SPEAKERS CONTENTS INSERTS Tables
Page 1 TOP OF DOC
67–305
2000
FOURTH AMENDMENT ISSUES RAISED BY THE FBI'S ''CARNIVORE'' PROGRAM
HEARING
BEFORE THE
SUBCOMMITTEE ON THE CONSTITUTION
OF THE
COMMITTEE ON THE JUDICIARY
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
JULY 24, 2000
Serial No. 137
Printed for the use of the Committee on the Judiciary
Page 2 PREV PAGE TOP OF DOC
For sale by the U.S. Government Printing Office
Superintendent of Documents, Congressional Sales Office, Washington, DC 20402
COMMITTEE ON THE JUDICIARY
HENRY J. HYDE, Illinois, Chairman
F. JAMES SENSENBRENNER, Jr., Wisconsin
BILL McCOLLUM, Florida
GEORGE W. GEKAS, Pennsylvania
HOWARD COBLE, North Carolina
LAMAR S. SMITH, Texas
ELTON GALLEGLY, California
CHARLES T. CANADY, Florida
BOB GOODLATTE, Virginia
STEVE CHABOT, Ohio
BOB BARR, Georgia
WILLIAM L. JENKINS, Tennessee
ASA HUTCHINSON, Arkansas
EDWARD A. PEASE, Indiana
CHRIS CANNON, Utah
JAMES E. ROGAN, California
LINDSEY O. GRAHAM, South Carolina
MARY BONO, California
SPENCER BACHUS, Alabama
JOE SCARBOROUGH, Florida
DAVID VITTER, Louisiana
Page 3 PREV PAGE TOP OF DOC
JOHN CONYERS, Jr., Michigan
BARNEY FRANK, Massachusetts
HOWARD L. BERMAN, California
RICK BOUCHER, Virginia
JERROLD NADLER, New York
ROBERT C. SCOTT, Virginia
MELVIN L. WATT, North Carolina
ZOE LOFGREN, California
SHEILA JACKSON LEE, Texas
MAXINE WATERS, California
MARTIN T. MEEHAN, Massachusetts
WILLIAM D. DELAHUNT, Massachusetts
ROBERT WEXLER, Florida
STEVEN R. ROTHMAN, New Jersey
TAMMY BALDWIN, Wisconsin
ANTHONY D. WEINER, New York
THOMAS E. MOONEY, SR., General Counsel-Chief of Staff
JULIAN EPSTEIN, Minority Chief Counsel and Staff Director
Subcommittee on the Constitution
CHARLES T. CANADY, Florida, Chairman
HENRY J. HYDE, Illinois
ASA HUTCHINSON, Arkansas
Page 4 PREV PAGE TOP OF DOC
SPENCER BACHUS, Alabama
BOB GOODLATTE, Virginia
BOB BARR, Georgia
WILLIAM L. JENKINS, Tennessee
LINDSEY O. GRAHAM, South Carolina
MELVIN L. WATT, North Carolina
MAXINE WATERS, California
BARNEY FRANK, Massachusetts
JOHN CONYERS, Jr., Michigan
JERROLD NADLER, New York
CATHLEEN CLEAVER, Chief Counsel
BRADLEY S. CLANTON, Counsel
JONATHAN A. VOGEL, Counsel
PAUL B. TAYLOR, Counsel
C O N T E N T S
HEARING DATE
July 24, 2000
OPENING STATEMENT
Canady, Hon. Charles T., a Representative in Congress From the State of Florida, and chairman, Subcommittee on the Constitution
Page 5 PREV PAGE TOP OF DOC
WITNESSES
Baker, Stewart, attorney, Steptoe & Johnson
Blaze, Matt, research scientist
Corn-Revere, Robert, attorney, Hogan & Hartson
Davidson, Alan, staff counsel, the Center for Democracy and Technology
DiGregory, Kevin V., Deputy Associate Attorney General, Department of Justice
Kerr, Donald M., Director, Lab Division, Federal Bureau of Investigation
Parkinson, Larry R., General Counsel, Federal Bureau of Investigation
Perrine, Tom, principal investigator, Pacific Institute for Computer Security
Sachs, Peter William, ICONN, L.L.C.
Steinhardt, Barry, associate director, American Civil Liberties Union
Page 6 PREV PAGE TOP OF DOC
LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING
Blaze, Matt, research scientist: Prepared statement
Corn-Revere, Robert, attorney, Hogan & Hartson: Prepared statement
Davidson, Alan, staff counsel, the Center for Democracy and Technology: Prepared statement
DiGregory, Kevin V., Deputy Associate Attorney General, Department of Justice: Prepared statement
Kerr, Donald M., Director, Lab Division, Federal Bureau of Investigation: Prepared statement
Perrine, Tom, principal investigator, Pacific Institute for Computer Security: Prepared statement
Sachs, Peter William, ICONN, L.L.C.: Prepared statement
Steinhardt, Barry, associate director, American Civil Liberties Union: Prepared statement
APPENDIX
Material submitted for the record
Page 7 PREV PAGE TOP OF DOC
FOURTH AMENDMENT ISSUES RAISED BY THE FBI'S ''CARNIVORE'' PROGRAM
MONDAY, JULY 24, 2000
House of Representatives,
Subcommittee on the Constitution,
Committee on the Judiciary,
Washington, DC.
The subcommittee met, pursuant to call, at 1 p.m., in Room 2141, Rayburn House Office Building, Hon. Charles Canady [chairman of the subcommittee] presiding.
