SPEAKERS CONTENTS INSERTS
Page 1 TOP OF DOC
20–710 PDF
2005
IMPLEMENTATION OF THE USA PATRIOT ACT: CRIME, TERRORISM AND THE AGE OF TECHNOLOGY
HEARING
BEFORE THE
SUBCOMMITTEE ON CRIME, TERRORISM,
AND HOMELAND SECURITY
OF THE
COMMITTEE ON THE JUDICIARY
HOUSE OF REPRESENTATIVES
ONE HUNDRED NINTH CONGRESS
FIRST SESSION
APRIL 21, 2005
Serial No. 109–18
Printed for the use of the Committee on the Judiciary
Page 2 PREV PAGE TOP OF DOC
Available via the World Wide Web: http://www.house.gov/judiciary
COMMITTEE ON THE JUDICIARY
F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman
HENRY J. HYDE, Illinois
HOWARD COBLE, North Carolina
LAMAR SMITH, Texas
ELTON GALLEGLY, California
BOB GOODLATTE, Virginia
STEVE CHABOT, Ohio
DANIEL E. LUNGREN, California
WILLIAM L. JENKINS, Tennessee
CHRIS CANNON, Utah
SPENCER BACHUS, Alabama
BOB INGLIS, South Carolina
JOHN N. HOSTETTLER, Indiana
MARK GREEN, Wisconsin
RIC KELLER, Florida
DARRELL ISSA, California
JEFF FLAKE, Arizona
MIKE PENCE, Indiana
J. RANDY FORBES, Virginia
STEVE KING, Iowa
Page 3 PREV PAGE TOP OF DOC
TOM FEENEY, Florida
TRENT FRANKS, Arizona
LOUIE GOHMERT, Texas
JOHN CONYERS, Jr., Michigan
HOWARD L. BERMAN, California
RICK BOUCHER, Virginia
JERROLD NADLER, New York
ROBERT C. SCOTT, Virginia
MELVIN L. WATT, North Carolina
ZOE LOFGREN, California
SHEILA JACKSON LEE, Texas
MAXINE WATERS, California
MARTIN T. MEEHAN, Massachusetts
WILLIAM D. DELAHUNT, Massachusetts
ROBERT WEXLER, Florida
ANTHONY D. WEINER, New York
ADAM B. SCHIFF, California
LINDA T. SÁNCHEZ, California
ADAM SMITH, Washington
CHRIS VAN HOLLEN, Maryland
PHILIP G. KIKO, Chief of Staff-General Counsel
PERRY H. APELBAUM, Minority Chief Counsel
Page 4 PREV PAGE TOP OF DOC
Subcommittee on Crime, Terrorism, and Homeland Security
HOWARD COBLE, North Carolina, Chairman
DANIEL E. LUNGREN, California
MARK GREEN, Wisconsin
TOM FEENEY, Florida
STEVE CHABOT, Ohio
RIC KELLER, Florida
JEFF FLAKE, Arizona
MIKE PENCE, Indiana
J. RANDY FORBES, Virginia
LOUIE GOHMERT, Texas
ROBERT C. SCOTT, Virginia
SHEILA JACKSON LEE, Texas
MAXINE WATERS, California
MARTIN T. MEEHAN, Massachusetts
WILLIAM D. DELAHUNT, Massachusetts
ANTHONY D. WEINER, New York
JAY APPERSON, Chief Counsel
ELIZABETH SOKUL, Special Counsel on Intelligence
and Homeland Security
JASON CERVENAK, Full Committee Counsel
Page 5 PREV PAGE TOP OF DOC
MICHAEL VOLKOV, Deputy Chief Counsel
BOBBY VASSAR, Minority Counsel
C O N T E N T S
APRIL 21, 2005
OPENING STATEMENT
The Honorable Howard Coble, a Representative in Congress from the State of North Carolina, and Chairman, Subcommittee on Crime, Terrorism, and Homeland Security
The Honorable Robert C. Scott, a Representative in Congress from the State of Virginia, and Ranking Member, Subcommittee on Crime, Terrorism, and Homeland Security
WITNESSES
The Honorable Laura H. Parsky, Deputy Assistant Attorney General, U.S. Department of Justice
Oral Testimony
Prepared Statement
Mr. Steven M. Martinez, Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation
Oral Testimony
Prepared Statement
Mr. Jim Dempsey, Executive Director, Center for Democracy and Technology
Page 6 PREV PAGE TOP OF DOC
Oral Testimony
Prepared Statement
Mr. Peter Swire, Professor of Law, Ohio State University
Oral Testimony
Prepared Statement
APPENDIX
Material Submitted for the Hearing Record
Prepared Statement of the Honorable Robert C. Scott, a Representative in Congress from the State of Virginia, and Ranking Member, Subcommittee on Crime, Terrorism, and Homeland Security
Prepared Statement of the Honorable Maxine Waters, a Representative in Congress from the State of California
Submission by Peter Swire entitled ''The System of Foreign Intelligence Surveillance Law,'' 72 George Washington Law Review 1306 (2004), available at http://papers.ssrn.com/sol3/papers.cfm?abstract_ id=586616
IMPLEMENTATION OF THE USA PATRIOT ACT: CRIME, TERRORISM AND THE AGE OF TECHNOLOGY
THURSDAY, APRIL 21, 2005
Page 7 PREV PAGE TOP OF DOC
House of Representatives,
Subcommittee on Crime, Terrorism,
and Homeland Security
Committee on the Judiciary,
Washington, DC.
The Subcommittee met, pursuant to notice, at 10:03 a.m., in Room 2141, Rayburn House Office Building, the Honorable Howard Coble (Chair of the Subcommittee) presiding.
Mr. COBLE. Good morning, ladies and gentlemen. Good to have you all with us for our oversight hearing on the implementation of the USA PATRIOT Act, sections 209, 217, and 220 of the act that address crime, terrorism, and the age of technology.
Our Nation has a dependency problem, one that we need to nurture and protect. That dependency is on technology. Computers and related technology have improved every aspect of our lives, our health care, our education, our security, just to name a few.
This same technology also aids those who threaten our Nation and it facilitates terrorists and criminals alike. At the stroke of a key someone can cause millions of dollars of damage to our economy or shut down 911 systems of our emergency responders.
The threat has grown with the benefits of and dependency upon technology. Now, after September 11 attacks, the risks are greater. Even prior to the attacks the Judiciary Subcommittee on Crime, Terrorism, and Homeland Security had been working on legislation to improve Federal law to protect the Nation from cybercrime and cyberterrorism.
Page 8 PREV PAGE TOP OF DOC
In an almost prophetic effort this Subcommittee held three hearings on the growing threat of cybercrime and cyberterrorism in the summer of 2001, and was in the process of drafting legislation to meet those threats when the 9/11 attacks occurred.
These hearings highlighted that the Border Patrol and checkpoints at our airports and shipping ports cannot protect against cybercrime and terrorism.
This type of crime is borderless, knows no restraints, and can substantially harm the Nation's economy and our citizens.
To protect our privacy and our safety, law enforcement must be able to deal with new technology and the associated challenges. The borderless nature of cyberspace causes jurisdictional and investigative problems for law enforcement and facilitates often times criminal activity.
The law enforcement officials and private representatives at these hearings agreed that the criminal law needed to be updated and clarified.
In the PATRIOT Act, this Committee incorporated H.R. 2915, the legislation produced by the Subcommittee and then Chairman Lamar Smith in the summer of 2001. The PATRIOT Act updated criminal law to address the new challenges. These updates were designed to help law enforcement assess whether unlawful conduct is the result of criminal activity or terrorist activity and to respond appropriately.
Page 9 PREV PAGE TOP OF DOC
The hearing today will discuss sections 209 that deals with stored electronic communications; 217 that addresses computer trespassers; and 220 that updates the service of search warrants for electronic communications.
These sections are set to expire on December 31 of this year.
I look forward to hearing from the testimonies from the witnesses, and now I'm pleased to recognize the distinguished Gentleman from Virginia, the Ranking Member, Mr. Bobby Scott.
Mr. SCOTT. Thank you, Mr. Chairman. And thank you again for scheduling another hearing on the USA PATRIOT Act. I think it's important that we have these hearings. I think we did a good job as a Committee when we passed the PATRIOT Act. Unfortunately, our work somehow dissolved between the Committee and the floor of the House. But we have taken in one of the points of this sunset which was to give us an opportunity to review our work product, and these hearings are certainly extremely important.
This hearing is about the investigation and prosecution of crimes through use of electronic evidence, section 209 of the act references seizure of voice mail messages pursuant to a warrant. However, that section authorizes access to much more than just voice mail and authorizes access through ways other than warrants, such as administrative, grand jury, and court issued subpoenas. And under the appropriate circumstances, there can also be the sneak and peak situations where they ate warrants, court subpoenas, or administrative subpoenas. So we're talking about a section that is not only misleading relative to the breadth of police powers that authorizes, but a title that is deceptive as to the extraordinary nature of those powers.
Page 10 PREV PAGE TOP OF DOC
Quite frankly, Mr. Chairman, the more I review the extent of these powers that we have extended to law enforcement through provisions such as section 209, the more I am pleased with our decision to provide for a sunset on some of those powers in order that we may review in earnest what we have done so that law enforcement authorities who get access to our private information pursuant to these powers will be aware that we are reviewing their actions.
This is a section whose original purpose was to protect or electronic data against intrusion. Now, we see a big loophole that we carved out for the purpose of law enforcement access and the limitations on traditional methods of holding law enforcement accountable, such as prior notice for the right to quash and oversight of a court through return reports to the court within a certain number of days.
And so I'm convinced that the sunset review in this area is absolutely essential to our oversight responsibilities to the public.
This is especially true in the areas of electronic and general technology given the growing impact of technology to our society. I have the same concerns about section 217, which allows an ISP to give law enforcement wide latitude to look at private electronic communications without court oversight or review.
It's one thing to call law enforcement to look at a trespass that is occurring. But it's another thing to call on law enforcement to look to see if anything suspicious is going on prior to a trespass actually occurring.
Page 11 PREV PAGE TOP OF DOC
And while I can understand the efficiency of certain arguments for a nationwide search warrant authority in the area of electronic communications, I'm also concerned with the sufficiency of the notice and the right to challenge an oversight of such warrants.
Now for law enforcement, I think it's important to note that I think these powers should be available in appropriate circumstances. So I'm not calling for a sunset of those powers. However, the public's protection of their privacy as well as their safety, I'm saying that we need to look more precisely at the notice to oversight and reporting requirements for these powers and make appropriate adjustments.
We should also continue this kind of oversight through sunsets where we have to periodically look at the use of these powers in an arena of evolving technologies and where law enforcement is aware that the use of these powers will need to be scrutinized and justified.
And so, Mr. Chairman, I look forward to the testimony of our witnesses on how we might best do that and working with you on implementing our recommendations.
Mr. COBLE. I thank you, Mr. Scott.
Lady and gentlemen, it's the practice of the Subcommittee to swear in all witnesses appearing before us. So if you all would please stand and raise your right hands
[Witnesses sworn.]
Page 12 PREV PAGE TOP OF DOC
Mr. COBLE. Let the record show that each of the witnesses answered in the affirmative. You may be seated.
We have a very distinguished panel today. And I will introduce them before we take testimony.
Our first witness is Ms. Laura H. Parsky, the Deputy Assistant Attorney General of the Criminal Division at the United States Department of Justice. In addition to serving at the Department of Justice, Ms. Parsky has served as Director of International Justice and Contingency Planning at the National Security Council. She was graduated from Yale University and obtained her law degree from Boalt Hall School of Law at the University of California at Berkeley. Following law school, Ms. Parsky clerked for the Honorable D. Lowell Jensen of the United States District Court for the Northern District of California.
Our second witness today is Mr. Steven Martinez, Deputy Assistant Director for the Cyber Division of the FBI. Prior to beginning his current position, Mr. Martinez served in many capacities within the FBI, including managing the counter terrorism and counter intelligence efforts during the staging and commencement of Operation Iraqi Freedom. Mr. Martinez is a graduate of St. Mary's College of California and received a master's degree from the University of California at Berkeley.
Our next witness is Mr. Jim Dempsey, Executive Director of the Center for Democracy and Technology. Prior to joining the Center, Mr. Dempsey was a Deputy Director of the Center for National Security Studies and also served as Assistant Counsel to the House Judiciary Committee's Subcommittee on Civil and Constitutional Rights. Mr. Dempsey is a graduate of Yale University and the Harvard Law School.
Page 13 PREV PAGE TOP OF DOC
Our final witness today is Mr. Peter Swire, Professor of Law at the Ohio State University's Moritz College of Law. Previously, Mr. Swire served in the Clinton Administration as Chief Counselor for Privacy in the Office of Management and Budget. Professor Swire is a graduate of Princeton University and the Yale Law School. After graduating from law school, he clerked for Judge Ralph K. Winter, Jr., of the United States District Court—strike that—of the United States Court of Appeals for the Second Circuit.
Folks, it's mighty good to have all of you with us. As you all have been previously informed, we operate under the 5-minute rule here, and you will see the panels before you at the desk when amber light appears that is your notification that time is elapsing rapidly. And when the red light appears, the 5 minutes have expired. And have furthermore imposed the 5-minute rule against ourselves as well. So when we examine you, if you all could be terse, we would be appreciative of that.
Ms. Parsky, why don't you start us off?
TESTIMONY OF THE HONORABLE LAURA H. PARSKY, DEPUTY ASSISTANT ATTORNEY GENERAL, U.S. DEPARTMENT OF JUSTICE
Ms. PARSKY. Thank you. Good morning, Mr. Chairman, Ranking Member Scott and honorable Members of the Subcommittee.
It is my pleasure to appear before you to discuss sections 209, 217, and 220 of the PATRIOT Act, provisions that have authorized our laws to keep pace with new technologies. These provisions have made commonsense changes that have harmonized the treatment of similar situations, that have eliminated unnecessary and inefficient processes, and that have given back to victims the rights they deserve.
Page 14 PREV PAGE TOP OF DOC
Together, they are a significant step forward in meeting the challenges of investigating and prosecuting crime in the 21st century.
Our world has changed in dramatic ways in recent years. On the one hand, as September 11th made tragically clear, we face the threat of terrorism on a scale that was previously unimaginable.
On the other hand, we have experienced tremendous technological advancement that has given us modern wonders like the Internet. It is because of both of these developments that the PATRIOT Act is vital to our country's safety.
As the world changes, so must our laws. We cannot go back to the days before September 11th, and we cannot turn back the clock of the digital age. Likewise, we cannot regress to outdated laws that defy reason in today's world.
Sections 209, 217, and 220 are just the kinds of commonsense changes that we need to keep pace with technology. Prior to the PATRIOT Act, voice mails were subject to burdensome rules designed for ongoing access to live communications rather than those rules for a single access to other similar types of stored communications.
In fact, it was easier for law enforcement to get a warrant to go into a person's home and listen to messages on that person's answering machine than it was to obtain voice mail messages left—stored with a third party.
Page 15 PREV PAGE TOP OF DOC
Section 209 fixed this inconsistency by making the rules for stored voice mail more consistent with those for other types of stored messages, such as electronic mail.
Section 217 also addresses new technology, the rise of computer networks, such as the Internet. Section 217 makes clear that Federal law will not shield a person who trespasses on the computer system of another. Section 217 puts the power to decide who may enter property back where it belongs: in the hands of the property owner, just as has always been the case for homeowners.
