will hamper our efforts. If we have the appropriate substantive laws, but no means to effectuate them, we will be stymied in our pursuit of online criminals. Conversely, if the conduct in question is not covered by the criminal law, the ability to gather evidence is of no value in protecting the safety and privacy of people who use the Internet.
The Administration has been carefully considering these issues for a number of months. As a result of this process, in July the Administration, through the Department of Justice, transmitted to Congress proposed legislation that attempts to resolve the shortcomings in both the substantive and procedural laws, while improving privacy safeguards. In short, this proposal seeks to enhance both online privacy and public safety. I urge Congress to consider this kind of comprehensive legislation that seeks to deal with the full scope of the problem, rather than attempting to address the issues piecemeal.
With that background, I am pleased today to offer the views of the Department of Justice on the legislation recently proposed by Members of this Subcommittee.
Department of Justices Views on H.R. 5018
Page 46 PREV PAGE TOP OF DOC
I applaud the members of this subcommittee for your concern for protecting the privacy interests of Internet users and their online safety and security. As my testimony today indicates, the Department shares your concerns about ensuring the privacy interests of those who use computer networks lawfully. The Department does, however, have serious reservations about the way the proposed bills treat these important issues.
Let me begin by discussing H.R. 5018, the ''Electronic Communications Privacy Act of 2000.'' Although this bill attempts to address a number of important concerns, it is not the kind of balanced, comprehensive package that would improve the safety, security, and privacy of Internet users. It does not update the substantive criminal law that defines computer crimes in order to assure that criminals who violate the security and privacy of American citizens are properly punished. Nor does it modernize the investigative tools used to fight cyber-crime in a balanced way. And it does not address the desperate need for resources to assure that investigators and prosecutors have the training and equipment to pursue cyber-crime cases properly.
H.R. 5018 would make three significant changes to the law: (i) it would amend the laws governing how law enforcement may obtain non-content information under the pen register/trap and trace statutes; (ii) it would introduce statutory suppression for a range of non-Constitutional violations; and (iii) it would create a host of new reporting requirements. I will address each of these features in turn.
Proposed Trap and Trace/Pen Register Amendments. Section 4 of H.R. 5018 would make it more difficult for law enforcement authorities to obtain a Trap and Trace or Pen Register Order for electronic mail. Law enforcement investigators use such orders to collect the ''to'' and ''from'' information associated with communications from a particular e-mail account. For example, when a criminal uses e-mail to send a kidnaping demand, to buy and sell narcotics, or to lure children for sex, law enforcement needs to know to whom he is sending messages and from whom he receives them. Current law requires the applying government attorney to certify that the information likely to be obtained through the Order is relevant to an ongoing criminal investigation.
Page 47 PREV PAGE TOP OF DOC
H.R. 5018, like the Administration's bill, would introduce the requirement of judicial review of the factual basis for such orders. Specifically, H.R. 5018 would require such applications to contain ''specific and articulable facts'' that would justify the collection of the data. While the Justice Department can comply with the added administrative burdens imposed by increasing this standard, we have concerns about the amendments. Specifically, the technology-specific manner in which the bill would implement this change, the lack of an emergency exception, and the unrealistic geographic limitations that restrict such orders in the present law all raise serious concerns that should be addressed.
The Administration bill would, while raising the barriers to obtaining pen register and trap and trace orders, also amend those telephone-era statutes in a technology-neutral manner to make clear their relevance to the electronic age. Thus, if amended by that bill, the statute would apply to all ''dialing, routing, addressing, and signaling information'' associated with a given communication. It would thus increase privacy protection for all forms of electronic communication—including plain old telephone calls.
H.R. 5018, by contrast, would apply the heightened standard only to devices that identify ''an e-mail address.'' This definition does not take into account the large number of other ways that electronic communications are sent over computer networks. For example, an electronic letter can be sent using ''file transfer protocol'' (or ''ftp''), and messages of all kinds are exchanged using Internet mechanisms such as ''instant messaging'' and ''chat rooms.'' Moreover, because the definition is phrased in terms of one of today's technologies, ''e-mail,'' it will likely become quickly outdated as the Internet continues to evolve. It may be that in ten years, no one will be using what we now call ''e-mail'' at all but will be instead using some new technology not covered by the bill. Thus, the prudent course in amending our laws is to define terms using technology-neutral language, such as that contained in the Administration bill.