Present: Representatives Charles T. Canady, Henry J. Hyde, Asa Hutchinson, Spencer Bachus, Bob Barr, William L. Jenkins, Melvin L. Watt, John Conyers, Jr. and Jerrold Nadler.
Staff Present: Jonathan A. Vogel, counsel; Paul B. Taylor, counsel; Susana Gutierrez, clerk; Anthony Foxx, minority counsel; and Perry Apelbaum, minority general counsel, Committee on the Judiciary.
OPENING STATEMENT OF CHAIRMAN CANADY
Mr. CANADY. The subcommittee will be in order. It is probably going to be necessary for the staff to close the doors. Otherwise, we will have noise from the hallway.
Page 8 PREV PAGE TOP OF DOC
In recent years, with the growth of the Internet, the FBI has encountered an increasing number of criminal investigations in which criminal subjects have used the Internet to communicate with each other or their victims. Because the FBI believes many Internet Service Providers lack the ability to discriminate between communications in order to isolate the specific types of information that may be authorized to be gathered under a court order, the FBI has designed and developed a program called ''Carnivore'' which enables the FBI to isolate, intercept and collect communications that are the subject of lawful orders.
The first news of Carnivore came in April during testimony before the Subcommittee on the Constitution by attorney Robert Corn-Revere, who represented an Internet Service Provider that tried to resist attaching the Carnivore program to its network.
It has also been reported that one of the Nation's largest Internet Service Providers, EarthLink, Inc., has refused to install Carnivore on its network because attaching the program in the past caused its remote access servers to crash, eliminating service to customers. Other ISPs have stated publicly that they would challenge an order to attach Carnivore to their networks. While these industry officials have expressed willingness to cooperate with law enforcement to comply with legitimate court orders, they are concerned about the effects attaching Carnivore to their networks will have on the security of their infrastructure and the privacy of their customers.
At a press conference on July 12, Attorney General Reno stated that she does not want Carnivore ''to be a tool that is, in any way, a cause of concern for privacy interests.'' Today's hearing provides Federal law enforcement the opportunity to address those privacy concerns that have been raised.
Page 9 PREV PAGE TOP OF DOC
More broadly, Carnivore raises the question as to whether or not existing statutes protecting citizens from ''unreasonable searches and seizures'' under the fourth amendment appropriately balance the concerns of law enforcement and privacy. Law enforcement is concerned that the information needed to keep the public safe remains available. Individual citizens are concerned that a sufficient degree of privacy and the integrity of personal information be maintained in an age of modern communications and information storage where information that may have traditionally been kept in a file cabinet at home is now electronically stored by a third party in cyberspace. The hearing today will address this balance of interests.
As we consider the use of Carnivore, it is important that our deliberations be based on facts and not on unsupported suspicions and irrational fears. At the same time, we should be sensitive to any potential for abuse of the Carnivore system. Even a system designed with the best of intentions to legally carry out essential law enforcement functions may be a cause for concern if its use is not properly monitored.
I look forward to hearing from all of our witnesses today.
I now recognize Mr. Watt.
Mr. WATT. Thank you, Mr. Chairman.
I confess that up until about 10 days to 2 weeks ago, I had paid very little attention to this whole Carnivore project, and at about that point I started to get inquiring telephones calls from the media and press about what I knew about Carnivore. I don't know much more about it today, and that is why I want to start by praising the Chair of the subcommittee for convening this hearing, because I agree with the Chair that whatever information we have and however we proceed as a committee and as a Congress needs to be based on the facts.
Page 10 PREV PAGE TOP OF DOC
So I try to bring to this hearing a level of open-mindedness to try to understand the facts and try to figure out with as much of an open mind as I can what disposition, if any, may be required by Congress, what legislative steps may be warranted.
I suppose I would be less than honest if I didn't say that I have had for quite a while a generalized concern about the government's ability to invade the privacy of its citizens. There seems to me to be a growing level of generalized concern about Big Brotherisms I suspect is being fed by the increasing electronic world.
When the fourth amendment was passed and put into the Constitution, there was at least a feeling that, if the government came to do a search, it at least had to bring a warrant and present it to you or come and kick in your door; and, in some of our communities, we have always had probably an exaggerated fear of whether the latter was likely to occur than the former; and it is probably from that perspective that I have always had this kind of generalized concern.
But, notwithstanding that, I will make every effort I can to try to be objective and impartial about this issue; and I think those general comments point up the context in which we are operating and point up the importance of having such a hearing as this.
From my perspective, it is good to see a number of people who, as long as the unwarranted searches and wiretaps and invasions or potential invasions were being visited on parts of the community that they weren't necessarily that interested in protecting anyway—it is great to see some greater exposure and concern being expressed about what our government does and how it does it, and this gives us an opportunity to look into that and evaluate it.
Page 11 PREV PAGE TOP OF DOC
I welcome the opportunity, and I thank the chairman for convening the hearing for that purpose.
Thank you, Mr. Chairman. I yield back.
Mr. CANADY. Thank you, Mr. Watt.
Mr. Hyde.
Mr. HYDE. Thank you, Mr. Chairman.
Very briefly, this is a very important hearing, as attested to by the interest shown with so many people here today. But the tension between the law enforcement forces of our country, symbolized and personified by the Federal Bureau of Investigation, who need access to information if they are to stay on top of terrorists, counterfeiters, drug dealers, and criminals of all sorts, the need for that information comes into tension with the need for the public, for average citizens, to have privacy, which is a very valued commodity. So that tension creates some serious problems that it is the job of legislators to try and solve, and that is what we are going to try and do in this hearing and in succeeding hearings.