Finally, section 220 recognizes that today's modern communications technologies make it possible for records relating to an investigation in a particular jurisdiction to be stored in a distant jurisdiction, or in many cases in several distant jurisdictions.
Rather than sending investigators all over the country to explain the same set of facts over and over again to different prosecutors and different judges, section 220 allows the investigators and prosecutors who are most familiar with the case to obtain authorization to gather electronic records from a single judge in their own district, who is also most familiar with the facts of the case, just as has always been the case with other records subject to grand jury subpoenas. This provision just makes practical sense in today's world of electronic evidence.
In the three and a half years since Congress passed these provisions of the PATRIOT Act by overwhelming bipartisan majorities, we've had the opportunity to see these provisions in action. We have seen the modern tools Congress authorized through passage of the PATRIOT Act dramatically improve law enforcement's ability to protect the safety and security of the American people.
Page 16 PREV PAGE TOP OF DOC
We have used these tools to disrupt terrorist networks and to prevent terrorist attacks, to bring down international drug conspiracies, and to rescue children in imminent danger.
Most significantly we have prevented another terrorist attack from striking us here at home. These are the facts, not fears.
The PATRIOT Act has made law enforcement more effective and more efficient. All this has been done without impacting any of the constitutional protections that we as Americans hold dear.
It is in this context that these tools must be evaluated. It is this record of accomplishments that should be first and foremost in your minds.
We cannot go back. If Congress fails to reauthorize the PATRIOT Act, we will revert to old rules that hamstring law enforcement with inefficient processes and unnecessary delays in investigating 21st century crime.
The law would once again treat similar services differently without good cause, and, worse, the law would protect criminals at the expense of their victims' rights. If these provisions are not renewed, law enforcement will be less efficient and less effective in combating not only terrorism, but other serious offenses, such as cyber crime, child exploitation and kidnapping.
Page 17 PREV PAGE TOP OF DOC
Our experience over the past three and a half years has proven the utility and rationality of these modernizations of our laws. In light of the very real threats we face today, we cannot afford to go back to when technology was outpacing law enforcement's tools.
Therefore, I ask that you continue to move our laws forward by reauthorizing sections 209, 217, and 220 of the PATRIOT Act. The Department of Justice appreciates this Subcommittee's leadership in making sure that our country's laws meet the challenges of today and of tomorrow.
Thank you for the opportunity to testify today and for your continuing support. I am happy to try to answer any questions you may have.
[The prepared statement of Ms. Parsky follows:]
PREPARED STATEMENT OF LAURA H. PARSKY
Parsky1.eps
Parsky2.eps
Parsky3.eps
Parsky4.eps
Parsky5.eps
Page 18 PREV PAGE TOP OF DOC
Parsky6.eps
Parsky7.eps
Parsky8.eps
Parsky9.eps
Parsky10.eps
Parsky11.eps
Parsky12.eps
Parsky13.eps
Parsky14.eps
Parsky15.eps
Parsky16.eps
Parsky17.eps
Page 19 PREV PAGE TOP OF DOC
Parsky18.eps
Parsky19.eps
Parsky20.eps
Mr. COBLE. Thank you, Ms. Parsky.
Mr. Martinez?
TESTIMONY OF STEVEN M. MARTINEZ, DEPUTY ASSISTANT DIRECTOR, CYBER DIVISION, FEDERAL BUREAU OF INVESTIGATION
Mr. MARTINEZ. Good morning, Mr. Chairman, Ranking Member Scott, and Members of the Subcommittee.
My name is Steven Martinez. I'm the Deputy Assistant Director of the FBI's Cyber Division. The primary mission of the Cyber Division is to protect the American public against a host of significant and potentially deadly high-tech crimes.
The uses of technology in our society are innumerable and their value immeasurable. The state of technology has been advancing rapidly over the past 20 years, much of it to the benefit of people living in all corners of the world.
Page 20 PREV PAGE TOP OF DOC
Unfortunately, the picture is not always so bright.
Technology has also been used to harm people, while offering a particularly effective escape route. In this digital age, crimes can and do occur within seconds without the perpetrator ever getting anywhere physically close to the victim.
In such a setting, law enforcement must be equipped with the investigative tools necessary to meet, locate, and incapacitate the growing threat.
With this background in mind, I want to thank you for the opportunity to appear before you today to discuss certain sections of the USA PATRIOT Act which are scheduled to expire at the end of this year, specifically sections 209, 217, and 220. Going in numerical order, allow me to start with section 209.
Section 209 permits law enforcement officers to seize voice mail with a search warrant rather than a surveillance, or title III order. The importance of this provision is best understood in the context of how often terrorists and other criminals rely on technology to relay their plans to each other instead of risking face to face in-person meetings.
Section 209 provides a very good example of how the USA PATRIOT Act simply updated the law to reflect recent technological developments. The drafters of the act determined that obtaining voicemail stored on a third party's answering system is more similar to obtaining voicemail stored on a home answering machine, which requires a search warrant, more so than it is to monitoring somebody's telephone calls, which requires a title III order.
Page 21 PREV PAGE TOP OF DOC
In passing this portion of the act, Congress made the statutory framework technology-neutral. Privacy rights are still well accounted for, since the section 209 allows investigators to apply for and receive a court-ordered search warrant to obtain voicemail pursuant to all of the pre-existing standards for the availability of search warrants, including a showing of probable cause.
With privacy rights left firmly intact, there is a distinct advantage to the public's safety when law enforcement can obtain evidence in a manner that is quicker than the title III process.
I would like to move next to section 217, the Hacker Trespasser Exception. Like section 209 before it, section 217 also makes the law technology-neutral.
Section 217 places cyber-trespassers—those who are breaking into computers—on the same footing as physical intruders. Section 217 allows the victims of computer-hacking crimes voluntarily to request law enforcement assistance in monitoring trespassers on their computers.
Just as burglary victims have long been able to invite officers into their homes to catch the thieves, hacking victims can now allow law enforcement officers into their computers to catch cyber-intruders.
Think for a moment how odd it would be if a homeowner yelled out to a police officer ''Hey, there's a burglar in my house right now, help!'', only to have the police respond, ''Sorry, I have to apply for a court order first, try not to scare him off.'' The homeowner would be dumbfounded; the burglar would be long gone by time the police returned. This, in essence, is what was occurring prior to the PATRIOT Act.
Page 22 PREV PAGE TOP OF DOC
It can be said that section 217, in a very significant way, enhances privacy. The essence of the section—to help catch hackers—serves a vital function in the FBI's ability to enforce data privacy laws. Hackers have no respect for your privacy or mine.
There has been an outpouring of concern from the American public to protect them from identity theft and to ensure that their personal records are secure. Congress has responded with a powerful array of laws that are designed to impose serious consequences on computer hackers. However, if law enforcement does not have the ability to quickly spot and then locate hackers, then the victim toll will mount and only hackers themselves, remaining anonymous, will be left with privacy.
The FBI understands the importance of preventing criminals from stealing and selling our information, and we are resolved to catch those who do. Section 217 is of enormous help in this regard.
Lastly, I would like to turn to section 220. Section 220 enables Federal courts—with jurisdiction over investigation—to issue a search warrant to compel the production of information, such as unopened e-mail, that is stored with a service provider located outside their district.
Now, for example, a judge with jurisdiction over a kidnapping investigation in Pittsburgh can issue a search warrant for e-mail messages that are stored on a server in California. As a result, investigators in Pennsylvania can ask the judge most familiar with the investigation to issue a warrant rather than having to ask an Assistant United States Attorney in California who's unfamiliar with the case, to ask a district judge in California, who also is unfamiliar with the case, to issue the warrant.
Page 23 PREV PAGE TOP OF DOC
Lest you think this is merely a hypothetical example, it's not. Using section 220, our FBI office in Pittsburgh was able to obtain a warrant for information residing on a computer in California that ultimately led to the rescue of a teenage girl who was being sexually tortured in Virginia while being chained to a wall in somebody's basement.
The man who held her hostage is now in prison, serving close to 20 years. The girl's life was saved.
Other FBI Field Offices also have repeatedly stated that section 220 has been very beneficial to quickly obtain information required in their investigations.
Mr. Chairman and Members of the Committee, let me conclude my prepared remarks by saying that the provisions of the USA PATRIOT Act I have discussed today have proven significant to a number of our successes and I have every reason to believe that the need to retain these provisions in the future is also significant.
By responsibly using the statutes provided by Congress, the FBI has made substantial progress in its ability to enforce the law and protect lives, while at the same time protecting civil liberties. Thank you.
[The prepared statement of Mr. Martinez follows:]
PREPARED STATEMENT OF STEVEN M. MARTINEZ
Page 24 PREV PAGE TOP OF DOC
Good morning Mr. Chairman, Ranking Member Scott, and members of the subcommittee.
My name is Steven Martinez and I am the Deputy Assistant Director of the FBI's Cyber Division. The primary mission of the Cyber Division is to supervise the Bureau's investigation of federal violations in which computer systems, including the Internet, are exploited by terrorists, foreign government intelligence operatives, and criminals. In short, our mission is to protect the American public against a host of significant and potentially deadly high-tech crimes.
The uses of technology in our society are innumerable and their value immeasurable. The state of technology has been advancing rapidly over the past twenty years, much of it to the benefit of people living in all corners of the world. Unfortunately, the picture is not always so bright. Technology has also been used to harm people, while offering a particularly effective escape route. In this digital age, crimes can and do occur within seconds without the perpetrator ever getting anywhere physically close to the victim. In such a setting, law enforcement must be equipped with the investigative tools necessary to meet, locate, and incapacitate this growing threat. Law enforcement must be prepared to face sophisticated enemies and criminals who are known to exploit technology because of its ability to keep them far away from the scene of the crime, spread apart even from one another, and who have the ability to delete any digital evidence of their actions at the push of a button.
With this background in mind, I want to thank you for the opportunity to appear before you today to discuss certain sections of the USA PATRIOT Act which are scheduled to expire at the end of this year, specifically sections 209, 217, and 220.
Page 25 PREV PAGE TOP OF DOC
When Attorney General Gonzales testified before the House Judiciary Committee on April 6, 2005, he shared his firm view that each of the provisions of the USA PATRIOT Act that are scheduled to sunset at the end of this year must be made permanent. Director Mueller provided the FBI's perspective in a hearing before the Senate Judiciary Committee on April 5, 2005, and he too spoke of the crucial need to renew these provisions. Based on my knowledge of the interests, capabilities, and motives of those who, day in and day out, are attempting to do us harm by means of the Internet, I want to express my full agreement about the importance of the PATRIOT Act and the provisions I plan to address today. I believe that the Act's substantial merit can be demonstrated by what we already have experienced as a nation; still, it is equally true that the Act is essential so that we are prepared to confront the ever-evolving threat that no doubt will come.
SECTION 20—SEIZURE OF VOICE MAIL WITH A SEARCH WARRANT
Going in numerical order, allow me to start with section 209. Section 209 permits law enforcement officers to seize voice mail with a search warrant rather than a surveillance, or Title III, order. Section 209 provides a very good example of how the USA PATRIOT Act simply updated the law to reflect recent technological developments. The drafters of the Act determined that obtaining voicemail stored on a third party's answering system is more similar to obtaining voicemail stored on a home answering machine (which requires a search warrant) than it is to monitoring somebody's telephone calls (which requires a TIII order). In passing this portion of the Act, Congress made the statutory framework technology-neutral. Privacy rights are still well accounted for, since section 209 allows investigators to apply for and receive a court-ordered search warrant to obtain voicemail pursuant to all of the pre-existing standards for the availability of search warrants, including a showing of probable cause. With privacy rights left firmly intact, there is a distinct advantage to the public's safety when law enforcement can obtain evidence in a manner that is quicker than the Title III process.
Page 26 PREV PAGE TOP OF DOC
The importance of this provision is best understood in the context of how often terrorists and other criminals rely on technology to relay their plans to each other instead of risking face-to-face in-person meetings. Attorney General Gonzales gave a good sense of the diversity of those who would rely on the simple convenience of leaving voicemail in furtherance of their illegal activities when he pointed out that section 209 has already been relied upon to acquire messages left for domestic terrorists, foreign terrorists, and international drug smugglers.
Allowing section 209 to expire would once again lead to different treatment for voicemail messages stored on a third party's system than for the same message stored on a person's home answering machine. Doing so would needlessly hamper law enforcement efforts to investigate crimes.
SECTION 217—THE HACKER TRESPASSER EXCEPTION
I would like to move next to section 217, the hacker trespasser exception. Like section 209 before it, section 217 also makes the law technology-neutral. Section 217 places cyber-trespassers—those who are breaking into computers—on the same footing as physical intruders. Section 217 allows the victims of computer-hacking crimes voluntarily to request law enforcement assistance in monitoring trespassers on their computers. Just as burglary victims have long been able to invite officers into their homes to catch the thieves, hacking victims can now allow law enforcement officers into their computers to catch cyber-intruders. Think for a moment how odd it would be if a homeowner yelled out to a police officer ''Hey, there's a burglar in my house right now, help!'', only to have the police respond, ''Sorry, I have to apply for a court order first, try not to scare him off.'' The homeowner would be dumbfounded, and the burglar would be long gone by time the police returned. This, in essence, is what was occurring prior to the PATRIOT Act.
Page 27 PREV PAGE TOP OF DOC
It can be said that section 217, in a very significant way, enhances privacy. First, it is carefully crafted to ensure that law enforcement conducts monitoring against trespassers in a manner entirely consistent with protecting the privacy rights of law abiding citizens. Second, the essence of the section—to help catch hackers—serves a vital function in the FBI's ability to enforce data privacy laws.
With respect to the first point, the narrowly crafted scope of this legislation, section 217 preserves the privacy of law-abiding computer users by sharply limiting the circumstances under which the trespasser exception may be used. At its most fundamental level, section 217 requires consent. Law enforcement assistance is by invitation only. The computer crime victim is actually seeking the FBI's help. In addition, a law enforcement officer may not conduct monitoring based solely on the computer owner or operator's consent unless the law enforcement officer is engaged in a lawful investigation; has reason to believe that capturing the communications will be relevant to that investigation; and can ensure that the consensual monitoring will acquire only those communications that are transmitted to or from the hacker. On top of these requirements, section 217 then goes one step further. Based on the definition of a ''computer trespasser,'' section 217 does not allow law enforcement to come to the immediate aid of victims who are being hacked by one or more of their own customers. In those cases the owner or operator of the computer system cannot provide sufficient consent to monitor the trespasser, even if the hacker/customer broke into areas of the computer he has no authority to see (including other customer account information).
Still, despite this last limitation, the hacker trespasser exception has been an important tool for law enforcement to obtain evidence based on the consent of the victim, much of which involves protecting people's privacy.
Page 28 PREV PAGE TOP OF DOC
A diverse array of real-world examples from our criminal investigations demonstrate that this provision has been significant in order for the FBI to protect the privacy rights of individuals and businesses whose computers are being broken into for the purpose of stealing the personal data stored on their computers. Hackers have no respect for your privacy or mine. When hackers break into a computer network and obtain root access they get to look at, download, and even can make changes to, whatever information is on that network. Hackers can and do routinely steal social security numbers, credit card numbers, and drivers license numbers. Depending on the systems they break into, they can look at health care information and can change it at will. There has been an outpouring of concern from the American public to protect them from identity theft and to ensure that their personal records are secure. Congress has responded with a powerful array of laws that are designed to impose serious consequences on computer hackers. However, if law enforcement does not have the ability to quickly spot and then locate hackers, then the victim toll will mount and only the hackers themselves, remaining anonymous, will be left with privacy. The FBI understands the importance of preventing criminals from stealing and selling our information, and we are resolved to catch those who do. Section 217 is of enormous help in this regard.