Page 48 PREV PAGE TOP OF DOC
We also believe that any amendment to the pen/trap statute should supplement existing legal authority that allows law enforcement to use pen/trap devices in emergency situations—such as when they encounter an immediate danger of death or serious bodily injury or when they are investigating organized crime—without getting prior approval from a court, so long as they obtain court approval within 48 hours thereafter. The Administration bill would add two long-overdue exceptions to the prior-approval requirement: (1) immediate threats to national security; and (2) investigations of ongoing intrusions into computer networks under 18 U.S.C. §1030. In the latter case, rapid investigative response is made essential both by the nature of the medium—in which attackers may move seamlessly and almost instantaneously through a series of ''stepping stone'' victim sites, launching attacks from each—and by the quickly disappearing character of network routing evidence.
H.R. 5018 also fails to address a crucial and growing obstacle to the ability of law enforcement to investigate threats to public safety and to business online: the geographical limitations currently found in the trap and trace and pen register statutes. Under current law a court can only order the installation of a pen/trap device within the geographical boundaries of that Court's district. But changes in telecommunications technology and the telecommunications industry means that many different companies, located in a variety of judicial districts, may handle a single communication as it crosses the country. As a result, investigators often have to apply for multiple court orders in multiple jurisdictions in order to trace a single communication, causing a needless waste of resources and delaying and impeding important investigations. Indeed, in computer network investigations, such delays can cause perishable data to be lost and effectively end an investigation.
Page 49 PREV PAGE TOP OF DOC
The statute should be amended to ensure that federal courts have the authority to order all telecommunications carriers providing service in the United States—whether within a particular judicial district or not—to provide law enforcement authorities the information needed to trace both voice and electronic communications to their source. Language implementing such a change is contained in the Administration's bill. It is important to recognize in considering a nationwide trap-and-trace provision that introducing such a change would in no way reduce privacy protections. As is the case today, a federal court with jurisdiction over the investigation would still have to approve the application. No privacy interest is enhanced by repeatedly applying for identical orders in different parts of the country based on the same underlying facts.
New Statutory Suppression Remedies. Section 2 of H.R. 5018 creates two new statutory suppression remedies. It would require that courts exclude evidence from any criminal trial—whether the crime is the distribution of child pornography, a terrorist conspiracy, or murder—where investigators failed to meet statutory requirements. The statutes at issue define the legal procedures that investigators must use to obtain stored electronic communications and to intercept the content of electronic communications using a wiretap. The Department believes that expanding statutory suppression provisions beyond those that apply to the real-time interception of content would confer an unwarranted windfall on criminals.
By suppressing evidence, a court interferes with the core function of a criminal trial: the search for the truth. The exclusion of evidence prevents a jury from hearing all the relevant facts that allow it to determine guilt or innocence. Because suppression of evidence affects the central values of our criminal justice system, it is generally reserved for the most serious violations of law, such as violations of the Constitution. Congress should be cautious in considering whether to create new suppression remedies by statute in situations where no Constitutional violation has occurred.
Page 50 PREV PAGE TOP OF DOC
Indeed, in the more serious situations intended to be covered by the new statutory suppression provisions, suppression already exists for law enforcement misconduct that rises to the level of a Constitutional violation. For example, if a wiretap affidavit submitted for the interception of the content of electronic communications contained intentionally false statements, any resulting interception would violate the Fourth Amendment, and a court would properly suppress such evidence. Statutory rules, on the other hand, can be enforced through existing civil remedies that do not allow the guilty to escape just punishment. See, e.g., 18 U.S.C. §2707 (setting forth civil and disciplinary remedies for violations of 2703).