So I congratulate you, Mr. Canady, for calling this hearing; and I welcome the statements of our friends, the witnesses from the FBI and others and will follow this with great interest. Nothing could be more important in terms of national security and in protecting constitutional rights. I hope we get a good solution.
Page 12 PREV PAGE TOP OF DOC
Thank you, Mr. Chairman.
Mr. CANADY. Thank you, Mr. Watt.
Mr. Conyers.
Mr. CONYERS. Thank you very much.
Over the past few weeks, the details about this, I hope, misnamed technology has begun to emerge. We all know that it was only a matter of time before law enforcement would develop the ability to conduct the equivalent of wiretaps on the Internet. The news about Carnivore comes at a time when there is growing concern about how many Americans sacrifice their privacy by using it. Not only do Websites get all kinds of information about us when we make purchases on line or even when we just surf the web, but now we learn that the FBI can read our e-mails in the course of a criminal investigation.
So where I come from in the beginning on this is that, are we minimizing the interception of nonincriminating communications of a target of a wiretap order or are we maximizing the law enforcement access to the communication of nontargets? I think this is a very important question that has to be resolved. It is not at all clear that law enforcement should use authority under the pen register statute to access a variety of data, and it is not clear that law enforcement should install a super trap to get the information that they think they need.
Now, the Internet, as it takes its place alongside the telephone and ''snail mail'' as a central means of communication, illegal activities are migrating there as well; and within constitutional boundaries law enforcement needs tools to be able to intercept unlawful communications by those who will use the Internet for illegal conduct in the hope that they can conspire without leaving fingerprints or footprints. At the same time, Carnivore—and I said I wasn't going to say that word—at the same time, this system that we are looking at today must not bite off more than it can chew when it comes to FBI's electronic surveillance activities.
Page 13 PREV PAGE TOP OF DOC
Constitutional rights do not end where cyberspace begins. In many ways, today's hearing is not a new story. The potential for law enforcement to overstep constitutional boundaries for electronic surveillance on a new stage goes way back to the 1970's when the Church Committee investigated the FBI's use of electronic surveillance against Dr. Martin Luther King, Jr. The committee then recognized that technological developments in this century have rendered most private conversations of Americans vulnerable to interception and monitoring by government agents.
So now, in this new century, the Church Committee's conclusion is as timely as ever. So, should we now be comfortable with a ''trust us, we are the government approach''? I don't think anybody on the committee has this view, and I hope the hearing marks the beginnings of a careful examination of how the FBI's technology fits within the existing laws and the new technology.
I hope this hearing will put to rest our fears about this system. Maybe they are unfounded. Maybe it is unclear, and we will need some legislative guidance for our law enforcement. Does it give the FBI the ability to conduct indiscriminate searches of an individual's e-mail activity beyond what a court order would allow? Does it gives the FBI the ability to search more than is permitted under the agency's pen register and trap and trace authority? And why does the FBI need to put this system's terminals on site at Internet Service Providers, rather than letting the ISP turn over the information the FBI needs, much in the same way that the telephone company does?
These are the questions I am looking forward to having some resolution on, and I am happy we are here inquiring into this matter.
Page 14 PREV PAGE TOP OF DOC
Mr. Chairman, I ask that the statement of another member, Congresswoman Zoe Lofgren, be included in these opening remarks.
Mr. CANADY. Without objection, it will be included in the record.
Mr. CONYERS. Thank you.
Mr. CANADY. The gentleman from Arkansas is now recognized for 5 minutes.
Mr. HUTCHINSON. Thank you, Mr. Chairman. I, likewise, express my appreciation for your leadership on scheduling this hearing. I want to make a couple of brief comments.
First of all, I want to extend my appreciation to the FBI and the Department of Justice for the way they have been open about this new technology. It is my understanding that you have allowed the media to review it, you have provided demonstrations of this, and I think this is exactly the type of approach that we need to have when we are looking into a new arena of your legitimate need for surveillance of suspects.
I think the more the public knows, the more the Congress knows and the more light that is shed, then the better judgments that will be rendered. I do believe that the FBI has engaged Carnivore as a minimization tool to limit the review of third-party documents or content as well as that of the suspect's. But I think that there are some legitimate questions that need to be asked.
Page 15 PREV PAGE TOP OF DOC
One, is this new technique properly monitored? We are entering, again, into an arena that I did not have when I was United States Attorney back in the 1980's. We had title IIIs, we had court approval, we had pen registers, but this is a totally new environment, and I think that the FBI has to step gingerly. Obviously the law enforcement community have a responsibility to engage in legitimate law enforcement activities in terms of surveillance. But who monitors this?
Another way to phrase the question is, who reviews and controls the appetite of Carnivore? I think that that is really what the purpose of this hearing is, and as we go into the new arena of privacy I think we all have to recognize how complex this is.
For that reason, I want to finally mention that there is a privacy commission bill that I have sponsored with Congressman Jim Moran of Virginia, a bipartisan bill that has moved out of the Government Reform Committee. It should be coming up on the House Floor. But this privacy commission legislation would set up a commission for the first time in 25 years to review our privacy laws. When we had our last privacy commission, we didn't have the Internet, and yet they still called it Privacy in the Information Age. So I think it is time that we did review this again, and one of the specific goals and the responsibility of the commission will be to review the activities of law enforcement in terms of privacy and its impact on privacy.
So it is not just commercial, but it is also governmental, it is also law enforcement, a broad-ranging privacy commission. This is one thing that we can look at not in a reactionary fashion but in a studied, thoughtful fashion and set the tone as we enter into the next century.