For example, under this provision, the FBI was able to monitor the communications of an international group of ''carders'' (individuals that use and trade stolen credit card information). The group used chat rooms and fraudulent websites to commit identity theft, but managed to provide themselves with privacy by using false names to get e-mail accounts. The most important tool in their bid to remain anonymous was their use of a proxy server they broke into and then reconfigured. The identity thieves used the proxy server to disguise where all of their Internet communications were coming from. The owner of the proxy server was himself a victim of the crime, his computer having essentially been hijacked and transformed into the hub of a criminal operation. When he determined that his computer had been hacked he provided the FBI with consent to monitor the intruder and hopefully to catch him. The computer owner's ability to bring in the FBI paid off, not just for him but for the countless other victims of the identity thief. By taking advantage of hacker trespasser monitoring, the FBI gathered leads that resulted in the discovery of the true identity of the subject. The subject was later indicted and is now awaiting trial.
Page 29 PREV PAGE TOP OF DOC
Since its enactment, section 217 has played a key role in a variety of hacking cases, including investigations into hackers' attempts to compromise military computer systems. Allowing section 217 to expire at the end of this year would help computer hackers avoid justice and prevent law enforcement from responding quickly to victims who are themselves asking for help.
SECTION 220—SEARCH WARRANTS FOR ELECTRONIC EVIDENCE LOCATED IN ANOTHER DISTRICT
Lastly, I would like to turn to section 220 of the USA PATRIOT Act. Section 220 enables federal courts—with jurisdiction over an investigation—to issue a search warrant to compel the production of information (such as unopened e-mail) that is stored with a service provider located outside their district. The practical effect of this section is that our FBI Agents are no longer limited to applying for a search warrant solely from the court that sits where the service provider happens to be located.
Before discussing this section in depth, I think it is helpful to point out that the borderless nature of Internet crime means that more often than not ***the victim**** of a crime, the person who committed the crime, and ***the evidence**** of that crime are all located in different parts of the country (or indeed the world). Applying this fact in the context of a search warrant will demonstrate the utility and the necessity of section 220.
Prior to the PATRIOT Act, if an investigator wanted to obtain the contents of unopened e-mail from a service provider located in the United States, he or she needed to obtain a warrant from a court physically located in the same federal district as the service provider was located. To accomplish this, the FBI Agent working on the case (this Agent typically would be located where the victim is located) needed to brief another FBI Agent and prosecutor who were located in the ISP's jurisdiction (where the evidence happened to be electronically stored). The second FBI Agent and prosecutor then would appear before their local court to obtain the search warrant. This was a time and labor consuming process. Furthermore, because several of the largest email providers are located in a few districts, such as the Northern District of California and the Eastern District of Virginia, these FBI Agents, Prosecutors, and Judges were faced with a substantial workload dealing with cases in which neither the victim nor the criminal resided, and they had to be brought up to speed about the details of an investigation which, both beforehand and afterwards, they had no need to know.
Page 30 PREV PAGE TOP OF DOC
Section 220 fixed this problem. It makes clear, for example, that a judge with jurisdiction over a kidnaping investigation in Pittsburgh can issue a search warrant for e-mail messages that are stored on a server in California. As a result, the investigators in Pennsylvania can ask the judge most familiar with the investigation to issue the warrant rather than having to ask an Assistant United States Attorney in California, who is unfamiliar with the case, to ask a district judge in California, who also is unfamiliar with the case, to issue the warrant. Lest you think this is merely a hypothetical example, it's not. Using section 220, our FBI office in Pittsburgh was able to obtain a warrant for information residing on a computer in California that ultimately led to the rescue of a teenage girl who was being sexually tortured in Virginia while being chained to a wall in somebody's basement. The man who held her hostage is now in prison, serving close to 20 years. The girl's life was saved.
Other FBI Field Offices also have repeatedly stated that section 220 has been very beneficial to quickly obtain information required in their investigations. The value of this provision in terrorism cases already has been demonstrated time and again. In his April 6 testimony, Attorney General Gonzales pointed to its important application during investigations into the Portland Terror Cell, the ''Virginia Jihad'', and the Richard Reid ''shoebomber'' case.
It is imperative that section 220 be renewed. The provision expedites the investigative process and, in doing so, makes it more likely that evidence will still be available to law enforcement after it executes a court-authorized search warrant and obtains further leads; the provision frees up FBI, U.S. Attorney, and judicial personnel to more efficiently pursue other time-sensitive investigative matters; and, section 220 in no way lowers the protections that apply to the government's application for a search warrant.
Page 31 PREV PAGE TOP OF DOC
CONCLUSION
Mr. Chairman and Members of the Committee, the provisions of the USA Patriot Act I have discussed today have proven significant to a number of our successes and I have every reason to believe that the need to retain these provisions in the future is also significant. By responsibly using the statutes provided by Congress, the FBI has made substantial progress in its ability to enforce the law and protect lives, while at the same time protecting civil liberties. In renewing those provisions scheduled to ''sunset'' at then end of this year, Congress will ensure that the FBI will continue to have the tools it needs to combat the very real threats to America and our fellow citizens. Thank you for your time today.
Mr. COBLE. Thank you, Mr. Martinez. Mr. Dempsey?
TESTIMONY OF JIM DEMPSEY, EXECUTIVE DIRECTOR, CENTER FOR DEMOCRACY AND TECHNOLOGY
Mr. DEMPSEY. Mr. Chairman, Representative Scott, Members of the Subcommittee, good morning.
Mr. COBLE. Hold. If you will just suspend just a minute, Mr. Dempsey, I wanted to recognize the presence of the Gentlemen from Florida, Ohio, and Arizona to my right and the Gentleman from Massachusetts to our left.
Go ahead, Mr. Dempsey, and you won't be penalized for that time.
Page 32 PREV PAGE TOP OF DOC
Mr. DEMPSEY. Thank you, Mr. Chairman. We commend you, Mr. Chairman, and Members of the Subcommittee and the full Committee leadership for undertaking this series of hearings on the PATRIOT Act. From this kind of detailed, objective inquiry, we can attain the balance that was left aside in the haste and emotion in the weeks after 9/11.
My main point today is that while, of course, the law needs to keep pace with changing technology to ensure that the Government can get the information that it needs to prevent crime and terrorism, at the same time the law also needs to keep pace with changing technology to protect privacy, especially as technology changes in ways that make ever larger volumes of information available to the Government, particularly to acquire from third parties.
The PATRIOT Act addressed only one side of this equation. Now is the time for Congress to address the privacy issues and finish the job.
Perhaps the biggest change that is happening in technology that increases governmental access to information and that affects privacy is the storage of more and more information on computer networks, and under the control of third parties. The kind of information that you would normally keep in your file drawer, even on your laptop in your own possession, that information is increasingly moving out onto networks, onto web-based storage. And the law just draws a distinction, and I think a now outdated distinction, between interception of communications in transit and access to those communications in storage. And it draws a further distinction between whether the e-mail is opened or unopened. If it's opened, it gets less protection than if it's unopened. If it's older, it gets less protection than if it's new.
Page 33 PREV PAGE TOP OF DOC
Our recommendation is that Congress should take the Justice Department's description of 209, for example, the so-called voicemail provision, take their explanation and their description of that at face value and make seizure of all stored communications subject to a warrant.
The problem is that the way the law now works, if a stored voicemail is opened on your home answering machine—you listen to it, but you save it—it's protected fully by the fourth amendment, subject to a warrant. If it's opened on a third party server, it no longer is protected by the warrant requirement, which is why we say that section 209 is a little misleadingly named.
If that voicemail is older than 180 days or that e-mail is older than 180 days, it's not protected by the warrant requirement on the ISP computer, even though it is fully protected still if you've printed it out and put it in your file drawer, fully protected by the warrant requirement.
So Congress should eliminate this distinction, and, in fact, this Committee, the full Committee, did vote in 2000 to eliminate that distinction and to make all stored communications—whether opened or unopened, stored—I mean a long period of time or short period of time—subject to the same warrant requirement that the Justice Department refers to.
Turning just briefly to the interception of—and also to apply to those provisions some of the other protections in the law. Again, ensuring that the Government has the access, but, for example, we have absolutely no reporting on how often the Government accesses stored e-mail. We have very good and detailed statistical reports on live interceptions of e-mail and of phone calls through the annual wiretap report. But we really don't have a sense of access to stored communications. And as Professor Swire will describe now, with Voice Over IP, we're actually going to be seeing entire voice conversations stored for perhaps lengthy periods of time as the storage capacity is made available.
Page 34 PREV PAGE TOP OF DOC
Section 217. This isn't quite like the homeowner. When the homeowner—the homeowner can invite the police into this property in order to find an intruder. But the homeowner cannot authorize the police to look in the pockets of the intruder. They cannot authorize the police to open up the briefcase of the intruder and read what's inside the briefcase. It requires another exception to the warrant requirement: search incident to an arrest, which we don't have here; protection of the officer, which we don't have here. So this isn't just like that homeowner search.
Nationwide service of warrants I think could be very nicely addressed by allowing those warrants to be challenged both in the jurisdiction in which they are issued and in the jurisdiction in which they are served. I think that's an equitable and minor change that would rebalance that.
Mr. Chairman, Members of the Committee, we look forward to working with you on these issues as we move forward between now and the end of the year. Thank you.
[The prepared statement of Mr. Dempsey follows:]
PREPARED STATEMENT OF JAMES X. DEMPSEY
Chairman Coble, Rep. Scott, Members of the Committee, thank you for the opportunity to testify at this important hearing. We want to commend the Subcommittee and the full Committee leadership for undertaking this series of hearings on the PATRIOT Act. From this kind of detailed, objective inquiry, we can attain the balance that was left aside in the haste and emotion of the weeks after 9/11.
Page 35 PREV PAGE TOP OF DOC
Our main point today is that while, of course, the law needs to keep pace with changing technology to ensure that government agencies have access to information to prevent crime and terrorism, the law also needs to keep pace with changing technology to protect privacy, as technology makes ever larger volumes of information available for the government to acquire from third parties, without going to the subject of interest, as it used to have to do under the Fourth Amendment. The PATRIOT Act addressed only one side of this equation, making government access easier without counterbalancing privacy improvements. Now is the time for Congress to finish the job and address the privacy side of the equation.
In CDT's view, there are few if any provisions in the PATRIOT Act that are per se unreasonable. We see not a single power in the Act that should sunset. The question before us—and it is one of the most important questions in a democratic society—is what checks and balances should apply to those powers. With respect to the particular PATRIOT powers at issue in today's hearing, those time-honored checks and balances should include:
Judicial review of intrusive techniques, preferably judicial approval before a search.
Second, as a general rule, individuals should have notice when their communications are acquired by the government.
Finally, government surveillance needs to be subject to Congressional oversight and some public accountability, including through more detailed unclassified reporting.
In one way or another, PATRIOT Act provisions fail to include these checks and balances.
Page 36 PREV PAGE TOP OF DOC
PREVENTION OF TERRORISM DOES NOT REQUIRE SUSPENSION OF STANDARDS AND OVERSIGHT
At the outset, let me stress some basic points on which I hope there is widespread agreement:
Terrorism poses a grave and imminent threat to our nation. There are people—almost certainly some in the United States—today planning additional terrorist attacks, perhaps involving biological, chemical or nuclear materials.
The government must have strong investigative authorities to collect information to prevent terrorism. These authorities must include the ability to conduct electronic surveillance, carry out physical searches effectively, and obtain transactional records or business records pertaining to suspected terrorists.
These authorities, however, must be guided by the Fourth Amendment, and subject to Executive and judicial controls as well as legislative oversight and a measure of public transparency.
THE LAW NEEDS TO KEEP PACE WITH TECHNOLOGY—BOTH TO PROVIDE APPROPRIATE TOOLS TO LAW ENFORCEMENT AND TO PROTECT PRIVACY
We have been told that this hearing will focus on three sections: 209 (misleadingly entitled ''seizure of voice-mail pursuant to a warrant''); 217 (interception of computer trespasser communications); and 220 (nationwide service of search warrants for electronic evidence). Sections 209, 217 and 220 are not among the most controversial provisions of the PATRIOT Act. The fact that they are subject to the sunset at all, while, for example, the ''sneak and peek'' authority in Section 213 and the national security letter expansions in Section 505 are not subject to the sunset, illustrates how the debate over the sunsets is somewhat misplaced.
Page 37 PREV PAGE TOP OF DOC
As with most other sunsetted provisions, there is little call for denying government the access to information provided under Sections 209, 217 and 220. Rather, the questions posed by these sections are matters of checks and balances, related to the continuing but uneven effort to rationalize the standards for government access to electronic communications and stored records in the light of ongoing changes in technology. It is worth noting that Sections 209, 217 and 220 have no direct connection with terrorism. They apply to all criminal cases.
These sections highlight an overarching concern about the way in which amendments to the surveillance laws in recent years, and especially in the PATRIOT Act, have served as a ''one-way ratchet'' expanding government power without corresponding improvements in the checks and balances applicable to those powers. This has been a departure from Congress' traditional approach to electronic surveillance issues. In the first major wiretap statute, Title III of the 1968 Omnibus Crime Control Act; in the Electronic Communications Privacy Act of 1986; and even in the controversial Communications Assistance for Law Enforcement Act of 1994, Congress and the Justice Department agreed on the twin goals of ensuring law enforcement authority to intercept communications while also strengthening privacy protection standards, especially in light of changing technology.
This spirit of balance has unfortunately been lost. In recent years, time and again, the Department of Justice has proposed changes in the surveillance laws that reduce judicial oversight or increase Executive Branch discretion, and Congress has too often enacted them, without ever considering how these changes add up or whether other changes may be needed to increase privacy protections in response to advancements in technology that have made the government's surveillance more intrusive. Sometimes, as with the PATRIOT Act, this one-way expansion of government power occurs in a time of intense crisis. Sometimes, these changes occur stealthily, like the ''John Doe roving tap'' change that was added to FISA in December 2001 by the conference committee on the intelligence authorization act without having passed either the House or the Senate. Other one-sided and little debated expansions in the government's discretion include the expansion of ECPA's emergency disclosure authorities in the legislation creating the Department of Homeland Security, Pub. L. 107–296, Sec. 225(d). (That at least included a reporting requirement, which should be made annual.) A further exception to ECPA was made by Section 508(b) of the Prosecutorial Remedies and Other Tools to end the Exploitation of Children Today (PROTECT) Act of 2003, Pub. L. 108–21, which allowed disclosure without a warrant or subpoena of the contents of communications and subscriber identifying information to the National Center for Missing and Exploited Children, which in turn can disclose the information to law enforcement agencies. Changes to Title III's roving tap authority were adopted in the Intelligence Authorization Act for Fiscal Year 1999, Pub. L. 105–272, Title VI, Sec 604, Oct 20, 1998, 112 Stat 2413 (permitting roving taps to be implemented if ''it is reasonable to presume that the person identified in the application is or was reasonably proximate to the instrument through which such communications will be or was transmitted''). And Section 731 of the 1996 anti-terrorism act excluded interception of wireless data transfers and of information about electronic funds transfers from the coverage of Title III.