Despite these reservations, the Department would, in the proper context, support harmonization of the way in which the law treats voice and electronic communications. Changes in technology and society have militated toward treating these two forms of communication in the same way. Thus, we believe the law could treat electronic communications in the same way as voice communications for purposes of suppression—so long as this change is part of a broader recalibrating of the way that the law treats all communications. For example, the Administration's package proposes that wiretaps for electronic communications should be treated just the same as voice wiretaps, including approval by a high-level Justice Department official, limited to the list of predicate crimes under §2516, and with the availability of suppression under §2515.
New Reporting Requirements. Section 3 of H.R. 5018 mandates extensive new reporting requirements that would create a significant burden for law enforcement authorities. These reporting requirements would apply to the use of orders under section 2703(d) of title 18. Such orders are most commonly used to obtain stored traffic information—such as computer logs showing when communications were transmitted—and sometimes the content of communications that the user has chosen to save with a third party provider. These orders are far less intrusive than wiretap authorizations for the interception of the content of communications in real time using a wiretap. Yet H.R. 5018 would impose reporting requirements even greater than those imposed on law enforcement for wiretap orders.
Page 51 PREV PAGE TOP OF DOC
Moreover, the imposition of such extensive reporting requirements for cyber-crime investigators would come at a time when law enforcement authorities are strapped for resources to fight cyber-crime. The reporting requirements for wiretaps, while extensive, are less onerous because law enforcement applies for such orders relatively rarely. Extending such requirements to orders used to obtain mere transactional data would dramatically hinder efforts to fight cyber-crime, such as the distribution of child pornography and Internet fraud.
Department of Justices Views on H.R. 4987
Mr. Chairman, let me turn to H.R. 4987, the ''Digital Privacy Act of 2000.'' Again, while the bill addresses important issues, it is not the kind of balanced, comprehensive package that would promote both privacy and effective law enforcement. Indeed, it raises many of the same concerns as H.R. 5018. For example, it creates an extensive new reporting requirement for an even broader set of legal processes, including search warrants and grand jury subpoenas, threatening to turn crime-fighters into bookkeepers. And, while it creates a suppression remedy for wiretaps that involve electronic communications matching the standard for voice wiretaps, H.R. 4987 would not make the other changes to the statute that would allow voice and electronic communications to be treated equally.
Further, H.R. 4987 contains a provision that would unduly restrict the investigative use of cell phone location information. Currently, law enforcement obtains such information through 2703(d) orders, based on presenting ''specific and articulable facts showing that there are reasonable grounds to believe that the [information] is relevant to an ongoing criminal investigation. The proposed amendment to section 2703 of title 18 would restrict law enforcement to obtaining such information only upon a judicial finding that ''there is probable cause to believe that the equipment has been used, is being used, or is about to be used to commit a felony offense.'' This new restriction would prevent location information from being obtained where the phone itself is not being used to commit the offense. For example, in one important investigation, cell phone location information allowed investigators to locate an escaped murderer and arrest him. The proposed bill would forbid investigators from using location information in this kind of situation in the future because the killer's phone was not being used to commit a crime. Similarly, in another investigation, an individual committed murder in one part of a city and lied to create an alibi by stating that he was in a different part of the city at the time of the murder. The records of the location of his cell phone revealed his lies and assisted law enforcement authorities to prove his guilt, even though the phone had nothing to do with the crime itself. Moreover, there may be cases where the location of a victim's phone can provide critical—and, in a kidnaping case, even lifesaving—information but we may not be able to obtain the victim's consent prior to obtaining and acting on the information.
Page 52 PREV PAGE TOP OF DOC
As you can see, the consequences of the proposed provision are significant. Thus, the Department opposes this provision in its current form.
Conclusion
Mr. Chairman, I want to thank you again for this opportunity to testify today about our efforts to fight crime on the Internet and comment on the legislation proposed by you and members of your subcommittee. The public is undoubtedly concerned about their online privacy—and the potential for criminals, private industry, and the government to infringe upon it. But the public is also deeply concerned about their safety and security when using the wondrous resources of the Internet. Enhancing the ability of law enforcement to fight cyber-crime both promotes Internet users' safety and security and enhances their privacy by deterring and punishing those criminals who violate individual privacy. The Department of Justice stands ready to work with the Members of this Subcommittee and others to achieve these important goals.