Page 16 PREV PAGE TOP OF DOC
So, with that, Mr. Chairman, I want to again thank you; and I look forward to the testimony of the witnesses.
Mr. CANADY. Thank you, Mr. Hutchinson.
The gentleman from Alabama is now recognized for 5 minutes.
Mr. BACHUS. I thank the chairman.
I think obviously what we have here is that technology has outrun the law. We have an Internet explosion, and I don't think the law has kept pace with it. I don't think the laws on the books fit very well what we are talking about here today.
I have two concerns that I would express to you. One is that we have a balance between legitimate law enforcement needs and the right of privacy, that we try to maintain that balance, which is a delicate balance.
The second is that we have a balance between our different types of communications. Because if we have certain types of communications where we have the potential to monitor everything that goes through them but we have other types of communications that we are limited in our surveillance, criminals are going to be the first ones to figure out what is their safest mode of communications. And, sooner or later, you will be—if you have restrictions in one type of communications but not a lot of restrictions in another type of communications, the criminals are going to move to the least restricted or the least monitored form of communication. Of course, we have to ask ourselves, what level of monitoring do we, as a country, want to have on private conversations to achieve what level of surveillance?
Page 17 PREV PAGE TOP OF DOC
Let me give you an example. Today—and this is an example sort of, quote, from the old world. But today, coming into this country, Federal Express packages are randomly opened, UPS packages are randomly opened, but U.S. mail is not. I mean, the mail is not opened.
Now, criminals have pretty well figured out that the safest way of mailing something into the United States is not UPS or FedEx or Parcel Post; use the U.S. mail. The same going out. They have adjusted. They found out where the loopholes are. They found out where the least surveillance is, and they have gone with using the U.S. mail to send things, because they are not randomly checked. The criminals are going to figure out sooner or later, I would think, and my question to you is, are they not going to figure it out?
The illustration that you have given us is that you can take a word like bomb and you can search the Internet for ''bomb.'' Well, aren't our criminals—or aren't the terrorists, for instance, aren't they going to very quickly realize not to use the word ''bomb'', or won't they figure out to use the word ''dog'' as opposed to ''bomb''? As opposed to explosive device, won't they come up with some other word? Won't they figure out a way, beyond you using key words, to get around this, and you are basically left sweeping the conversations of law-abiding citizens. How do you get around criminals who are going to adapt to this? They are going to be the first to adapt to learn how to evade this system.
At the same time, my other concern is this: I have heard all sorts of assurances that this won't fall in the wrong hands, that there are safeguards. Well, today there are safeguards on the FBI files. The FBI files, only certain people have access to those files. Only certain people can have possession of those files. Only certain people can look in those files. Yet, a few years ago, we found out that 1,000 of those files were over at the White House. So what assurance do we have that we are not going to have another situation here where we have, like FBI files, that they got out of the restricted area and that people viewed them and perhaps utilized them for things they weren't intended to be?
Page 18 PREV PAGE TOP OF DOC
You have read reports, I am sure, as I have, about IRS agents who pulled people's income tax forms; and they have used them to go up against their wives and their ex-wives on child support matters. Or they have gone up against someone who is dating their girlfriend to try to embarrass them. And there have been all sorts of reports on what IRS agents did with files or what confidential information, which we are all assured would not fall into—would be restricted, where someone used those files within the IRS to their advantage or to embarrass someone else.
So I would simply say that, despite all of the assurances, we know as a practical matter that there are examples just recently of restricted information being used for purposes for which it was not intended. So I would ask, how would this be any different? How is this any different from IRS information which we were told would not be disclosed and has been in any number of cases? How is this any different from FBI files who found themselves being used for political purposes?
Thank you, Mr. Chairman.
Mr. CANADY. Thank you.
We will now move to hearing testimony from our first panel. Our first panel will address the Federal Bureau of Investigation's Carnivore program and its relevance to Federal law enforcement in the digital age.
On this panel, first, we would like to welcome Dr. Donald Kerr. Dr. Kerr is an Assistant Director of the Federal Bureau of Investigation and Director of the FBI's Lab Division which develops surveillance and tactical communications technologies.
Page 19 PREV PAGE TOP OF DOC
Next, we will hear from Larry Parkinson, the General Counsel for the FBI.
Following Mr. Parkinson, it will be Kevin V. DiGregory. Mr. DiGregory is Deputy Associate Attorney General at the Department of Justice, and members of the Justice Department's Computer Crimes Unit report to him.
Mr. DiGregory is joined at the table today by Christopher Painter, the Deputy Chief of the Computer Crime and Intellectual Property Section at the Department of Justice. Mr. Painter will not be making a separate statement but will be at the table with Mr. DiGregory to answer questions.
I want to thank each of you for being with us here today and for patiently listening to our opening statements. I would ask that you do your best to summarize your testimony in 5 minutes or less, although I don't think anyone will insist on strict adherence to the 5-minute rule.
Without objection, your full written statements will be made a part of the permanent record of today's hearing.
Dr. Kerr.
STATEMENT OF DONALD M. KERR, DIRECTOR, LAB DIVISION, FEDERAL BUREAU OF INVESTIGATION
Page 20 PREV PAGE TOP OF DOC
Mr. KERR. Thank you, Mr. Chairman, members of the committee. I am grateful for the opportunity to discuss with you our program for interception, lawful interception, of information on the Internet and data networks.