Page 38 PREV PAGE TOP OF DOC
Each of these changes is small in isolation, and each had a rationale. None, however, was considered in the context of other, long-recognized changes that need to be made to strengthen the privacy protections of the electronic surveillance laws, including:
extending Title III's statutory suppression rule to electronic communications, a change even the Justice Department once supported;
increasing the standard for pen registers and trap and trace devices, to give judges meaningful oversight, a change the full Judiciary Committee supported in 2000;
eliminating the distinctions between opened and unopened email and between relatively fresh and older email, by bringing all stored email under a warrant standard, another change the Committee supported in 2000;
establishing a probable cause standard for access to location information, a change this Committee also supported in 2000;
requiring reporting on access to email, also supported by the Committee in 2000.
With this context in mind, it is easier to see why even some of the minor changes in the PATRIOT Act draw concern, for they are part of a steady stream of uni-directional amendments that are slowly eroding the protections and limits of the electronic privacy laws.
SECTION 209—SEIZURE OF VOICE-MAIL MESSAGES PURSUANT TO WARRANT
Page 39 PREV PAGE TOP OF DOC
Section 209 is described as permitting the seizure of voicemail messages pursuant to a search warrant. Previously, while voicemail messages stored on an answering machine in one's home could be seized by a search warrant, access to voicemail messages stored with a service provider had required a Title III order, which offers higher protections. The theory behind section 209 is that stored voice messages should be treated the same as stored data.
On one level, Section 209 makes the rules technology neutral, which is usually desirable. If Section 209 is taken at face value, and if the only difference it effects is between a Title III order and a search warrant, both issued on probable cause, Section 209 does not represent a big change. For this reason, CDT has described Section 209 as one of the non-controversial provisions of the PATRIOT Act.
However, as Prof. Swire points out, Section 209 is misleadingly titled: Because the law that was amended by 209 draws some bizarre distinctions between read and unread email and between newer and older email, Section 209 means that a lot of stored voice communications will be available not with a warrant but under a mere subpoena.
Moreover, the Justice Department's explanation of Section 209 overlooks the importance of notice under the Fourth Amendment and under Title III, and the absence of notice under the rules applied to stored material held by a service provider. When voicemail stored on your home answering machine is seized, you are normally provided notice at the time of the search. You can examine the warrant and immediately assert your rights. When email or voicemail is seized from a service provider pursuant to a warrant, you as the subscriber may never be provided notice unless and until the government introduces the information against you at trial. If you were mistakenly targeted or the government chooses not to use the evidence, you need never be told of the search of your stored communications, so you have little meaningful opportunity to seek redress.
Page 40 PREV PAGE TOP OF DOC
In the case of stored messages (whether email or voicemail), it is not even necessary from an investigative standpoint to deny contemporaneous notice in the way it is with live interception. Denial of notice is justified in the case of real-time interceptions because the effectiveness of the technique would be destroyed if the target were given contemporaneous notice. In the case of stored email or stored voice messages, the evidence is already created and, especially if notice is given immediately after seizure, the subject cannot destroy it. Denial of notice in the case of third party searches for stored email or voicemail is not justified.
Recommendation: Congress should take the Justice Department's description of Section 209 at face value, and make all seizure of stored communications, whether voice or email, subject to a warrant. It could do so by eliminating the difference between opened and unopened stored records and between records 180 days old or less and records more than 180 days old. It should take the Justice Department's arguments at face value and adopt truly technology neutral rules for voice and data, whether in transit or in storage, applying the protections afforded under Title III:
minimization of non-relevant material,
notice to persons whose communications have been intercepted,
a statutory suppression rule, and
detailed statistical reports to Congress and the public.
Page 41 PREV PAGE TOP OF DOC
All of these protections apply to e-mail and voice when intercepted in transit. None of them apply to e-mail and voice seized from storage.
The Storage Revolution Is Rendering the Law Obsolete
A storage revolution is sweeping the field of information and communications technology. Service providers are offering very large quantities of online storage, for email and potentially for voicemail. Increasingly, technology users are storing information not in their homes or even on portable devices but on networks, under the control of service providers who can be served with compulsory process and never have to tell the subscribers that their privacy has been invaded. New Voice over Internet Protocol (VoIP) services may include the capability to store past voice conversations in a way never available before, further obliterating the distinction between real-time interception and access to stored communications.
Section 209 takes a seemingly small category of information out of the full protection of the Fourth Amendment and moves it under the lowered protections accorded to remotely stored communications and data. But stored voicemail is the tip of an iceberg. Increasingly, individuals are using stored email to store documents, including draft documents on computers operated by service providers and accessed through a Web interface.
Rather than allowing growing amounts of personal information to fall outside the traditional protections of the Fourth Amendment, it is time to revisit the rules for networked storage (whether of voice or data) and bring them more in line with traditional Fourth Amendment principles, by requiring contemporaneous notice as the norm and covering both newer records and older records (again, whether voice or data) under the same probable cause standard. That would be truly technology neutral and would have the advantage of not allowing technology advances to erode privacy protections.
Page 42 PREV PAGE TOP OF DOC
Section 217—Interception of computer trespasser communications
Section 217 permits law enforcement agencies to carry out electronic surveillance of without a court order when the service provider permits the surveillance on the ground that a ''trespasser'' is using its system. Section 217 represents another in a steadily growing series of exceptions to the protections of the electronic communications privacy laws. (The emergency disclosure provision of Section 212 is another example.)
Section 217 and similar provisions essentially allow ''off the books surveillance''—they define certain interceptions not to be interceptions, and certain disclosures not to be disclosures. Once an access to communications or data is excluded from the coverage of the surveillance laws, not only is it not subject to prior judicial approval, but also there are no other protections normally associated with electronic surveillance:
There is never a report to a judge. (In contrast, under both Title III and FISA, when electronic surveillance is carried out on an emergency basis, an application must be filed after the fact.)
There is no time limit placed on the disclosures or interceptions. (A Title III wiretap cannot continue for more than 30 days without new approval.)
There is never notice to the person whose communications are intercepted or disclosed.
There is no statutory suppression rule if the communications were improperly seized, and there would be no suppression remedy at all if the information is deemed to be outside the protection of the Fourth Amendment.
Page 43 PREV PAGE TOP OF DOC
The interceptions and disclosures are not reported to Congress or the public.
The Department of Justice, in its defense of Section 217, claims that the privacy of law-abiding computer users is protected because only the communications of the computer trespasser can be intercepted. But what if the system operator is wrong? What if there is a legitimate emergency, but law enforcement targets the wrong person? Under Section 217, a guilty person gets more notice than an innocent person—the guilty person is told of the surveillance or disclosure but the innocent person need never be notified.
Contrary to the Department's arguments, Section 217 is not analogous to the case of the home trespasser. While the homeowner can invite in the police onto his property, the homeowner cannot authorize the police to go through the trespasser's pockets or read the papers in his briefcase. To do so requires a separate Fourth Amendment basis, which would require a warrant unless one of the exceptions applied, and in the online context, there may be no other exception available.
Recommendation: While an emergency exception to the court order requirement may be appropriate for trespasser situations, interceptions under the trespasser rule should be treated as interceptions under Title III:
As with other emergency interceptions, when electronic surveillance is carried out on an emergency basis, an application for judicial approval must be filed after the surveillance commences
Page 44 PREV PAGE TOP OF DOC
The length of interceptions should be limited to the time necessary to identify the trespasser or for 30 days, whichever is less
Interceptions under the trespasser rules should be treated as interceptions for purposes of giving delayed notice to the person whose communications are intercepted.
Interceptions under the trespasser rules should be treated as interceptions for purposes of the statutory suppression rule.
Interceptions under the trespasser rule should be counted as interceptions for Title III purposes and included in the annual Wiretap Report.
Section 220—Nationwide service of search warrants for electronic evidence
Section 220 amended 18 U.S.C. 2703 to allow judges to issue search warrants for electronic evidence that can be executed outside of the district in which the issuing court is located. In a world where the center of an investigation may be in one state, but the target's ISP has its servers in another state, this makes obvious sense. Moreover, unlike Section 216, which authorizes a kind of roving pen register (one order can be served on multiple service providers in different districts until the government gets the full picture it wants), it seems that search warrants under Section 220 have to name the service provider upon whom they will be served. If it turns out that that provider does not have the records being sought, the government will have to obtain a new search warrant (as it would any time a search warrant does not turn up the expected evidence.)
Page 45 PREV PAGE TOP OF DOC
However, as the Electronic Privacy Information Center has noted, Section 220 removes ''an important legal safeguard by making it more difficult for a distant service provider to appear before the issuing court and object to legal or procedural defects. Indeed, it has become increasingly common for service providers to seek clarification from issuing courts when, in the face of rapidly evolving technological changes, many issues involving the privacy rights of their subscribers require careful judicial consideration. The burden would be particularly acute for smaller providers.''
Recommendation: One solution to this problem is to allow a warrant to be challenged not only in the district in which it was issued but also in the district in which it is served. While the issuing judge may have a better sense of the factual basis for the order, a judge in the district in which the order is served may be in a better position to interpret or redefine the scope of the order in light of issues concerning the system of the service provider on whom the order is served.
Even aside from Section 220, whether search warrants for electronic evidence are issued for evidence inside or outside their jurisdictions, judges should question applicants to be sure that the warrant is narrowly drawn. Judges should use extra care in understanding what information is being sought, whether it will be copied or originals will be seized (interfering with ongoing business), and whether it is possible to disclose just certain fields or just records from a certain pertinent timeframe. These are analogous to questions that judges have the authority to consider in the case of physical searches, but judges need to understand computer systems in order to fully enforce the specificity requirement of the Fourth Amendment in the digital context. Judges should look more carefully at the return of service. While notice under 18 U.S. C. 2705(b) can be prohibited, judges should be hesitant to deny notice to the person to whom the records pertain, since the subscriber is really in the best position to raise legitimate concerns. This is just another way in which judges faced with the authorities of the PATRIOT Act can assert closer scrutiny and place conditions on the exercise of PATRIOT authorities without denying the government access to the information needed.
Page 46 PREV PAGE TOP OF DOC
CONCLUSION
CDT supports the Security and Freedom Enhancement (SAFE) Act, a narrowly tailored bipartisan bill that would revise several provisions of the PATRIOT Act. It would retain all of the expanded authorities created by the Act but place important limits on them. It would protect the constitutional rights of American citizens while preserving the powers law enforcement needs to fight terrorism.
We look forward to working with this Subcommittee and the full Committee as you move forward in seeking to establish some of the checks and balances that were left behind in the haste and anxiety of October 2001.
Mr. COBLE. Thank you, Mr. Dempsey. Professor Swire.
TESTIMONY OF PETER SWIRE, PROFESSOR OF LAW, OHIO STATE UNIVERSITY
Mr. SWIRE. Thank you, Mr. Chairman, and Mr. Ranking Member, and Members of the Committee. I appreciate very much the opportunity to testify before you today.
Most of my remarks today will be on section 209 of the PATRIOT Act, the section that expanded the Government's access to voicemail and many other telephone conversations without the need for a wiretap order.
Page 47 PREV PAGE TOP OF DOC
Before turning to that, I will briefly comment on the other two sections that are the subject of today's hearing.
Both section 220, on nationwide service of warrants, and section 217, the computer trespasser exception, were considered in detail when I chaired a White House Working Group in 2000 on how to update surveillance law for the Internet Age. As my written testimony explains in greater detail, I generally support extension of section 220 although with some refinements that Jim Dempsey has in his written testimony.
For section 217, however, modifications should be made. Section 217 solves some important real-world problems. It lets a computer system owner ask the police for help when their system is under attack. With the owner's permission, law enforcement can surf over the shoulder of the system operator in order to spot the hacker and track him back through the Internet. That's the good news.
The bad news, though, is that there are no checks against abuse in the section. Section 217 says the police are only supposed to look at the communications of the hacker. But if the police look at other e-mail and web traffic they can still use all that information. They can use it in future investigations. They can use it in court. The incentives for law enforcement are to get permission to enter the system under 217, and then see how much they can get to see while they're there.
As my written testimony explains, there is a simple solution to this. It's the same solution that this Committee, the Judiciary Committee in full, passed in 2000, with only one dissenting vote. The simple solution is that the same suppression rule that applies to phone wiretaps should also apply to e-mails. If law enforcement breaks the legal rules, if they go too far and break the law, they should not get to use the fruits of the illegal search.
Page 48 PREV PAGE TOP OF DOC
The rest of my time I'm going to spend on section 209. It turns out that section 209 has much broader ramifications than most people realize—than I realized before I was asked to testify this week.
Section 209 allows the Government to get access to voicemails and many telephone conversations with much less than a wiretap order. The actual textual change in 209 is simple. The old law said that stored electronic records were under looser rules of the Stored Communications Act. All the PATRIOT Act did was say stored wire or electronic records; wire means any voice, telephone calls, voicemail sorts of records.
In many instances under section 209 now, law enforcement can get your stored, but also stored voice now with a grand jury subpoena, where there's no judge involved at all or else with a judicial order that requires much less than probable cause.
Section 209 was given to the Congress and to the public as if it were only about voicemail. It does apply to voice mail, which are stored telephone communications, but that's not all. The key new thing I think we're learning is that section 209 applies to any and all telephone conversations that are stored. The term ''voice mail'' does not exist in the statutory text, except in the title.
Should any of us care about stored telephone conversations? The answer is yes. The simple technological fact is that stored telephone conversations are becoming much more common due to changing phone technology. Every major telecomm company is part of this shift. SBC, Comcast, Verizon, Qwest—all of them are implementing right now major moves into this new phone technology. The new technology has a clumsy name, VOIP, which means Voice over Internet Protocol. What it means is that telephone conversations are shifting to this Internet protocol. What that means, in turn, is that telephone conversations are being stored at home and in the network for millions of Americans.
Page 49 PREV PAGE TOP OF DOC
The numbers for this change are big and they are real. This is not Internet hype. The phone software called Skype has now recorded over 100 million downloads. Over 20 percent of all new business phones already use this technology, with estimates of over half of new business phones within 3 years. Growth rates in the residential sector are over 30 percent a year.
Because VOIP uses the Internet to transmit voice, all the tools that make the internet work come into play. The Internet tool that section 209 takes advantage of is called caching. Just as your web browser stores graphics and images in its caches, ordinary users can and will have their phone conversations stored or cached at the Internet network level. People won't even realize their phone conversations are being stored, putting their phone calls at risk of being seized with much less than a wiretap order.
What should be done with section 209? The first thing is that you shouldn't simply take my word for these changes. You should ask the Department of Justice. They're here today and my written testimony suggests questions you can pose to the Department. And this way, all of us will know what the new law really means.
My written testimony suggests possible changes to be done to address this concern, and in conclusion I thank the Committee for the opportunity to share these thoughts.
My written testimony contains citations to my law review and other writings on the PATRIOT Act, and if I can be of assistance in the future, please do not hesitate to ask.
Page 50 PREV PAGE TOP OF DOC
[The prepared statement of Mr. Swire follows:]
PREPARED STATEMENT OF PETER P. SWIRE
Swire1.eps
Swire2.eps
Swire3.eps
Swire4.eps
Swire5.eps
Swire6.eps
Swire7.eps
Swire8.eps
Swire9.eps
Swire10.eps
Page 51 PREV PAGE TOP OF DOC
Swire11.eps
Mr. COBLE. Thank you, professor, and we've been joined by the Gentlelady from California, Ms. Waters.
We will probably, folks, have a second round today. This is a very important subject matter, so we'll probably do a second round.
Ms. Parsky, your written testimony provides a good description of the distinction between communications subject to a wire tap communication—subject to stored communications.