Mr. Chairman, that concludes my prepared statement. I would be pleased to answer any questions that you may have at this time.
Mr. CANADY. Mr. DiGregory, again I thank you for coming today and for your testimony. I will say that I think your testimony raises issues that are worthy of consideration by this subcommittee.
Let me point out that the legislation that we are considering today was filed with a narrower focus than the administration's proposal. That partly has to do with the jurisdictional issues of what comes to this subcommittee and so on. But I share your concern about the broader range of issues that should be concerned, and it would be my goal to find a way to address the broader range of issues, not necessarily all of them in exactly the way the administration has proposed, but I think that broader range of issues is worthy of and needs consideration. So I want to make that point clear.
Page 53 PREV PAGE TOP OF DOC
I am hopeful that we will be able to, after today's hearing, continue our discussion and perhaps be able to reach a consensus. I have talked with Mr. Watt about working on such a process, and I am committed to doing what I can to find common ground between the members of the subcommittee and the administration, Members on both sides of the aisle, so that we could come forward with a work product from the subcommittee sometime soon, because if we don't do it sometime soon, this Congress will be over.
Earlier we had announced a markup for tomorrow. We will not be conducting that markup. Instead we would anticipate a markup in the subcommittee next Thursday, that is Thursday of next week, and I think that will give us more time to work through the range of concerns that have been raised by all of the folks who are concerned about these issues.
Now, let me focus on a couple of things. On the standard for obtaining trap and trace and pen register orders, your primary concern seems to be that we have created a separate category for e-mails, and you think that is inappropriate. Well, we can have a discussion about that, but I want to focus on not that aspect of it, but on the standard.
Now, you in the administration proposal seem to recognize that the way things are going now is really not quite enough oversight, or you are at least willing to have the level of oversight or judicial involvement raised.
Currently, based on certification of law enforcement, it is a ministerial act for a court to issue an order that allows trap and trace or pen register, the information pursuant to those statutes. Now, I will tell you candidly that I think if most Americans knew that all someone from law enforcement had to do was to certify that essentially they want to get that information, and then they go before a court, and a court as a ministerial act issues that order for either telephone numbers or e-mail addresses, I don't think most Americans understand that there is that power of law enforcement. So you, perhaps in recognition of the sensitivity of even that sort of information, recommend in your proposal that the court at least make a finding that the information is relevant to an ongoing criminal investigation.
Page 54 PREV PAGE TOP OF DOC
Now, in our proposal, which focuses not on the telephone calls, but just on e-mail, we go a little further and require a finding of specific and articulable facts. Well, let me read it: A finding that there are specific and articulable facts reasonably indicating that a crime has been, is being or will be committed.
Now, do you have a problem with that standard? I want to get a sense of whether you think that standard of specific and articulable facts would impose an undue burden on law enforcement.
You may well be right that this shouldn't be limited to e-mail. It should be perhaps an across-the-board technology-neutral standard, whatever the standard is, but is this higher standard that is involved here, is it going to impose, in your view, an undue burden on law enforcement? And if you think it would, explain why. Your testimony doesn't seem to—it seems to kind of skirt around that issue a little bit. So I want to draw you out on that some, and for that purpose I will grant myself an additional 3 minutes.
Mr. DIGREGORY. Let me just tell you what my concern is, and I will let David speak to this as well, because we each have a number of years of experience as a prosecutor. I am concerned about what that standard means and what I would have to say to a court in saying to them that a crime has been, is being or will be committed. And that is because the pen register and trap and trace orders are usually obtained, and David can correct me if I am wrong on this as well because he has more experience on these orders than I do, but they are usually obtained at the very outset of a criminal investigation.
Page 55 PREV PAGE TOP OF DOC
Let me give you what I think is a relatively simple example. You have information from a confidential informant that Joe Jones is operating a gambling business out of his home and using the telephone in his home to do that. Now, you wouldn't ordinarily go from that piece of information that is given to you by the source and seek a title III order for content. You couldn't.
The first step that you would take would be to seek the pen register and trap and trace orders to determine things like the numbers of phone calls that are going in and out of Joe Jones's private residence, and that might be an indication of whether or not he is engaged in a gambling business, and that might substantiate the information that your source has brought to you.