As you know, the use of computers and the Internet has grown rapidly, and has been paralleled by the exploitation of computers, networks and databases to commit crimes and to harm the safety, security and privacy of others. Criminals use computers to send child pornography to each other using anonymous encrypted communications; hackers break into financial service companies' systems and steal customers' home addresses and credit card numbers; criminals use the Internet's inexpensive and easy communications to commit large scale fraud on victims all over the world; and terrorist bombers plan their strikes using the Internet.
Investigating and deterring such wrongdoing requires tools and techniques designed to work with new and evolving computer and network technologies. The systems employed must strike a reasonable balance between competing interests. The privacy interests of telecommunications users, the business interests of service providers, and the duty of government investigators to protect public safety.
I would like to discuss how the FBI is meeting this challenge in the area of electronic mail interception. In the interest of your time, I have submitted a longer statement and what I will do is try to summarize the high points, particularly addressing some of the questions the subcommittee has raised in opening remarks.
First, moving to how we protect the privacy interests of telecommunications users requires me to talk a little about the Carnivore system, what is it, how it works?
Page 21 PREV PAGE TOP OF DOC
Put very simply, it is very much like what some in the networking industry would call a packet sniffer: that is, something able to pick out those packets using the addressing information of the Internet, and only those packets to which we have been given access. It works by being placed at a service provider's location in order to get a part of the traffic that is passing through that service provider's portal. In every case, we require a court order. That court order is specific to the numbers we can target; if you will, the addresses we can target, and as to whether it is the equivalent of a pen register, trap and trace, or, in fact, full content recovery akin to a title III intercept.
To be very clear on the point, we don't do broad searches or surveillance with this system. That is not authorized by a court order, and in my view, could not be.
The way it works in detail is that once the court order is issued, the system basically has a filter mask, and that filter mask is prepared with an understanding of the court order so that, for example, the Internet protocol addresses that are the legitimate target of the investigation are called out in the court order and set forth in this filter mask. Second, we are able also to sort on the ''to'' and ''from'' line of the e-mail. And maybe the best way to think about that is to think about a piece of standard mail. What it is basically allowing us to do is record the address to which the envelope is being sent and the return address on the outside of the envelope. We are not permitted to read the subject line, and, in fact, do not capture that and record it, because we are not authorized to open the envelope with either a pen register or a trap and trace order. If we have an order that allows us to recover content, we are able to open the envelope, and in this case, what we would then do is capture all of the packets that relate to that e-mail in order to record them on a stable medium, magnetic tape or some other stable medium, or later reassemble them at another location.
Page 22 PREV PAGE TOP OF DOC
It is installed by a Supervisory Special Agent who has training and experience in responding to court orders of this sort, assisted by one of our electronic technicians, and, in every case, by one or more technical people from the Internet Service Provider. I think it is important for you to know that that team of people that reports it, or records it, or puts the system in place is not made up of the case agent leading the investigation. These are technical people, three or more people, and it probably also includes an electronics technician from whichever of our field offices is responsible. We don't look at the text on site until it is recorded and returned, either to a field office or to someone at headquarters. And the installation, to put a picture in your mind, looks very much like a desktop personal computer. It is often bolted into a rack-like or other piece equipment at the Internet Service Provider location, but an important difference is that it has no keyboard, no mouse, and, in fact, it is locked up as far as the enclosure is concerned (where the magnetic media are written), because this in fact is the first step in the evidentiary chain. So it is important that it be locked, and access only provided to the Special Agent who comes on site to collect the lawfully-obtained information and who treats it just like we treat physical evidence, in terms of chain of custody, from there on.
An important further point is that we produce a record for audit of the filter setting and the configuration on each installation. In the first few times that it was used, that was done by the people doing the installation. We have now grown concerned, because of discussions that have been ongoing, that we record that evidence in a way so that it is authenticated, and so we now, in fact, overwrite it with a hashing algorithm, so that if someone tried to rewrite that audit trail, that could be detected. That record of filter settings and configuration, in fact, becomes part of the evidentiary record available to the court and the defense as required.
Page 23 PREV PAGE TOP OF DOC
There are also sanctions for misuse, and no one should forget that. There are both criminal and civil sanctions that cover both title III and Electronic Communications Privacy Act installations. It is a Federal felony, calling for a prison term of up to 5 years, a fine, plus possible recovery of civil damages. So I don't think our technical teams installing these devices are going to risk their jobs, their integrity, and their future by attempting to operate this equipment improperly at the ISP.
Moving on to the method by which we respect the business interests of the service providers, every installation has, in fact, been done in collaboration with the service provider's technical staff. To do it efficiently, we, in fact, only want to intercept the very smallest slice of the relevant traffic. In fact, where the ISP itself is technically capable of performing the intercept (that is, they have the equipment and the personnel, as many of the large ones do, so they can respond to the court order), we are, in fact, very happy for them to do that and simply provide us the information, which is the subject of the court order, and we never do install our equipment. We also in those cases bear some part of the cost of doing that.
ISPs come in all sizes. I think there are various numbers of them estimated in the United States at the present time, but it is upward of 10,000. They are not all large listed companies; some of them are more ''mom'' and ''pop'' operations. They don't have large amounts of equipment and a great deal of technical sophistication. And where the ISP cannot perform in a timely way under the court order, we are then willing to bear the technical and cost burden by installing our system.
Our system is passive on the network. It only receives information through the filter as authorized by the court order, and it emanates no signals and no communications over the network. So we don't believe that it in any way would interfere with the proper functioning of the service provider's equipment delivering e-mail to customers.