You state that the Wire Tap Act—and I assume that you refer to wiretaps generally—was designed to address a very particular type of situation: the ongoing interception of real-time conversations. You then distinguish ongoing interception of real-time with the one time access to stored communications, such as voicemail.
Now, if I understand Professor Swire's claims, he argued that the possibility—that with the possibility of future technology, store telephone calls over the computer—the distinction between wiretaps and stored communications will be lost.
Cannot a person already record their phone calls through high-tech message machines?
Ms. PARSKY. Mr. Chairman, you raise a very important issue, which I think actually there are two issues raised by Professor Swire that I'd like to clarify.
Page 52 PREV PAGE TOP OF DOC
One is that to the extent that individual parties choose to store or to record conversations that they may have, whether it be over VOIP, which uses an Internet protocol, or over a normal telephone, over a wire system, once those communications are stored by the individual in either world they are subject to a search warrant. There's nothing that's special or different about VOIP in that context.
You could just as easily have a conversation with—between two parties and one of the parties has a—makes a consensual recording of that conversation and stores it on a cassette in their home.
The other important thing to point out is that VOIP does not change the obligations that are on service providers, whether they be a cable company or a telephone company; that to the extent that there's any interception and seizure of communications beyond that which is necessary to the provision of the services, they're violating the Wiretap Act, and there are consequences for that.
So I think that there is much ado about the new technologies that are coming up in our future. But, in fact, there's really nothing different except for the protocol. The same laws, the same restrictions would apply.
Mr. COBLE. Thank you. Professor Swire, is—you indicate that 209 applies to all stored telephone communications and not just the voicemail. Is not the real distinction that law enforcement receives the stored communication through a one-time access request rather than ongoing interception?
Page 53 PREV PAGE TOP OF DOC
Mr. SWIRE. That's the distinction the Justice Department is supporting. That means that if your phone conversations are stored at the network level by your ISP in the future, they'll be accessible under that Stored Communications Act. Up until now, those phone conversations that went through the telephone network, you needed a wiretap order to hear what Jim Dempsey and I were saying.
Tomorrow, if it's stored at the network level, the Justice Department can get it, in some cases with a grand jury subpoena or other lower than search warrant requirements.
Mr. DEMPSEY. Mr. Chairman, could I speak to this question?
Mr. COBLE. Sure.
Mr. DEMPSEY. Cause this is a very good line of questioning.
One distinction is between the sort of real-time interception and the stored.
Another distinction looks to where is it stored. If you store a voicemail, an e-mail, a document in your office or in your home, no matter how old it is, no matter what you've done with it, if you've read it or not read it, it's protected fully by the fourth amendment and requires a warrant. If you store it outside of your home—if it's stored in the basement of the Capitol Building or stored on a server of the telephone company, which increasingly it is—it's not protected by the fourth amendment. It doesn't require a warrant, particularly after you've read that e-mail or listened to that telephone call, and to get one—it's not so much—there is a distinction between ongoing and one-time. But to get one piece of paper from your office, a warrant is required. To get one recorded phone call from your office, a warrant is required. You have to get it from——
Page 54 PREV PAGE TOP OF DOC
Mr. COBLE. My time is about to expire. I don't want to overlook Mr. Martinez, since the other three—are you going to weigh in, Mr. Martinez?
Mr. MARTINEZ. Well, again, I think one of the things that we need to recall is that we are talking often of situations where consent is acquired, in fact, is initiated by a victim. And so this is a different situation than where we would initiate an investigation, you know, go through the effort to obtain a wiretap warrant.
So I think we do need to recognize that there are real victims in these types of situations and that consent is often the entry point that we have as the law enforcement agency.
Mr. COBLE. My time has expired. The Gentleman from Virginia.
Mr. SCOTT. Thank you, Mr. Chairman. Let's put a little bit—put this in perspective. Either search warrant versus a wiretap warrant, what is the exact difference between the two. I mean the wire tap you have to have—go to the judge, get a probable cause, listen in. It's limited. Search warrant can be done administratively without a judge looking over from time to time?
Mr. DEMPSEY. Well, Congressman, in both cases, it requires a finding of probable cause by a judge. In the case of a wiretap, at least for voice communications, it requires in the Federal case, it only applies to a certain number of serious crimes—a list of about a hundred of the most serious crimes. It requires senior Justice Department approval. There are periodic reports to the judge. There's a statutory suppression rule in addition to whatever fourth amendment suppression rule there is. And there are these fairly detailed and useful reports to Congress about the use of the technique.
Page 55 PREV PAGE TOP OF DOC
Mr. SCOTT. Mr. Martinez, are there any things such as an administrative search warrant?
Mr. MARTINEZ. An administrative search warrant? There are administrative subpoenas, but again a search warrant connotes that a law enforcement officer has had to make findings of facts, provided that in an affidavit, and it is reviewed and becomes an order of the court to take action.
Mr. SCOTT. That's the search warrant. Now, if you're going to this ISP off site, do you need a search warrant—you don't need a search warrant?
Mr. DEMPSEY. If the communication is an unopened e-mail 180 days old or less, you need a search warrant. If it's an opened e-mail, you use a subpoena. If it's more than 180 days old, you use a subpoena.
Mr. SWIRE. Can I make a real quick point on that. I don't think we know what an unopened phone call looks like. That's never been defined. But if I've talked with you on the phone, the Justice Department may think that's already been opened, and they might get it under the lower standard. That's obviously something to clarify.
Mr. SCOTT. Well, let's—Mr. Dempsey, you kind of talked about letting the police into my house and letting them look around is different from letting them look into the crooks' pockets. Let me know if I got this wrong. I looked at it a little different. I looked at it not as me letting the police into the house. I live in an apartment building. How about the apartment superintendent letting them into my apartment. Isn't that more akin to what's going on when AOL let's you into my e-mails going back and forth?
Page 56 PREV PAGE TOP OF DOC
Mr. DEMPSEY. I think that's a very interesting way of looking at it. It may be another appropriate way. It is true—and I think appropriate—that system administrators have the right to monitor their own systems. I think maybe the supervisor of the apartment, if he believes you're away, and an intruder breaks into your apartment, the supervisor of the building can call the police and say someone is in so and so's apartment.
Mr. SCOTT. In that case, you've got kind of an assumed permission that if there's a leak, the water is flowing out of my front door and I'm not there, the superintendent can go in. Over my objection without me knowing, can the building superintendent let the police into my apartment to wander around?
Mr. DEMPSEY. I think there are some circumstances probably in which they can.
Mr. SCOTT. But that's not the normal situation.
Mr. DEMPSEY. Now, it would be—let me say one of the ways in which people have talked about section 217, this trespasser provision, is as an emergency provision, particularly in the case of computer crime, in which time is of the essence; the hacker may be in and out; you need to get the information quickly.
But if that's the justification—if we're looking at a sort of an emergency exception—a funny smell is coming from your apartment or there's terrible noises coming from your apartment, screaming—in those kinds of situations, there might be grounds to enter without a warrant. But as in emergency wiretaps generally, there should be then go to the judge, take care of the emergency, then go to the judge, get the order, count it as an interception, bring it under the other rules, count it—report it to Congress, et cetera.
Page 57 PREV PAGE TOP OF DOC
Mr. SCOTT. Yeah, but you got to have a check and balance. If you call it an emergency and go get something, and it wasn't an emergency, you got the exclusionary rule looking at you. So you don't have an incentive to trip over the fourth amendment.
Mr. DEMPSEY. Correct.
Mr. SCOTT. Because if you found something, you can't use it, so there's no incentive—and that's kind of the policing mechanism you have if there's no incentive, you don't do it.
Mr. DEMPSEY. And here——
Mr. SCOTT. But there is an incentive to cheat and get in there. If you can use it, then there are no sanctions because you're not going to be able to sue the police—a guilty person is not going to sue the police, and get any——
Mr. DEMPSEY. Well, there are two or three provisions in the PATRIOT Act that I would sort of call ''off the books'' surveillance. What we do is we define it not as an interception or not as a disclosure, and then once we do that under the statutory structure, all of the other protections are eliminated, including the suppression rule. And what I think Professor Swire and I are saying is recognize the trespasser concept to some extent, but build around it some more checks and balances.
Page 58 PREV PAGE TOP OF DOC
Mr. SCOTT. It's well known that e-mails kind of survive in cyberspace somewhere after you thought you had erased them. Are voicemails similarly preserved some kind of way? If you got a Verizon——
Mr. SWIRE. It depends on what Verizon or SBC does in their system. As you move towards——
Mr. SCOTT. You mean we don't know?
Mr. SWIRE. I don't know.
Mr. SCOTT. We don't know if our voicemails are preserved in cyberspace. Anybody know? We have another round, gentlemen.
Mr. MARTINEZ. I think that you'd find in the industry that there are different means of doing that in different technologies for storage and different reasons that they might have for storing, including billing purposes and that type of thing.
But if I may for a minute, I don't know if the analogy or the contrast between an emergency situation and one that is not emergency is really the appropriate one, because we don't want to take away from the victim, and again we talk about systems administrators. They're in the best position to determine whether or not their system is under attack. And there are instances where they may have evaluated that they have a situation where they can record all that—all the traffic and at a later date, because it's not considered particularly virulent to their system provide that to law enforcement and say I think I may have had an attack. It doesn't appear to have been a great one.
Page 59 PREV PAGE TOP OF DOC
Or they may determine that they are under a current attack and there's information being exfiltrated in real-time. We're forcing a distinction upon them that really ought to be up to them to decide. You know do I have a more expedient situation. But what we don't want take away from them is our ability to address it quickly and try to mitigate—help mitigate it for them.
Mr. COBLE. The Gentleman's time has expired. And as I said, we'll do another round. The Gentleman from Arizona, Mr. Flake.
Mr. FLAKE. Thank you, Mr. Chairman—the witnesses.
Ms. Parsky, under section 209 how long can law enforcement go without notifying a subscriber or a customer that their stored communications have been accessed? How long is it? Is it indefinitely? And if not, how long is the longest time that it's happened?
Ms. PARSKY. Well, excuse me, under section 209 actually is not the provision and the PATRIOT Act is not the provision that makes that determination. It's actually determined by ECPA. And under ECPA, there is a requirement that for stored electronic communications or wire communications, section 209 then brings in the wire communications, either you need to access them with a search warrant if they are unopened or within the first 180 days, in which case there would be notice with the search warrant, or if they are older than 180 days, then you have to provide notice and a court order. So it's not a search warrant, but the provision of ECPA requires notice if a search warrant is not used.
Page 60 PREV PAGE TOP OF DOC
Mr. FLAKE. So under no circumstance is anyone's stored electronic communication accessed without their knowledge.
Ms. PARSKY. Well——
Mr. DEMPSEY. Congressman, if I—could I respond?
Mr. FLAKE. Sure. Please.
Mr. DEMPSEY. I think in the case of a warrant, the notice is served on the service provider with the warrant. There's no notice to the customer ever——
Mr. FLAKE. That's what I——
Mr. DEMPSEY. —unless the evidence is used against them in court.
Mr. FLAKE. That's my question.
Ms. PARSKY. That's correct.
Mr. FLAKE. When will the customer know?
Ms. PARSKY. Well, as with any business records that might be stored by a third party, if you have a bank, for instance and there's a grand jury subpoena and law enforcement has, you know, lawful right to access those records that are being stored by a third party, the customer, the owner of those records, would not get notice either. So this isn't applying anything different.
Page 61 PREV PAGE TOP OF DOC
Mr. FLAKE. But this is—it is different, though.
Mr. SWIRE. But this is the world of stored records we're moving to, and we're hearing that the customers never find out under these grand jury subpoenas and other things. This is what would apply to an increasing number of ordinary phone calls going forward.
Mr. FLAKE. This is different. I would maintain that if you have an account at a bank, obviously you're a customer of that bank. Maybe you don't know that the bank is being monitored or surveilled or information is being gathered, but in this circumstance, you are the target. But, yet, because law enforcement gets it from a third party, then you, the target, are not informed, and you're saying that that is the case; that can be the case for an indefinite period of time?
Ms. PARSKY. That's correct. If you are the target, whether it's a voicemail message that's being stored, or it's your bank records being stored, you would have notice if there are criminal charges brought, and that's part of the Government's case, through the discovery process.
Mr. FLAKE. But not until the criminal charges are brought?
Ms. PARSKY. Right.
Mr. FLAKE. Surveillance——
Page 62 PREV PAGE TOP OF DOC
Ms. PARSKY. It's comparable in the physical world or in the electronic world.
Mr. FLAKE. Mr. Dempsey, you care to——
Mr. DEMPSEY. Well, which means that in the case of the individual whose records are wrongly acquired, who's never charged with a crime, the person who really would want to have some recourse, he may never be told.
Mr. FLAKE. Does that trouble you, Mr. Martinez? You seem to indicate concern for the victims quite a bit. Would somebody be considered who was wrongly believed to have information that would make them a suspect, but then never—they never find out that they were being surveilled?
Mr. MARTINEZ. Well, I think one analogy I could draw is in the world of physical surveillance. You know we follow bad guys, and they make contact with both other bad guys and other unwitting people that might not be part of their conspiracy. And so there is going to be times when we do have information or do see information that might not regard the actual crime that we—but what we're interested in is evidence. And we're going to boil it down to evidence, and I think that's the approach we would take.
Mr. FLAKE. Ms. Parsky, what delays were experienced prior to section 209 that made section 209 necessary?
Ms. PARSKY. Well, I think that there is the basic fact that the procedures for obtaining a wiretap, which are procedures that are put in place for the very special circumstance and the increased expectation of privacy and invasion of that privacy when you have an ongoing interception of live communications. And because of that, what the Wiretap Act puts in place additional procedures, additional protections to the Constitution that are resource intensive and time consuming.
Page 63 PREV PAGE TOP OF DOC
With respect to a search warrant, there still are constitutional protections. There's still a standard of probable cause that needs to be met, and it's still presented to a neutral magistrate to make a neutral decision, but there aren't all the same hoops that need to be jumped through because it's a stored communication which, not under the PATRIOT Act, but, you know, over 20 years ago, was determined does not meet the same level of protection as an ongoing interception.
Mr. COBLE. The Gentleman's time has expired. The Gentleman from Massachusetts, Mr. Delahunt.
Mr. DELAHUNT. Yes, thank you, and this is again, Mr. Chairman, I want to compliment you and the Ranking Member for providing us with a very informative panel, much like the one we just had the other day.
Mr. COBLE. Thanks.
Mr. DELAHUNT. You know some of us understand the law well. And from past experience, we've been involved in these kind of investigations involving electronic eavesdropping, et cetera, and we're familiar with the act.
I think what you have to understand is that many on this panel, and I presume in Congress, are illiterate when it comes to the technologies. I, for example, don't know how to use e-mail. I don't have what do you call it a Palm Pilot or a Blackberry. I don't know how to turn on a computer. So I'm really at a disadvantage in the sense that I understand the law, but I really don't understand the technologies.
Page 64 PREV PAGE TOP OF DOC
But I think the overarching concern—and I think it's been expressed rather well by both Mr. Dempsey and Professor Swire—the issue here is really one of privacy. And fundamentally, I think our purpose should be—and in this recent colloquy that you had I think with Mr. Flake involving notification—there's another piece of this, too, and that's the issue of transparency. I think much of the concern that the American people have is what's happening. You know, people like myself really don't know what's happening, because we're not familiar with the technologies. But we have this very profound unease that something is happening, and it may be untoward and it may be intrusive of our privacy.