Now, would I be able to say under this standard that a crime is being, has been or will be committed, or would I be able to say that I have got a reason to at least begin preliminarily a criminal investigation into the matter because of the information that has come to me? So I don't know if that answers your question, but I am concerned about what those words about a crime being committed means, and how much they will restrict the prosecutor in his ability to obtain the pen register or trap and trace order when he has got some information and enough information, I would submit to you, to get that, to at least confirm what his source is telling him or try to begin to confirm that and proceed further with his investigation, but not really enough information to conclude that a crime is being committed.
Mr. CANADY. Well, I guess the thing that concerns me is under the existing standard certainly, and perhaps under your situation, you don't really change the standard. You just change the role of the judge.
Page 56 PREV PAGE TOP OF DOC
Mr. DIGREGORY. You at least have the judge take a look at the facts that the prosecutor submits, and the judge make a determination that the information to be obtained from the order is likely to assist in this ongoing criminal—is likely to be relevant to the ongoing criminal investigation.
Mr. CANADY. The thing that concerns me, and this doesn't just apply to e-mail, this would apply equally to the traditional trap and trace or pen register on a telephone, that you can just—somebody can get in his mind, well, I wonder who he is calling or I wonder who is calling him, maybe he is doing something illegal and let's find out. It is hard for me to see what keeps you from doing that under the existing scenario.
My time has run out. Depending on how many questions others have, we may do a second round, but I will turn to Mr. Watt now.
Mr. WATT. Thank you, Mr. Chairman.
I think the chairman has put his finger on the basic issue here. The issue is not whether we want to try to find some technology-neutral language. I think we all can agree to that very easily. But if the standard is not right, finding technology-neutral language just makes it a broader improper standard.
I am having a lot of trouble with your standard. I can understand it from the prosecutor's perspective, but my Constitution wasn't written for the protection of the prosecutor.
Page 57 PREV PAGE TOP OF DOC
While you are worried about what you have got to say to a court and whether you have got to demonstrate that some crime is in process or not, the Constitution doesn't require you to do that. All it requires you to have is reasonable cause—probable cause to believe that something is going on.
Right now you have got a standard under 18 U.S.C. 3123 that I think it puts you way out there on that statute. What you are saying now is that we should take that same standard, which I think is an inappropriate standard, and multiply the egregiousness of it by applying it to everything else that law enforcement does.
I, for the life of me, can't see anything in my Constitution that talks about the term ''relevant to an ongoing criminal investigation.'' that isn't in my Constitution. So unless we can come together on what the standard ought to be, I mean, we are going to have a hard time moving. I mean, I find myself very close to Mr. Barr on this issue, and if the left is there and the right is there, him being the left and me being the right, of course, I mean I think what you are trying to do is to get the Constitution Subcommittee to write a prosecution standard as opposed to a constitutional standard.
Mr. DIGREGORY. Let me respond in this way: We wouldn't be asking for this admittedly lesser standard to be applied to everything that we do with respect to electronic surveillance. What I would suggest to you is that the premise from which you must begin, whether you agree with that premise or not, is that the United States Supreme Court has said—and you mentioned earlier, Mr. Chairman, that most Americans would be shocked to know that the pen register can be obtained under this standard—they may also be shocked to know that there is no reasonable expectation of privacy in the information obtained from the pen register. That may be a guess that people would make, but nevertheless the Supreme Court has determined that there is no reasonable expectation of privacy in source and destination information.
Page 58 PREV PAGE TOP OF DOC
And if I may, because I have suggested you begin from that premise, I could read from that opinion because they talk about there being not only no objective expectation of privacy, but no subjective expectation of privacy.
They said in pertinent part, first we doubt that people in general entertain any actual expectation of privacy in the numbers they dial. All telephone users realize that they must convey telephone numbers to their telephone company since it is through telephone company switching equipment that their calls are completed. All subscribers, moreover, realize that the phone company has facilities for making permanent records of the numbers they dial. In fact, pen registers and similar devices are routinely used by telephone companies for purposes of checking billing operations and detecting fraud.