Page 24 PREV PAGE TOP OF DOC
Lastly, the equipment is removed immediately upon the expiration of the court order. It does not remain at the Internet Service Provider, nor is there anyone who can get in and make a decision on their own to leave it in place.
Lastly, does it support us in carrying out investigations in our most important cases? We think it is a well-focused capability. It uses some of the very attributes of the Internet, in particular, the Internet protocol addressing capability, the ''to'' and ''from'' lines of the e-mail, in order to restrict our collection to just those who are the targets of the court order. In a sense, it is automatic minimization up front. Not to say there is not minimization after the fact, because when the messages are reassembled back at the field office or at headquarters, if we have, in fact, incorrectly or inadvertently captured information we shouldn't, it is, in fact, deleted at that time. And it is really no different than the minimization that occurs first real-time on a title III wiretap and then subsequently on the recording of that wiretap, to be sure there is nothing there that shouldn't be. It produces evidence with an appropriate first step in the chain of custody. We are trying to maximize the opportunity to properly gather evidence, authenticate it, and be able to testify that we have neither added to, nor subtracted from, nor altered that which we have captured. It is a flexible tool, because it is a combination of software and hardware, and so we can, in fact, adjust it to fit subsequent court orders, and we can move from one case to another with it. We maximize the use of commercial software to reduce risk and cost, and, as I mentioned before, we have used authentication.
Finally, one of the things we are going to do as a consequence of our discussion over the last 18 months with people in industry, staff and Members of Congress, five of the Department of Justice components, a number of U.S. Attorneys—some 15 Federal and State law enforcement agencies, we think it is important to lay to rest this question: Does this thing, in fact, do that which we say it does, and only those things which we say it does? So we are working right now to undertake an independent verification and validation of the software that we use. We are going to do it with academic members of the team as well as industry members, and, by the way, we are not going to contract for those people; they will be selected by the organization that carries this out for us.
Page 25 PREV PAGE TOP OF DOC
But what we are going to do is very akin to what, for example, NASA does with software developed for their launch operations: ask some independent party to verify that the software we have and deploy will, in fact, do those things that we say it will and not provide capabilities that we should not have.
Our year-to-date use of this tool, that is, this present year, the first three-quarters of the fiscal year, we have deployed it some 16 times. It has been used in 6 criminal cases and 10 national security cases. A number of those were simply pen registers and some involved full content. None of those cases have been adjudicated, so we cannot speak to details today, but I think it is probably of interest that it is not a very large number. It is reported in the annual Wiretap Report in that category called ''other,'' so if you are wondering where the number will be found, either now or in the future, that is where it will be.
In summary, I think we have tried to develop a tool, not in advance of policy and precedent, but, in fact, with a great deal of care in understanding the legal authorities under which we are authorized to use this, and to target it precisely and well at those that the court orders.
Thank you very much, Mr. Chairman.
[The prepared statement of Mr. Kerr follows:]
PREPARED STATEMENT OF DONALD M. KERR, DIRECTOR, LAB DIVISION, FEDERAL BUREAU OF INVESTIGATION
Page 26 PREV PAGE TOP OF DOC
Good afternoon, Mr. Chairman, and Members of the Subcommittee. I am grateful for this opportunity to discuss the Internet and data interception capabilities developed by the Federal Bureau of Investigation. The use of computers and the Internet is growing rapidly, paralleled by exploitation of computers, networks, and data bases to commit crimes and to harm the safety, security, and privacy of others. Criminals use computers to send child pornography to each other using anonymous, encrypted communications; hackers break into financial service companies systems and steal customer home addresses and credit card information; criminals use the Internet's inexpensive and easy communications to commit large scale fraud on victims all over the world; and terrorist bombers plan their strikes using the Internet. Investigating and deterring such wrongdoing requires tools and techniques designed to work with new evolving computers and network technologies. The systems employed must strike a reasonable balance between competing interests—the privacy interests of telecommunications users, the business interest of service providers, and the duty of government investigators to protect public safety. I would like to discuss how the FBI is meeting this challenge in the area of electronic mail interception.
Two weeks ago, the Wall Street Journal published an article entitled ''FBI's system to covertly search E-mail raises privacy, legal issues.'' This story was immediately followed by a number of similar reports in the press and other media depicting our Carnivore system as something ominous and raising concerns about the possibility of its potential to snoop, without a court order, into the private E-mails of American citizens. I think that it is important that this topic be discussed openly—and in fact this was the reason we choose to share information about this capability with industry experts several weeks ago. It is critically important as technology, and particularly communications technology, a continues to evolve rapidly, that the public be guaranteed that their government is observing the statutory and constitutional protections which they demand. It is also very important that these discussions be placed into their proper context and that the relevant facts concerning this issue are made clear. I welcome this opportunity to stress that our intercept capabilities are used only after court approval and that they are directed at the most egregious violations of national security and public safety.
Page 27 PREV PAGE TOP OF DOC
The FBI performs interceptions of criminal wire and electronic communications, including Internet communications, under authorities derived from Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (as amended), commonly referred to as ''Title III'', and portions of the Electronic Communications Privacy Act of 1986 (as amended), or ''ECPA''. Such federal government interceptions, with the exception of a rarely used ''emergency'' authority or in cases involving the consent of a participant in the communication, are conducted pursuant to court orders. Under emergency provisions, the Attorney General, the Deputy or the Associate Attorney General may, if authorized, initiate electronic surveillance of wire or electronic communications without a court order, but only if an application for such order is made within 48 hours after the surveillance is initiated.