So I think what we ought to be doing is examining how we deal with the concerns that the American people have in terms of their privacy. I think we address that through as much transparency as we can without imposing impediments that are really unreasonable on the Government. And I would suggest that's the kind of balance that we want to strike. I see the—this particular—the issues that we've been discussing here today as an opportunity to do just that. I mean why—what's magical about 180 days? And that is—is that really a false distinction? I don't know. I—you know.
Mr. SWIRE. Congressman, can I?
Mr. DELAHUNT. Sure.
Mr. SWIRE. In preparing for the testimony, I went back and looked at the Committee report from 2000 or H.R. 5018. That's when this Committee, the full Committee, in great detail looked at many of these issues. That Committee report is written in pretty plain English. It explains a lot of these issues and hits some of the——
Page 65 PREV PAGE TOP OF DOC
Mr. DELAHUNT. I was on the Committee at the time, and I was very proud of the fact that the Committee came out with a—I think a fine piece of legislation unanimously and one I think that was very thoughtful and many of us were very much engaged in that. But I think the reauthorization process now provides us an opportunity to do some clean up and anticipate, like VOIP. I mean I don't even know what VOIP is. I mean I can't even imagine. What do you? What do you sit in front of a screen and talk to the screen? I don't know.
Mr. SWIRE. No. It's really great now. You'll use a regular handset. You'll think it's a phone call, but it's going through the Internet.
Mr. DELAHUNT. Well, that's good. I mean I don't have a clue.
Ms. PARSKY. If I may, I'd like to address the privacy issues that you raise and I think one important thing here is that we stay focused on the PATRIOT Act and the sunset provisions of the PATRIOT Act.
Mr. DELAHUNT. Now, see that's where I disagree with you. Okay. I think we have—we can amend the PATRIOT Act without just addressing those provisions that are sunset. I think we have an opportunity here to do something again without imposing an impediment on the Government, but if we just focus on these particular sections without implicating ECPA and all these other rather significant ancillary pieces of our statutory scheme that by necessity are implicated, we're really not going to, I think, come up with a product that I think reassures the American people that their privacy is being protected, for example. That's my point.
Page 66 PREV PAGE TOP OF DOC
Mr. DEMPSEY. Congressman, if I could, just on the question of transparency. I think you're 100 percent correct. There are two ways that we provide transparency.
One, which Congressman Flake was referring to——
Mr. DELAHUNT. Notification.
Mr. DEMPSEY. —notice to the individual. Under the wiretap law, the surveillance is conducted in secret. Absolutely. The technique would be ineffective. It would be worthless unless there were that secrecy.
Mr. DELAHUNT. Right.
Mr. DEMPSEY. But after, as you know, the investigation is closed, then notice is provided to people whose communications were intercepted whether they are charged with a crime or not.
But for some of these other provisions, we do not have that kind of notice. And, for example, in the trespasser case, section 217 says that the trespasser interception is not an interception to be counted, to be notified, to be reported to a judge, et cetera. I think that could be addressed.
The second way we do transparency is by reports to Congress. And I think partly the sunset has helped to draw some of that information out, but now if these authorities are going to continue, and they probably should continue, there needs to be that kind of statutory reporting obligation that says how often are they being used, how many individuals' communications are being implicated, et cetera.
Page 67 PREV PAGE TOP OF DOC
Mr. COBLE. The Gentleman's time has expired. You may continue that for the second round, Mr. Dempsey. I want to say to my friend from Massachusetts you have assuaged my discomfort. I am relieved to know that I am not the lone Member of Congress who does not possess a Palm Pilot. [Laughter.]
Mr. DELAHUNT. In fact, we are the brotherhood.
Mr. COBLE. The Gentlelady from California, Ms. Waters.
Ms. WATERS. Well, thank you very much.
Ms. Parsky and Mr. Martinez, since sections 209, 217, and 220 are not specified as tools solely to combat terrorism and terrorism-related activities, how many times have these sections been used in non-terrorist criminal investigations? If the USA PATRIOT Act was passed to aid in terrorism and terrorism-related investigations, then what are the purposes for sections 220, 217, and 209 if these sections do not limit investigations strictly to terrorism and terrorism-related investigations?
Ms. PARSKY. Let me begin and then Mr. Martinez I'm sure will have some followup. But the first thing that I think is important to make clear is that the PATRIOT Act contains provisions that are specifically addressed to terrorism, but it also contains provisions that are not specifically addressed to terrorism, and because there are those specifications in certain provisions, the other provisions by necessity are necessity are modernizations of all of the criminal procedures; and that if there had been an intent that it only be applied to terrorism, it would have been stated as such. These provisions that we're talking about today are some of those very provisions that are intended just to modernize the tools that are available to law enforcement to protect our communities across the board, not just the terrorists.
Page 68 PREV PAGE TOP OF DOC
Ms. WATERS. May I interrupt for one moment? I want to be clear that you're saying that the stored communications that have been referenced here so many times today—the telephone calls, et cetera—may be accessed without notification to the party that is the target of the investigation, and this information may be used in any shape, form, or fashion that the interceptor would like to use it for?
Ms. PARSKY. Absolutely. What this does is it applies the same normal rules that would apply to any criminal investigation.
Ms. WATERS. No. No. No. But this is without notification—well. This is information—these are facts. It's not as if you have an investigation to seek facts. Whatever is on the record is on the record. The telephone calls are there. The messages are there—what have you. They're accessed. I don't know about it. You don't need a warrant to get it. You can use it any way that you want to. Perhaps you have an investigation about terrorism. There is not terrorism, but you find that somebody may have committed another infraction or it could be considered a crime. Then you take this information and you pass it on to another law enforcement agency. Is that what you're saying?
Ms. PARSKY. Well, what I'm saying is that the same rules that have applied for years——
Ms. WATERS. Well, we haven't had these rules.
Ms. PARSKY. No, but the rules aside from the PATRIOT Act. The same rules that have applied to electronic mail, that have applied to physical records that are stored with a third party, these exact same rules. All the PATRIOT Act does is it says that you treat the same all types of stored communications, whether they are wire, whether they are electronic, whether they are physical or physical records. There's nothing new here.
Page 69 PREV PAGE TOP OF DOC
Ms. WATERS. It is something new——
Ms. PARSKY. The same notice provisions apply.
Ms. WATERS. Well, let me just stop you again. As I understand it, under those circumstances, you have a limited period of time by which you can engage in the so-called search or investigation. I may be wrong. But this could go on forever and ever and ever; is that correct? Is that a difference?
Ms. PARSKY. There's nothing in the PATRIOT Act that changes the length of time that it may take for an investigation to be carried through. That's dictated by the facts of the case. But there are—I mean there are very significant cases. There are child pornography cases. There are places where we have rescued children from their molesters because of the very critical modernizations that were provided through the PATRIOT Act.
Ms. WATERS. Yeah. But, I'm not talking about that. What I'm talking about is this: you access my telephone messages. You use them in any way that you want to, not just for terrorism, but like you said, it's meant to apply to, you know, cases in the same manner that prior to the PATRIOT Act. You can do anything you want with that information. You can share it. You can give it to anybody you want to give it to, and you can continue to access that information for as long as you want to without having to report to a court or anything. Is that what you're telling me?
Ms. PARSKY. No. That's not correct at all. What happens is the exact same standards apply whether it is a wire communication, an electronic communication or a physical record. You still need to go to a court to get a court order, a search warrant. You still need to provide notice with that search warrant to the same extent——
Page 70 PREV PAGE TOP OF DOC
Ms. WATERS. And that's good for how long? Thirty days?
Ms. PARSKY. Which? The search warrant?
Ms. WATERS. Yes.
Ms. PARSKY. The search warrant has to be served within 10 days, and then you obtain the evidence that is stored.
Ms. WATERS. And how long can you look for the evidence?
Ms. PARSKY. The search gives you access for that one period of time to go and collect the stored records within the scope of the search warrant. So you are limited by the terms of the search warrant to a particular scope. You are limited to the investigation that you are carrying on, and there are other protections that are built into our system so, in fact, you cannot go and do whatever you want with it or disclose it to whomever you want. There are Privacy Act implications. And you're——
Ms. WATERS. What if you go to a provider, looking for information, and for whatever reasons, however they store that information, however they categorize that information, it's not easily found. You have to—they have to do a number of things to access the information, and how long can that go on? Do they have to give you the information in 10 days, 15 days, 30 days? Or can you work with them to get you that information over the next year?
Page 71 PREV PAGE TOP OF DOC
Ms. PARSKY. Well, if it's a search warrant, you go in and you obtain the information. If it's a subpoena, then there is a return date on the subpoena, and by the return date, they need to return to the grand jury the records that have been requested.
Ms. WATERS. I'm talking about search warrant now I guess. I'm talking about search warrant.
Ms. PARSKY. In the search warrant, we go in and we obtain it ourselves. We don't give them a certain amount of time to provide it to us, because then we risk that they would destroy the records.
Mr. DEMPSEY. Yeah, actually, Congresswoman, if I may say just on that one point with the service provider: actually Congress changed the law recently to allow the service of warrants by fax. So they are faxed into the service provider without the presence of an officer there.
I think really what we're looking at here is sort of a confluence of three different things. One is the specific provisions of the PATRIOT Act that we're talking about today, relatively narrow changes. But I've been trying to say that they interface with other changes in technology that need to be addressed.
Third, they also interface with other provisions of the PATRIOT Act, for example, section 203, which was the subject of a hearing the other day, so that in terms of what can be done with this information, it's not only limited any longer to law enforcement uses. It can be disclosed if it constitutes information about foreign affairs. It can be disclosed to national security, military, protective, immigration or intelligence agencies.
Page 72 PREV PAGE TOP OF DOC
Mr. COBLE. Well, the Gentlelady's time has expired. We can continue this in the second round.
We'll start our second round now.
The courts have long recognized that providers of communications services possess a fundamental right to take reasonable measures to protect themselves and their properties against the illegal acts of trespassers. Now, I don't mean this to sound as subjective as it's going to sound, but who has the reasonable expectation of privacy under section 217? The owner of the computer or the criminal or terrorist hacking into the computer? Start with you, Ms. Parsky.
Ms. PARSKY. Thank you. You raise a very important point, and I think particularly when we're talking about privacy rights here, and when we're focusing on the provisions of the PATRIOT Act that are subject to pre-authorization. Section 217 is a critical provision to protect privacy. It's a critical provision to protect the privacy not only of the service provider whose property is being unlawfully accessed. That's what the hacker trespasser is doing. But, you know, we are living in a time when there are all sorts of computer hacking incidents that are subjecting consumers and individuals to the potential for identity theft. So that to the extent that you have this hacker then accessing the individual account holder's information and providing very private information to others to conduct criminal activity, this is allowing law enforcement to protect those privacy rights of the consumers.
Mr. COBLE. Which was vague prior to the act?
Page 73 PREV PAGE TOP OF DOC
Ms. PARSKY. That's correct.
Mr. COBLE. Let me hear from the rest of the panelists.
Ms. MARTINEZ. Congressman, if I can follow up on that. Again, in working—the FBI works very hard to garner good relationships with e-commerce businesses so that we can get the information we need to go at cyber crime, and there are some incentives and disincentives for them to do it.
One of the things that I think we're starting to agree upon is that e-commerce businesses have a responsibility to protect the—both their intellectual property, but also the vast amount of personal information that they might store in the course of their normal business.
Again, this expands their ability to be a responsible corporate citizen, to get information to us that might allow us to act quickly to stop an attack that might very well expose hundreds of thousands, millions of personal records. So again, anything we do that would reduce our ability, especially the timeliness of our ability, to address those types of situations when a consenting party comes to us and makes us aware of a problem, I think would be—would go against being able to protect privacy of citizens in general
Mr. COBLE. Thank you, sir. Mr. Dempsey?
Mr. DEMPSEY. Mr. Chairman, I agree with Mr. Martinez. But the question is what if they're wrong? What if the system operator is wrong and points the finger at the wrong person? What if law enforcement comes in and acts over broadly? I'm saying respond to the emergency, recognize the seriousness of the computer crime, but build some checks and balances in that gives some redress when a mistake is made.
Page 74 PREV PAGE TOP OF DOC
Mr. COBLE. Professor?
Mr. SWIRE. Thank you. It's the expectations of privacy of all those phone users, e-mail users, credit card people. That's where the ordinary citizen's privacy is at stake. And right now, if the Government looks through those, either by mistake or because they want to look through those, they can take that information. They can use it in future investigations. They can use it in court. And the statutory suppression rule that this Committee has previously passed addresses that so that you have a rule that says they should follow the law and not be over broad in their searches.
Mr. COBLE. Ms. Parsky, your facial response tells me you want to weigh in again, and you may.
Ms. PARSKY. Thank you. Well, one thing to make clear is that this isn't just about an emergency. This is the equivalent of a normal consent situation. And there are numerous, you know, vast arrays of examples where in a physical world, there is a citizen or a company that provides law enforcement with a tip, and we need our citizens to bring crimes to our attention. They don't always pan out. There is always the potential that there will be access to information about individuals who don't end up having criminal culpability.
Mr. COBLE. I thank you for that.
Ms. PARSKY. Thank you.
Page 75 PREV PAGE TOP OF DOC
Mr. COBLE. Let me beat the red light by putting another question to Mr. Dempsey.
Mr. Dempsey, in your written testimony, you stated that section 220 of the USA PATRIOT Act makes obvious sense. Elaborate in some detail on that if you will.
Mr. DEMPSEY. Well, I think we do have nationwide communication systems and for a crime in California the evidence may be—the electronic evidence may be stored in Virginia.
It is appropriate I think for a judge in California to issue that warrant to be served in Virginia, to send the evidence back to California where the locus of the investigation is. My only concern is that a little bit tips the balance in the other direction, and if the service provider gets a warrant that looks over broad, that looks burdensome, that may sweep too broadly or it may be unclear, the person in California issuing the warrant may not have understood the computer network of the person in Virginia.
The person in Virginia, they want to do the right thing. But they also want to be careful. They should have the opportunity to go to a judge in Virginia or in California, but certainly in Virginia where they are and say we want to cooperate. We will give it over, but we—it should be focused a little bit more.
Mr. COBLE. I got you. I thank you. My time has expired. The Gentleman from Virginia.
Page 76 PREV PAGE TOP OF DOC
Mr. SCOTT. Thank you, Mr. Chairman. We keep talking about how you're going to use the information as the kind of violation of privacy that you actually use it. Some of us may think that just looking at, because we're not talking about robots. We're talking about somebody who could be your neighbors and people are kind of thinking terrorism. Let's kind of think mental health records and medical records that people—that your neighbors may be looking at if they happen to work for the FBI. And when you think of it in that nature, I mean sometimes you don't want people looking at your medical records and your mental health records, and your private communications with your friends, colleagues, or spouse. You may not want the—your neighbors to know that you're having marital problems and all that kind of stuff. So just the idea that you get to look at it, I mean. And then after you get to sharing it all—and we're not even getting into that—but some people are going to be looking at your very private communications. And you don't know going in what's going to pop out of that e-mail.
Ms. MARTINEZ. If I may address that very example, I think health records is a good one. There have been intrusions into medical facilities and health records have been compromised. In working a computer intrusion investigation, it would be very important for us to determine what type of data was targeted. And it may very well be that we determine that very specific health records of very specific individuals were targeted. But without us being able to do the investigation and drill to that level of detail we wouldn't know and that would impede our ability to work that case back to identify——
Mr. SCOTT. You don't know—you don't know when you start reading your—I mean it—doesn't the e-mail from me to my doctor or from a person to his priest doesn't start off by saying personal information enclosed. Caution. Warrant required. You just start reading and start tripping over all this information that could affect—it could be your neighbor. You know you didn't know that about your neighbor.