Although most people may be oblivious to a pen register's esoteric functions, they presumably have some awareness of one common use, to aid in the identification of persons making annoying or obscene calls.
Further language in the opinion, this court has consistently held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.
Now, I know that—all I am suggesting to you is that that is what—that is the premise from which we must begin the analysis because that is what the law is. I am not suggesting to you—and certainly you have the power to change the law. We have suggested that a certain change be made and, in fact, this opinion issued. And there is nevertheless a standard in Federal law for obtaining a pen register trap and trace when this opinion suggests that maybe there doesn't even need to be because there is no reasonable expectation of privacy in this information.
Page 59 PREV PAGE TOP OF DOC
So the point that I am trying to make with this lengthy discussion is that when you consider what standard to apply, I would submit you must also consider the level of, for lack of a better way of putting it, intrusion involved with respect to the information being sought. I would suggest to you that the lesser the intrusion, the lesser the standard need be in making that balance between public safety and individual privacy.
Mr. CANADY. The gentleman's time has expired. Without objection, the gentleman will have 3 additional minutes.
Mr. WATT. I don't know that I need 3 additional minutes, Mr. Chairman. I want to listen to the rest of the conversation, but I am having a lot of trouble getting where this gentleman is on this issue.
I hear what you are saying. I mean, it is very practical, but I think the public has a reasonable expectation in not having the government, without belief—probable cause for believing that some crime is taking place, eavesdropping on keeping track of their phone numbers, keeping track of where they are sending e-mails to.
I don't think that that would be an impossible burden. I mean, in the case where you talked about the informant telling you that some criminal conduct is taking place, if that is a reliable informant, and you can convince the judge that that is a reliable informant, then maybe that is probable cause. If it is not probable cause, then I will be damned if I can see how you have the right to go and start monitoring my phones or my e-mails, notwithstanding what the United States Supreme Court said.
Page 60 PREV PAGE TOP OF DOC
Mr. DIGREGORY. But, of course, you know that when we monitor the content of your telephone conversations or the content of your e-mails, we are required to meet a probable cause standard, and, in fact, statutory law requires us to do much more than that. It requires us to state to the Court that it is necessary to the investigation that we take this route and that we must minimize the interceptions to only those conversations or exchange of e-mails, if you will, which relate to the criminal conduct.
So I take the point that we have got a disagreement on this, but we are always willing to continue to discuss this.
Mr. WATT. Yes, but the disagreement is so basic that I think this is what is going to—you know, all this other stuff that we are talking about, whether you use technology-neutral language, all the—if we cannot agree on what the standard ought to be, then I think we are just whistling in the wind about whether we are going to be able to get to a point where we can—and, you know, I see the disagreement developing not so much along political lines or partisan lines, but along philosophical lines and constitutional lines and what the standard ought to be.
If we cannot forge beyond this basic question, how are we going to come to any consensus about what the legislation ought to cover? That is the problem—the real bind we have.
Mr. CANADY. If I could enter into that?
Page 61 PREV PAGE TOP OF DOC
Mr. WATT. I am happy to yield to the gentleman.
Mr. CANADY. In fairness to the administration, I think that we need to recognize that even though we may not agree with the administration's standard, they are actually increasing the protections that are provided over and above what current law is, because currently the judge plays only a ministerial role. At least under the administration's proposal, and I am not here specifically to defend their proposal, but at least under their proposal there is going to be a judge who would be making a finding. So I think that——
Mr. WATT. What would the finding be though?
Mr. CANADY. A finding with respect to the relevance.
Mr. DIGREGORY. The finding would be that the information that would be obtained from the orders would have to be believed by the judge to be relevant to the ongoing investigation.
Mr. WATT. Why should that be the standard? That is the question I am asking. Why should that be the standard as opposed to having a baseline belief that some criminal conduct is taking place? And if it is, then why wouldn't that be as easy to demonstrate to a judge that you have got an investigation going on? I mean, that is all you are saying: We have an investigation going on. You go in and you march in and you tell the judge that, and then the judge enters an order saying, yes, you have an investigation going on; no probable cause, nothing else.