Federal surveillance laws apply the Fourth Amendment's dictates concerning reasonable searches and seizures , and include a number of additional provisions which ensure that this investigative technique is used judiciously, with deference to the privacy of intercepted subjects and with deference to the privacy of those who are not the subject of the court order.
For example, unlike search warrants for physically searching a house, under Title III, applications for interception of wire and electronic communications require the authorization of a high-level Department of Justice (DOJ) official before the local United State Attorneys offices can make an application to a federal court. Unlike typical search warrants, federal magistrates are not authorized to approve such applications and orders, instead, the applications are veiwed by federal district court judges. Further, interception of communications is limited to certain specified federal felony offenses.
Page 28 PREV PAGE TOP OF DOC
Applications for electronic surveillance must demonstrate probable cause and state with particularity and specificity: the offenses being committed, the telecommunications facility or place from which the subject's communications are to be intercepted, a description of the type of conversations to be intercepted, and the identities of the persons committing the offenses and anticipated to be intercepted. Thus, criminal electronic surveillance laws focus on gathering hard evidence—not intelligence.
Applications must indicate that other normal investigative techniques have been tried and failed to gather evidence of crime, or will not work, or are too dangerous, and must include information concerning any prior electronic surveillance regarding the subject or facility in question. Court orders are initially limited to 30 days, with extensions possible, and must terminate sooner if the objectives are met. Judges may, and usually do, require periodic reports to the court, typically every 7 to 10 days, advising it of the progress of the interception effort. This assures close and on-going oversight of the electronic surveillance by the United States Attorney's office handling the case and frequently by the court as well. Interceptions are required to be conducted in such a way as to ''minimize the interception of communications not otherwise subject to interception'' under the law, such as unrelated, irrelevant, and non-criminal communications of the subjects or others not named in the application.
To ensure the evidentiary integrity of intercepted communications they must be recorded, if possible, on magnetic tape or other devices, so as to protect the recording from editing or other alterations. Immediately upon the expiration of the interception period, these recordings must be presented to the federal district court judge and sealed under his or her directions. The presence of the seal is a prerequisite for their use or disclosure, or for the introduction of evidence derived from the tapes. Applications and orders signed by the judge are also to be sealed by the judge.
Page 29 PREV PAGE TOP OF DOC
Within a reasonable period of time after the termination of the intercept order, including extension, the judge is obligated by law to ensure that the subject of the interception order, and other parties as are deemed appropriate, are furnished an inventory, that includes notice of the order the dates during which the interceptions were carried out, and whetehr or not the communication were intercepted. Upon motion, the jusge may also direct that portion of the contents of the intercepted communication be made available to affected person for their inspection.
Under Title III, any person who was a part to an intercepted communication or was a party against whom an interception was directed may in any trial, hearing, or other proceeding move to suppress the contents of any intercepted communication or any evidence derived therefrom if there are grounds demonstrating that the communication was not lawfully intercepted, the order authorizing or approving the interception was insufficient on its face or the interception was not in conformance with the order.
The illegal, unauthorized conduct of electronic surveillance is a federal criminal offense punishable by imprisonment for up to five years, a fine, or both. In addition, any person whose communications are unlawfully intercepted, disclosed, or used, may recover in a civil action damages, including punitive damages, as well as attorney's fees and other costs against the person or entity engaged in the violation.
The technical assistance of service providers in helping a law enforcement agency execute an electronic surveillance order is always important, and in many cases it is absolutely essential. This is increasingly the case with the advent of advanced communication services and networks such as the Internet. Title III mandates service provider assistance incidental to law enforcement's execution of electronic surveillance orders by specifying that a court order authorizing the interception of communication shall upon the request of the applicant, direct that a telecommunications ''service provider, landlord, custodian, or other person shall furnish the applicant forthwith all information, facilities, and technical assistance necessary to accomplish the interception unobtrusively and with a minimum of interference with the services that such service provider, landlord, custodian, or person is according the person whose communications are to be intercepted. In practice, judges may sign two orders: one order authorizing the law enforcement agency to conduct the electronic surveillance, and a second, abbreviated, assistance order directed to the service provider, specifying, for example, in the case of E-mail, the E-mail account name of the subject that is the object of the order and directing the provision of necessary assistance.
Page 30 PREV PAGE TOP OF DOC
Service providers and their personnel are also subject to the electronic surveillance laws, meaning that unauthorized electronic surveillance of their customers (or anyone else) is forbidden, and criminal and civil liability may be assessed for violations. Not only are unauthorized interceptions proscribed, but so also is the use or disclosure of the contents of communications that have been illegally intercepted. It is for this reason, among others, that service providers typically take great care in providing assistance to law enforcement in carrying out electronic surveillance pursuant to court order. In some instances, service providers opt to provide ''full'' service, essentially carrying out the interception for law enforcement and providing the final interception product, but, in many cases, service providers are inclined only to provide the level of assistance necessary to allow the law enforcement agency to conduct the interception.
In recent years, it has become increasingly common for the FBI to seek, and for judges to issue, orders for Title III interceptions which are much more detailed than older orders which were directed against ''plain old telephone services.'' These detailed order, in order to be successfully implemented, require more sophisticated techniques to ensure that only messages for which there is court authorization to intercept are, in fact, intercepted. The increased detail in court orders responds to two facts.