Page 77 PREV PAGE TOP OF DOC
Mr. SWIRE. Congressman, can I—one of the things that the Government's position has been if the record is stored, then you're pretty much out of luck. You're under much less luck than you used to be. Once it's stored, there's no constitutional protections—reasonable expectation to privacy—you've handed that over to a third party. Once it's stored, you're under the Stored Communications Act at best. You're not getting wiretap protections anymore.
So they're saying once these things get stored——
Mr. SCOTT. And you can do it by subpoena. You don't even need a search warrant? Is that right?
Mr. SWIRE. It depends on the time, and they have different things, but a lot of times you can do it through a grand jury subpoena, through this 2703(d) order, or you can do it through a search warrant. The Government gets to choose.
Mr. SCOTT. Now, we keep talking about these delayed notices. If you trip over this embarrassing information about your neighbor and don't use it and don't notify anybody, there are, in fact, no sanctions if you're not going to use the information; is that right?
Ms. PARSKY. Well, if I may, I think one important thing to keep in mind here, particularly when we're talking about section 217 is that we're talking about, number one, the fact that when you have these communications that are going on on a service provider's network, there is already the ability for the service provider to monitor those communications. So regardless of whether law enforcement is involved, you have the service provider monitoring. But in section 217, we're talking about the additional situation where these private records, whether they be, you know, medical records or personal notes to a neighbor, those are being also accessed by a trespasser.
Page 78 PREV PAGE TOP OF DOC
So the additional insertion of law enforcement into that calculus actually adds more protections because law enforcement——
Mr. SCOTT. But you're kind of getting over broad——
Ms. PARSKY. —is subject to other restrictions that criminals are not.
Mr. SCOTT. Do you need a trespasser to trigger all of these search warrants and subpoenas?
Ms. PARSKY. Section 217 is specific to hacker trespassers and that is where the system—the system provider—the service provider can—they have the ability to monitor the communications. They can provide the consent to law enforcement to assist them in protecting their own property.
Mr. SCOTT. So if AOL is listening into—is reading all of my e-mails, then they can invite law enforcement to look over their shoulder as they look at my e-mails?
Ms. PARSKY. Rather than their collecting it and providing it to law enforcement afterwards, when law enforcement doesn't have the ability to help protect them and to help solve the crime.
Page 79 PREV PAGE TOP OF DOC
Mr. SCOTT. If AOL has a privacy agreement with me, then they can't do that.
Ms. PARSKY. That's correct. That's a contractual matter.
Mr. SWIRE. AOL can read your e-mail only for the purpose of protecting their service or their rights or for purposes of protecting the security of their system. But I think we've sort of shifted over a little bit—mushed up 209 and 217. Two seventeen is limited to trespasser cases. 209, the warrant or subpoena access, is for all investigations. And I think though one of the issues you were getting at with the question of the medical records, et cetera, the real-time interception cases have almost a two-layered protection. You get the warrant, which has the particularity required by the fourth amendment giving the Government the right to get into somebody's communications stream.
The law imposes what is almost an extra protection, which is the minimization requirement, which says that you can only record specifically what is incriminating. There is no real minimization requirement on the stored records side. The minimization requirement is in title III, not on the Stored Records Act.
So one you're in there and particularly because you don't know what you're getting until you actually open it. You don't know whether it's relevant or not until you actually look at it. The Government I think does acquire a lot of information in a stored capacity, bring it back, sit there, open it, go through it, and at that point there, they are looking at and they have in their possession a lot of material that turns out to be extraneous.
Page 80 PREV PAGE TOP OF DOC
Mr. SCOTT. Mr. Chairman, let me just say that one of the problems after you get in there and start reading and reading if you do not use the—if you don't want to use the material, there is not requirement—there's no sanction for continuing to read.
Mr. DEMPSEY. Not really.
Mr. SCOTT. With a requirement of a warrant going in, you don't know what you're going to get so if you mess up, if you break into somebody's house and get—find the drugs, you can't use the drugs under the exclusionary rules. So you have no incentive to break in.
Under this, with this delayed notice and all that, if you find some goodies, you can find the notice. But if you don't find anything, there is no sanctions.
Mr. DEMPSEY. Right.
Mr. COBLE. Well, the Gentleman's time has expired. Ms. Parsky, you and Mr. Martinez want to weigh in before I recognize the Gentleman from Massachusetts?
Ms. PARSKY. I think we both want to make a couple of brief comments. I thank you very much.
Mr. COBLE. And briefly if you can because we've got to move along.
Page 81 PREV PAGE TOP OF DOC
Ms. PARSKY. Very briefly. But the one thing that I think is important to understand is that if you have a search warrant, there is very specific requirement that it be relevant to criminal activity and that there be a defined scope for that search warrant. So you don't go in and you're able to inspect or search or seize anything you want. You go in within the scope of the search warrant and there is the ability for someone to challenge whether, in fact, you stayed within the scope.
Mr. SCOTT. Yes, but that doesn't apply to a subpoena?
Ms. PARSKY. But that applies to a search warrant whether it's for physical records or electronic records and to the same extent that you might have a search warrant to search physical files and you may have to open up the file to see if what's in there is within the scope of your search warrant, the same applies to the electronic world. I think Mr. Martinez.
Mr. MARTINEZ. And I think to follow up on that. Again, I'll make the analogy with the physical seizure of health records. You may, in the course of an investigation, try to determine if there are victims that are part of the health organization's records, and you may see some information about someone's very, very personal health profile. Again, if it doesn't go the specific violation that I'm trying to prove or determine elements of, I don't know that I would have a positive requirement to then go back and tell everyone whose record I looked at that I set aside because it wasn't pertinent to my investigation that I looked at your health record.
Page 82 PREV PAGE TOP OF DOC
We'd go on to the next one and aggregate evidence and move on from there.
Mr. SWIRE. May I have one sentence just to follow? Under new technology, we're storing lots and lots more things than we used to. That may mean the laws about stored records deserves some reexamination.
Mr. COBLE. The Gentleman's time has expired. The Gentleman from Massachusetts, Mr. Delahunt.
Mr. DELAHUNT. Yeah. I think that goes to—you know, and I appreciate the distinctions obviously between electronic records and physical records.
But people understand a physical record. As I indicated earlier, there's a lot of us that really can't put our—we don't grasp the extent of and the volume of electronic records. That's where the unease of the American people are in terms of their privacy.
And I think that was the debate and the discussion, that's what we have to remember, and we have to—if we're going to—and I think we should. Okay. If we're going to give law enforcement the updated means to conduct investigations, at some time we have to do this in a way that's thoughtful enough to balance the concerns that Americans have about privacy. And the best we can do is, you know, in my judgment, is transparency and notification. If we do that, even though it's burdensome, it doesn't impede the investigation.
You know, Mr. Martinez, I mean everything that's done post the investigation by virtue of that definition doesn't impede the Government from, you know, fulfilling its role in terms of protecting the American people or, you know, enhancing public safety. I mean that's what I'm suggesting here.
Page 83 PREV PAGE TOP OF DOC
Mr. MARTINEZ. Well, I want to make one point about the emerging new technologies. I think as we look at technologies emerge, we have to be very careful to determine whether that technology is really unique. Does it really present a set of circumstances that did not exist before or that hasn't been analyzed and very, very carefully thought through before, because—just because it is a new technology, it doesn't necessarily mean that there isn't already an existing paradigm in the law to handle it.
So I wouldn't want to make the assumption—you know, when we transition from an analog telephone to cellular telephone—you know, we still had conversations going over it.
Now, there were a lot of implications to that. The technology was indeed different, but I think much of the circumstance was similar to what existed before.
Mr. DELAHUNT. But it's the speed.
Ms. PARSKY. Well, I think as an important——
Mr. DELAHUNT. The problem you have in terms of the transmission, the communication itself is so quick and so instantaneous, you need to be upgraded. Okay. And I think what we have to do is look at concomitant ways to again ensure that those privacy rights and—if there's anything about the American people and in terms of the essence of our democracy it's the right to privacy. If you don't have privacy, that's the beginning in my judgment of totalitarianism. Okay.
Page 84 PREV PAGE TOP OF DOC
And that's why Americans emphasize so much this checks and balances issue and this transparency. And that I think is the framework, the mind set that should come to this. Before my time runs out, what I'm going to do is adopt the questions that were presented by Prof. Swire as mine. And I'm asking you, and I'm going to put this on you, Ms. Parsky, to respond to those questions in writing. In the past, under other Attorneys General, I've made those requests. Somehow it gets lost in the black hole. But this is a new Attorney General, a new Administration. I would hope that those questions, which are now Delahunt's questions, okay, would be responded to and, you know, please would you direct the answers to those questions to me? I'll give Mr. Coble and Mr. Scott—you can Cc: them. Right? But I think they're good questions, because I think they go to the clarify—I think really what some of this is about is clarification.
Ms. PARSKY. If I may just briefly respond quickly or follow up on what Mr. Martinez said. I think that it's important to recognize that there are still laws that we can apply to these new and complicated technologies. And as Professor Swire says, yes, with, you know, Internet protocol and with packets of information, it may be easier to store information. That doesn't mean that it's authorized to store information. So even if a network administrator may be able to store it, the same rules still apply in terms of what kind of contractual relationship, what kind of consent those working under that network administrator have entered into and that have——
Mr. DELAHUNT. And I understand that, and I'm sympathetic, and I understand that.
You know, I think what we hear from Mr. Scott in terms of his concerns about mental health records. I think we need to explain, you know, the concept of minimization and what it means whether we're intercepting a telephone conversation and how the concept of minimization in terms of review of records applies to electronic records.
Page 85 PREV PAGE TOP OF DOC
Mr. DEMPSEY. Congressman, I think that one of the things you mentioned was speed and volume. And it goes to Representative Scott's questions. Well, I remember a couple of years ago, FBI Director Freeh was testifying in support of his budget request and talking about how the FBI needed more money to process the data that they were collecting, and he cited one case——
Mr. DELAHUNT. Well, didn't he get a new computer for that?
Mr. DEMPSEY. Well, different issue. Different issue, Congressman.
One case the FBI seized enough electronic information that if it were printed out, it would have filled the Library of Congress one and one half times over. That was FBI Director Freeh's testimony. That was the volume of stored records that were available to them in that one investigation.
Mr. COBLE. The Gentleman's time has expired. The Gentlelady from California, Ms. Waters.
Ms. WATERS. Thank you very much, Mr. Chairman. First, I'd like to ask unanimous consent to enter my statement into the record.
Mr. COBLE. Without objection.
Page 86 PREV PAGE TOP OF DOC
Ms. WATERS. And secondly, I think the discussion was going in a direction that I have great interest. I think that we all have a very special need to believe that we have control over our lives, and it is very disconcerting to think about people having access to every tidbit of information about your life because they are able to store your telephone conversations, your e-mail messages, and on and on and on. It's just pretty overwhelming.
And so I think we certainly need to understand the new technology and who has the ability to store what and for how long. And whether or not, you know, there is certain kind of permission needed in some cases to be able to give that information or share that information.
And I do think that perhaps we need to look at this new body of law relative to this new technology so if nothing more comes out of it then disclosure to the client. We get credit reports. I mean we force credit card companies to give us a report every year to tell us what they're holding and what they're advising people about us.
For our medical records, our doctors have to have written permission from us to give it to somebody, I just think we need to find out what—well, we need to develop this body of law that will help us feel we have some control. I recognize the need for, you know, the criminal justice system to be able to access certain things through warrants and subpoenas, but I do think I have a right to know whether or not my computer or company or my server is holding information and what form it's in, and how long it's held. Some of those things I think are just very basic to being able to have some kind of contractual relationship with those who are holding significant information about you.
Page 87 PREV PAGE TOP OF DOC
I think I would feel better if I just had disclosure, because I understand that the technology works in different ways and we don't know what technology is being used by what companies. Then I may have a right to choose a particular company because they don't keep certain information or they discard information after a certain period of time. So I think we should——
Mr. COBLE. Would the Gentlelady suspend for a moment?
Ms. WATERS. Yes.
Mr. COBLE. Reverting to Mr. Delahunt's suggestion, the record will remain open for 7 days folks so we can have exchange and this will be ongoing. This is not the day of finality on this matter by any means.
Ms. WATERS. So I—let me ask, Mr. Delahunt, when you referred to Mr. Swire's questions, I don't know what those were, but are they included in——
Mr. DELAHUNT. They are an appendix to his testimony.
Ms. WATERS. Do they relate to the concerns that I——
Mr. DELAHUNT. Some of them do.
Ms. WATERS. Just, and if I may, I have a few more seconds left here, Mr. Swire. Could you comment on what I tried to communicate just a few moments ago about possible disclosure or having some choices in the selection of companies that I deal with, et cetera, et cetera.
Page 88 PREV PAGE TOP OF DOC
Mr. SWIRE. I have two comments. One is when it comes to stored records, this Committee in the fall of 2000, in H.R. 5018, passed I think unanimously or almost unanimously a number of provisions about stored records, and there's a Committee report about that. So that might be a place to look where Republicans and Democrats worked together that year.
On disclosure, that comes up to issues of should every company have privacy policies they communicate out there. We do have most companies with privacy policies. There's no Federal laws that say they have to do that, and a lot of companies have over time watered those down in the last three or 4 years because they don't want to be constrained if they feel like using data later. And I think if you look at those privacy policies in general they're less detailed and less full today than they were 3 or 4 years ago, and that might be something for people to look at also.
Ms. WATERS. Well, that's a good idea. Let me just say based on some of the recently developed laws, we are supposed to be given an opportunity to opt-in or opt-out——
Mr. SWIRE. Yes.
Ms. WATERS. —on information that's shared about us. But I don't think it gets to the stored information at all. I'll go back and take a look at that.
Mr. SWIRE. For your medical data and financial data, the stored records at the bank or the hospital, those are subject to some of those choices the Congress put into law.
Page 89 PREV PAGE TOP OF DOC
Mr. DEMPSEY. Although in every case, those provisions have law enforcement and intelligence exceptions.
Ms. WATERS. Oh.
Mr. SCOTT. What do you mean by an exception?
Mr. DEMPSEY. That basically it doesn't matter what the privacy policy says. When the Government comes in with whatever compulsory process is permitted, whether it's a warrant, a subpoena or a court order, the privacy policy evaporates.
Ms. WATERS. But if I got disclosure, if I understand what it is you are storing, and, you know, how you do this, how much information you hold on to for what periods of time, I may have some options about whether or not I want to deal with you or I may want to handle my business in a different way. For example, let me just tell you here in the Congress of the United States, you know, people keep in their computers, you know, all of the daily calls. They keep telephone numbers. They keep everything. Well, you know, some people may want to decide I don't want that in the computer for whatever reasons. I want to use some old systems. And I knew and understood, which I'm going to ask now, what is being stored for how long in the systems that we use, then I may, you know, make some different decisions.
Mr. COBLE. The Gentlelady's time has expired. We have the Lady from Texas has just joined us. We will include, professor, your questions in our post-hearing letter. And that can be addressed then.
Page 90 PREV PAGE TOP OF DOC
The Gentlelady from Texas is recognized for 5 minutes.