Page 62 PREV PAGE TOP OF DOC
Mr. DIGREGORY. It may be that we can meet the standard that Mr. Canady has proposed by simply saying that I have got an informant, and that informant tells me that Joe Jones is running a gambling business out of his house, and I want a pen register and trap and trace order to begin to corroborate my informant and to begin to establish whether or not I can build a case against Joe Jones. It may be that that is enough.
What I was saying in response to Mr. Canady's question was that as a prosecutor I am not sure what that standard means. I don't think that there is perhaps as much of a difference in what Mr. Canady has related in his legislation with respect to the belief that a crime is being committed and the standard that we have put forward with respect to relevancy to an ongoing criminal investigation.
Ultimately it would all depend, I think, on what a judge requires, but I think one of the reasons we are having this discussion is to try to figure out exactly what is meant by a crime is being committed or will be committed.
Mr. GREEN. But the trade-off is exact. If you set up a probable cause standard to get this kind of information, addressing information, then we will follow that standard, obviously, but we will be less able to protect public safety on-line, and that is the trade-off that the Constitution puts in this Congress.
Mr. CANADY. Well, the gentleman's time has expired. At this point, with the subcommittee's leave, we are going to go out of order and go to the gentleman from Michigan, who has to leave momentarily, but would like to take his 5 minutes now if that is okay.
Page 63 PREV PAGE TOP OF DOC
I recognize the gentleman from Michigan.
Mr. CONYERS. Thank you, Mr. Chairman and members.
I will not take 5 minutes. I want to put my statement in the record, with your permission, and commend all the people that have been working on this idea.
[The prepared statement of Mr. Conyers follows:]
PREPARED STATEMENT OF HON. JOHN CONYERS, JR., A REPRESENTATIVE IN CONGRESS FROM THE STATE OF MICHIGAN
There is no denying that the Internet has taken its place alongside the telephone and ''snail'' mail as a central means of communication. So it's no surprise that illegal activities are migrating there as well.
As a result, law enforcement needs tools to intercept unlawful communications by terrorists, cyber-criminals, and others who will use the Internet for illegal conduct in the hope they can conspire in cyberspace without leaving any fingerprints.
At the same time, Americans are becoming wary that they sacrifice their privacy each time they log on to the Internet. And with good reason. While we want to ensure that law enforcement has the tools it needs, we must balance this interest with the Constitution so that individuals retain the privacy they cherish.
Page 64 PREV PAGE TOP OF DOC
In July, this subcommittee held a hearing to examine the FBI's use of its new Carnivore electronic surveillance technology. To many of us, the hearing confirmed our fears that our current laws are insufficient to protect constitutional rights and privacy in the Internet age. Therefore, Congress must act now to amend those laws to bring them up to date.
To this end, I'm gratified that my colleagues Chairman Canady and Representative Barr have taken the first steps in drafting legislation to better safeguard the privacy rights of online users. The Administration has also developed a proposal over the course of a year that addresses these issues.
I understand that yesterday the Administration, Chairman Canady and our staffs held a productive meeting. There is a lot of common ground among these three proposals. If the Majority is serious about working with us to craft a good bill, I am committed to working together to reach an agreement on this legislation before Congress adjourns.
Most importantly we need to set clear standards for law enforcement even when it seeks only the most basic identifying information regarding the flow of e-mail traffic—through what are known as pen register and ''trap and trace'' orders. Rather than a mere executive branch administrative subpoena for such orders, law enforcement should seek judicial sanction for them. On that, I believe there is widespread agreement.
However, I think the Clinton Administration with its keen sensitivity to technology, has made an important point in its draft legislation. Such heightened protection should be ''technology neutral'' and should apply whether a communication is transmitted via the traditional email or some other web transmission.
Page 65 PREV PAGE TOP OF DOC
The Administration has also raised an thoughtful point about technology asking for judicial orders to be enforceable nationwide, rather in just the jurisdiction in which a federal court resides. That is because web traffic often touches down in multiple file servers in multiple jurisdictions prior to landing in its final destination.
Mr. Canady, in my judgement an important question has been raised as to whether there needs to be a statutory requirement—to buttress the Constitutional requirement—for suppression in the case of unauthorized eavesdropping of unopened, e-mails. I don't know of many scenarios in which such a statutory addition is needed, but I am open to argument on it.
The bottom line is this. This is an important opportunity for the Congress and for the nation. We can and should protect privacy on the Internet. But the only way we will do it is if we draft legislation in a bipartisan manner that can win administration support. I pledge my willingness to do so.
Mr. CONYERS. I really think you have put together a good witness list. I commend particularly Chairman Canady and Mr. Barr, for working with our staff and our side on this matter. I am happy that our old friend Chuck Schumer was here earlier, and I just wanted to leave one little comment that my staff has impressed on me, and that is that there may be an advantage in having technology-neutral language that should apply whether a communication is transmitted through e-mail or other Web transmission. And the seeking of judicial orders to be enforceable nationwide, I think, has some attraction to myself because the Web traffic often touches down in many file servers.
Page 66 PREV PAGE TOP OF DOC
The other point that would come up, and I hope it will be discussed, has been raised as to whether there needs to be a statutory requirement to buttress the constitutional requirement for suppression in the case of unauthorized eavesdropping of unopened e-mails. I don't know of many scenarios of such a statutory suppression and if an addition is needed, but I will be looking to hear about it. But I think this is an important hearing, and it is plowing into some of that new high tech, never-never land that the Judiciary Committee is uniquely responsible for in our jurisdiction.
So I welcome the witnesses and thank the chairman and return any time left.
Mr. CANADY. Thank you, Mr. Conyers.
The gentleman from Arkansas Mr. Hutchinson is now recognized for 5 minutes.
Mr. HUTCHINSON. Thank you, Mr. Chairman. I appreciate your willingness to continue working with the administration in drafting agreeable language, and I do think there is some agreement.
Following up on the discussion in regard to the standard for a trap and trace device or a pen register, Mr. Green pointed out that there is a trade-off. Presently we have a statutory standard that law enforcement, the Justice Department, is meeting. I think there is a question as to whether that statutory standard should be changed, despite the fact that the Supreme Court has indicated there is no expectation of privacy in that information.
Page 67 PREV PAGE TOP OF DOC
I agree with Mr. Canady that I think the public, regardless of what the Supreme Court says, has some expectation of privacy that who they call and who they receive calls from, those numbers which reveal who the calls are coming from and going to, is confidential.
It is scary to think about someone knowing everybody I call and who I receive calls from without there being an indication that a crime is being committed.
Mr. DiGregory, does that seem reasonable to you, that approach, that view?
Mr. DIGREGORY. It does seem reasonable to me, and it really is a question of——
Mr. HUTCHINSON. A trade-off?
Mr. DIGREGORY. Certainly there is a trade-off, but I guess it is—and I don't mean to be splitting hairs, or maybe I do mean to be splitting hairs, but I guess it depends on what the difference is between relevant to an ongoing criminal investigation and whether or not a crime has been, is being or will be committed.
Mr. HUTCHINSON. I think there is a huge difference. I mean, one you have got a reasonable indication that a crime is being committed. That certainly merits an investigation and a legitimate public concern versus a law officer's statement that ''I have an ongoing investigation.'' My goodness, there are all kinds of ongoing investigations. That is just real, real broad.
Page 68 PREV PAGE TOP OF DOC
But let me come back to the trade-off question. I want to know if you raise the standard as indicated by this proposed legislation, where is the harm? Tell me how this is going to impact law enforcement. How is it going to impact our crimefighting ability? Tell me where the problems are in this and what is going to be the cost to the public safety issue if we raise the standard.
Mr. DIGREGORY. I don't think that it would be—certainly with the standard that is put forth in the administration's proposal would be terribly burdensome——
Mr. HUTCHINSON. All that standard is saying is that the court has to satisfy that there is some relevance.
Mr. DIGREGORY. The court has to look at the factual statements submitted by the prosecutor and make a determination that the information that will be made available through the pen register and trap and trace order will be relevant to an ongoing criminal investigation.
Mr. HUTCHINSON. O