Ms. JACKSON LEE OF TEXAS. Thank you very much, Mr. Chairman. To the panelists, thank you. We are at the same time in a Homeland Security mark up and so I thank you for your testimony and apologize for my tardiness in this hearing.
But let me just take the opportunity. This hearing deals with certain sections of the PATRIOT Act for reauthorization that are not necessarily that controversial. But I am going to take this opportunity to press some points that may be somewhat more global.
And that is that the idea of the PATRIOT Act, of course, was to ensure safety or to correct some of the ailments that many thought could cure the tragedy that we faced on 9/11. Some of the weaknesses as we moved into cyber security and technology. We just passed a bill in Homeland Security to establish an Assistant Secretary in the Homeland Security Department for Cyber Security. Again, the whole issue of integration if you will to provide more security for the Nation.
I raise the question, however, as an opponent of the PATRIOT Act and a huge skeptic of the reauthorization of any of the sections, meaning that I want close scrutiny is where we are in 2005. Some will say that the aviation industry is not that much safer. Questions are being raised about our security personnel as we—our screeners. It's certainly out of the jurisdiction of this Committee, but I think the main question is whether we have been made safer by downsizing on some of our civil liberties and the ability, of course, for unreasonable search and seizure.
Page 91 PREV PAGE TOP OF DOC
I think my colleague from California made the point that now vastness is a vast wasteland dealing with e-mail and I believe that we have lost the touch of writing the written letter, if you will. And so cyber security has become our means of communication. I am concerned with even the minimal, if you will elimination or impacting on the use of e-mails and the privacy of individuals and the intrusion by law enforcement entities on the basis of homeland security or national security.
So I'm going to start with Mr. Swire in terms of putting you on the immediate hot seat for this global question that I've asked and that is are we safer and is the—are we necessarily having to do this—having to reenact these provisions on the PATRIOT Act to ensure that safety?
Mr. SWIRE. That feels pretty hot. Are we overall safer? There was certainly some provisions of the PATRIOT Act that I supported when I was in the Clinton Administration and that were sensible updating to take account of new technology.
I think that when I think of safer and downsizing civil liberties, the one point I stress is that the current law seems to be once the record is stored, once it's held at the ISP or the bank or something like that, you've lost all your constitutional protections of reasonable expectation to privacy. I think that hasn't been fully understood by a lot of people; that those stored records that we've heard so much about today, once they're out there, the constitutional protections are gone. That means Congress is the only place that writes those privacy rules.
Page 92 PREV PAGE TOP OF DOC
And so this Committee and the rest of the Congress has to think about if the courts aren't going to do it, what's the Congress going to do to right the law so that we have safety and civil liberties going forward.
Mr. DEMPSEY. Congresswoman, we are safer, but not safe. Progress has been made, but still a lot more needs to be done.
On the question of cyber security, I think that clearly the PATRIOT Act focuses almost exclusively on after the fact prosecutorial efforts. Clearly, a lot more needs to be done on building secure systems.
But I think finally the question of civil liberties is I believe, and I think there should be pretty wide agreement. If you look at the 9/11 Commission Report, if you look at the Gilmore Commission Reports, the Markle Task Force, what we should be seeking here is not a trade-off, not a surrender of some civil liberties in order to purchase some security, not a trade-off, but a balance. But a little bit here I hear the Justice Department saying give us more power to deal with new technology, but don't adjust the privacy protections to deal more—with the new technology. The technology is changing. We need to change the laws in ways that make it easier for the Government, and there's some validity to that. But don't change the law in ways that would improve the checks and balances. And I think we need those checks and balances. I think they do not hurt us.
Our rights are not what is wrong with our counter terrorism approach. We need these checks and balances. They can be effective with all the authorities we've talked about today.
Page 93 PREV PAGE TOP OF DOC
Ms. JACKSON LEE OF TEXAS. And this is a very strong point that you made, Mr. Chairman. I think—I hope the halls of this—or the walls of this Committee room have heard Mr. Dempsey and Mr. Swire and not to ignore Mr. Martinez and Ms. Parsky. I'm sure that I'll be able to read your testimony, but my point is the importance of privacy and balancing our national security.
I yield back.
Mr. COBLE. I thank the lady. Mr. Martinez, Mr. Dempsey referred to DOJ, either one of you want to respond to that?
Ms. PARSKY. Well, I appreciate the opportunity, and I would like to just respond briefly that the Justice Department's position is that we should be able to bring our law enforcement tools up to speed with modern technology, while preserving all the checks and balances and the constitutional protections and other protections that are built into our criminal procedures. And all we are looking to do is apply those exact same checks and balances protections of privacy to the modern world.
Mr. COBLE. Well, this——
Mr. SCOTT. Mr. Chairman? Can I ask——
Mr. COBLE. Yes.
Page 94 PREV PAGE TOP OF DOC
Mr. SCOTT. —one. There's one point I——
Mr. COBLE. I will. But I say to my friend from Virginia——
Mr. SCOTT. It will be quick.
Mr. COBLE. Well, if you can, 'cause I got 50 constituents who are waiting on me for about 10 minutes now. So, Mr. Scott.
Mr. SCOTT. Well, if AOL doesn't care about my privacy, what—and they give anybody—they give Government permission, where does it say—am I without safeguards, is that what I understand?
Mr. SWIRE. That's section 217. If AOL invites the Government in, and the Government is supposed to only look at the hackers, but they look at everyone else, right now they get to use all that evidence in court and in future investigations.
Mr. SCOTT. Or look at it, because the question, the point was made that if you're in the doctor's office, you can look at the file. You don't know what's going to be in it when you open it up, but you know what file you're looking at. You're not—you didn't have—you're not in the doctor's office looking at all the files.
Thank you, Mr. Chairman.
Page 95 PREV PAGE TOP OF DOC
Mr. COBLE. I thank the Gentleman, and I thank the panelists. This has been a very worthwhile hearing it seems to me. As I said before, the record will remain open for 7 days, and I again thank the witnesses for your testimony. The Subcommittee very much appreciates this.
In order to ensure full record and adequate consideration of this important issue, the record will be left open for additional submissions for 7 days. Also any written questions that a Member wants to submit should be submitted within that same 7-day timeframe. This concludes the oversight hearing on the ''Implementation of the USA PATRIOT Act: Crime, Terrorism and the Age of Technology.''
Thank you for your cooperation and your attendance, and as well as those in the audience and the Subcommittee stands adjourned.
[Whereupon, at 11:49 a.m., the Subcommittee was adjourned.]
A P P E N D I X
Material Submitted for the Hearing Record
PREPARED STATEMENT OF THE HONORABLE ROBERT C. SCOTT, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF VIRGINIA, AND RANKING MEMBER, SUBCOMMITTEE ON CRIME, TERRORISM, AND HOMELAND SECURITY
Thank you, Mr. Chairman, for scheduling this hearing on USA PATRIOT Act provisions to investigate and prosecute crimes through the use of electronic evidence. Section 209 of he Act references ''Seizure of Voice Mail Messages Pursuant to Warrant.'' However, that section authorizes access to much more than voice mail and authorizes access through ways other warrants, such as by administrative, grand jury and court issued subpoenas, under the appropriate circumstances. And they can be ''sneak and peek,'' whether warrants, court subpoenas or administrative subpoenas. So we are talking about a section that is not only misleading relative to the breadth of the police powers it authorizes, but a title that is also deceptive as to the extraordinary nature of the powers.
Page 96 PREV PAGE TOP OF DOC
Quite frankly, Mr. Chairman, the more I review the extent of the powers we have extended to law enforcement through provisions such section 209, the more I am pleased with our decision to provide for a sunset on some of these powers in order that we may review in earnest what we have done, and so that the law enforcement authorities who get access to our private information pursuant to these powers, is aware we will be reviewing them. This is a section whose original purpose was to protect our electronic data against intrusion. When I see the ''mack truck'' hole we carved out of that purpose for law enforcement access, and the limitations on traditional methods of holding law enforcement accountability such as prior notice with right to quash, and oversight of a court through return reports to the court within a certain number of days, the more I am convinced that sunset review in this area is absolutely essential to our oversight responsibilities to the public. And this is especially true in the areas of electronics and general technology, given the growing impact of technology on our society. I have the same concerns about Section 217, which allows an ISP to give law enforcement wide latitude to look at private electronic communications without court oversight or review. Its one thing to call law enforcement to look at a trespass that is occurring; its another thing to call in law enforcement to look o see if there is anything suspicious going on, prior to a trespass occurring. And while I can understand the efficiency and exigency arguments for a nationwide search warrant authority in the arena of electronic communications, I am also concerned with the sufficiency of the notice and, right to challenge and oversight of such warrants.
For law enforcement, the good news in what I am saying is that I think these powers should be available in appropriate circumstances, so I am not calling for sunsetting them. However, for the public's protection of their privacy as well as their safety, I am saying that we need to look more precisely our notice, oversight and reporting requirements for these powers, and make appropriate adjustments. We should also continue this kind of oversight through sunsets, where we have to periodically look at the use of these powers in an arena of evolving technologies, and where law enforcement is aware that the use of these powers will need to be scrutinized and justified. So, Mr. Chairman, I look forward to the testimony of our witnesses on how we might best do that, and to working with you on implementing their recommendations. Thank you.
Page 97 PREV PAGE TOP OF DOC
PREPARED STATEMENT OF THE HONORABLE MAXINE WATERS, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF CALIFORNIA
Mr. Chairman, sections 209, 217, and 220 of the Patriot Act, violate Americans' privacy rights and civil liberties and should not be renewed. None of these sections are limited in their application—they can be used for any kind of criminal investigation that the DOJ sees fit, and are not limited to terrorism.
Mr. Chairman, section 209, the ''Seizure of Voicemail Messages Pursuant to Warrants'' of the Patriot Act allows law enforcement agencies, in some circumstances, depending on the amount of time the messages have been stored, to seize American citizens' stored voicemail messages without a search warrant or subpoena. Section 209 also is not subject to the exclusionary rule. Therefore, if law enforcement illegally seizes an American citizen's voicemail messages, the illegally seized voicemails still can be used as evidence against a person in court. Since section 209 has no notice requirement, the citizen would not even know she was the subject of surveillance, until she is brought to court.
Mr. Chairman, even if law enforcement gains access to an American citizen's voicemail in adherence to section 209, there are no limitations as to how the information will be used or publicized. This power far overreaches into the constitutionally guaranteed right to privacy.
Mr. Chairman, section 217, or the ''Interception of Computer Trespasser Communications'' section, is just as harmful as section 209. Under section 217, if a computer service provider claims that an individual is ''trespassing'' on its network, law enforcement is free to intercept that individual's private communications without permission from a judge. This section fails to address the question of, who qualifies as a ''trespasser.''
Page 98 PREV PAGE TOP OF DOC
Mr. Chairman, the DOJ would like Americans to believe this section is limited to computer hackers. However, section 217 never specifically describes a ''computer trespasser'' as a computer hacker. The definition given is ''a person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy, in any communication transmitted to...the protected computer.'' This definition leaves open several definitions as to what constitutes a ''computer trespasser.''
Mr. Chairman, this vague definition is dangerous because there is no judicial oversight or notice requirement in section 217. Therefore, this section, like many other Patriot Act provisions, allows law enforcement to freely and secretly spy on Americans, with no checks or supervision from a judge to make sure this power is not abused. Section 217 places all power within the hands of law enforcement and the system owner or operator.
Mr. Chairman, section 220, or the ''Nationwide Service of Search Warrants for Electronic Evidence'' section, amends the Federal Rules of Criminal Procedure to expand the jurisdictional authority of a court to authorize search warrants outside of the court's judicial district in a criminal investigation. This section allows law enforcement to pick and choose which court it can ask for a search warrant. This leaves open the possibility that law enforcement agents can ''shop'' for judges that have demonstrated a strong bias toward law enforcement with regard to search warrants, using only those judges least likely to say no—even if the warrant does not satisfy the strict requirements of the Fourth Amendment of the Constitution. This section also has no notice requirement.
Mr. Chairman, only local judges and courts should be allowed to grant warrants for investigations falling within their jurisdictions. Judicial oversight is only effective if the presiding judge is within the jurisdiction where the search and/or investigations are taking place. Local judicial oversight is a key check against unreasonable searches and seizures. Also, Americans have the right to due process and should be notified if they, or their property, are the subject of a search warrant or criminal investigation, even if the notice is issued after the search or investigation has commenced.
Page 99 PREV PAGE TOP OF DOC
Mr. Chairman, absent a clear demonstration from law enforcement that these new surveillance powers are necessary, sections 209, 217, and 220 should be allowed to expire. These sections of the Patriot Act threaten the basic constitutional rights of millions of Americans.
I yield back the balance of my time.
SUBMISSION BY PETER SWIRE ENTITLED ''THE SYSTEM OF FOREIGN INTELLIGENCE SURVEILLANCE LAW''
PPS0001.eps
PPS0002.eps
PPS0003.eps
PPS0004.eps
PPS0005.eps
PPS0006.eps
PPS0007.eps
PPS0008.eps
Page 100 PREV PAGE TOP OF DOC
PPS0009.eps
PPS0010.eps
PPS0011.eps
PPS0012.eps
PPS0013.eps
PPS0014.eps
PPS0015.eps
PPS0016.eps
PPS0017.eps
PPS0018.eps
PPS0019.eps
PPS0020.eps
Page 101 PREV PAGE TOP OF DOC
PPS0021.eps
PPS0022.eps
PPS0023.eps
PPS0024.eps
PPS0025.eps
PPS0026.eps
PPS0027.eps
PPS0028.eps
PPS0029.eps
PPS0030.eps
PPS0031.eps
PPS0032.eps
PPS0033.eps
Page 102 PREV PAGE TOP OF DOC
PPS0034.eps
PPS0035.eps
PPS0036.eps
PPS0037.eps
PPS0038.eps
PPS0039.eps
PPS0040.eps
PPS0041.eps
PPS0042.eps
PPS0043.eps
PPS0044.eps
PPS0045.eps
Page 103 PREV PAGE TOP OF DOC
PPS0046.eps
PPS0047.eps
PPS0048.eps
PPS0049.eps
PPS0050.eps
PPS0051.eps
PPS0052.eps
PPS0053.eps
PPS0054.eps
PPS0055.eps
PPS0056.eps
PPS0057.eps
PPS0058.eps
Page 104 PREV PAGE TOP OF DOC
PPS0059.eps
PPS0060.eps
PPS0061.eps
PPS0062.eps
PPS0063.eps
PPS0064.eps
PPS0065.eps
PPS0066.eps
PPS0067.eps
PPS0068.eps
PPS0069.eps
PPS0070.eps
Page 105 PREV PAGE TOP OF DOC
PPS0071.eps
PPS0072.eps
PPS0073.eps
PPS0074.eps
PPS0075.eps
PPS0076.eps
PPS0077.eps
PPS0078.eps
PPS0079.eps
PPS0080.eps
PPS0081.eps
PPS0082.eps
PPS0083.eps
Page 106 PREV PAGE TOP OF DOC
PPS0084.eps
PPS0085.eps
PPS0086.eps
PPS0087.eps
PPS0088.eps
PPS0089.eps
PPS0090.eps
PPS0091.eps
PPS0092.eps
PPS0093.eps
PPS0094.eps
PPS0095.eps
Page 107 PREV PAGE TOP OF DOC
PPS0096.eps
PPS0097.eps
PPS0098.eps
PPS0099.eps
PPS0100.eps
PPS0101.eps
PPS0102.eps
PPS0103.eps