First, the complexity of modern communications networks, like the Internet, and the complexity of modern users' communications demand better discrimination than older analog communications. For example, Internet users frequently use electronic messaging services, like E-mail, to communicate with other individuals in a manner reminiscent of a telephone call, only with text instead of voice. Such messages are often the targets of court ordered interception. Users also use services, like the world wide web, which looks more like print media than a phone call. Similarly, some Internet services, like streaming video, have more in common with broadcast media like television, than with telephone calls. These types of communications are less commonly the targets of an interception order.
Page 31 PREV PAGE TOP OF DOC
Second, for many Internet services, users share communications channels, addresses, etc. These factors make the interception of messages for which law enforcement has court authorization, to the exclusion of all others, very difficult. Court orders, therefore, increasingly include detailed instructions to preclude the interception of communications that lie outside the scope of the order.
In response to a critical need for tools to implement complex court orders, the FBI developed a number of capabilities including the software program called ''Carnivore.'' Carnivore is a very specialized network analyzer or ''sniffer'' which runs as an application program on a normal personal computer under the Microsoft Windows operating system. It works by ''sniffing'' the proper portions of network packets and copying and storing only those packets which match a finely defined filter set programmed in conformity with the court order. This filter set can be extremely complex, and this provides the FBI with an ability to collect transmissions which comply with pen register court orders, trap & trace court orders, Title III interception orders, etc.
It is important to distinguish now what is meant by ''sniffing.'' The problem of discriminating between users' messages on the Internet is a complex one. However, this is exactly what Carnivore does. It does NOT search through the contents of every message and collect those that contain certain key words like ''bomb'' or ''drugs.'' It selects messages based on criteria expressly set out in the court order, for example, messages transmitted to or from a particular account or to or from a particular user. If the device is placed at some point on the network where it cannot discriminate messages as set out in the court order, it simply lets all such messages pass by unrecorded.
Page 32 PREV PAGE TOP OF DOC
One might ask, ''why use Carnivore at all?'' In many instances, ISPs, particularly the larger ones, maintain capabilities which allow them to comply, or partially comply with lawful orders. For example, many ISPs have the capability to ''clone'' or intercept, when lawfully ordered to do so, E-mail to and from specified user accounts. In such cases, these abilities are satisfactory and allow full compliance with a court order. However, in most cases, ISPs do not have such capabilities or cannot employ them in a secure manner. Also, most systems devised by service providers or purchased ''off the shelf'' lack the ability to properly discriminate between messages in a fashion that complies with the court order. Also, many court orders go beyond E-mail, specifying other protocols to be intercepted such as instant messaging. In these cases, a cloned mailbox is not sufficient to comply with the order of the court.
Now, I think it is important that you understand how Carnivore is used in practice. First, there is the issue of scale. Carnivore is a small-scale device intended for use only when and where it is needed. In fact, each Carnivore device is maintained at the FBI Laboratory in Quantico until it is actually needed in an active case. It is then deployed to satisfy the needs of a single case or court order, and afterwards, upon expiration of the order, the device is removed and returned to Quantico.
The second issue is one of network interference. Carnivore is safe to operate on IP networks. It is connected as a passive collection device and does not have any ability to transmit anything onto the network. In fact, we go to great lengths to ensure that our system is satisfactorily isolated from the network to which it is attached. Also, Carnivore is only attached to the network after consultation with, and with the agreement of, technical personnel from the ISP.
Page 33 PREV PAGE TOP OF DOC
This, in fact, raises the third issue—that of ISP cooperation. To date, Carnivore has, to my knowledge, never been installed onto an ISP's network without assistance from the ISP's technical personnel. The Internet is a highly complex and heterogeneous environment in which to conduct such operations, and I can assure you that without the technical knowledge of the ISP's personnel, it would be very difficult, and in some instances impossible, for law enforcement agencies to successfully implement, and comply with the strict language, of an interception order. The FBI also depends upon the ISP personnel to understand the protocols and architecture of their particular networks.
Another primary consideration for using the Carnivore system is data integrity. As you know, Rule 901 of the Federal Rules of Evidence requires that authentication of evidence as a precondition for its admissibility. The use of the Carnivore system by the FBI to intercept and store communications provides for an undisturbed chain of custody by providing a witness who can testify to the retrieval of the evidence and the process by which it was recorded. Performance is another key reason for preferring this system to commercial sniffers. Unlike commercial software sniffers, Carnivore is designed to intercept and record the selected communications comprehensively, without ''dropped packets.''
In conclusion, I would like to say that over the last five years or more, we have witnessed a continuing steady growth in instances of computer-related crimes, including traditional crimes and terrorist activities which have been planned or carried out, in part, using the Internet. The ability of the law enforcement community to effectively investigate and prevent these crimes is, in part, dependent upon our ability to lawfully collect vital evidence of wrongdoing. As the Internet becomes more complex, so do the challenges placed on us to keep pace. We could not do so without the continued cooperation of our industry partners and innovations such as the Carnivore software. I want to stress that the FBI does not conduct interceptions, install and operate pen registers, or use trap & trace devices, without lawful authorization from a court.
Page 34 PREV PAGE TOP OF DOC
I look forward to working with the Subcommittee staff to provide more information and welcome your suggestions on this important issue. I will be happy to answer any questions that you may have. Thank you.
Mr. CANADY. Thank you very much.
Mr. Parkinson.
STATEMENT OF LARRY R. PARKINSON, GENERAL COUNSEL, FEDERAL BUREAU OF INVESTIGATION
Mr. PARKINSON. Thank you, Mr. Chairman. I do not have a prepared statement. I will be very brief.
I want to echo, first of all, what Dr. Kerr said. Despite its unfortunate name, this is a tool that is very surgical, and I think Representative Hutchinson had it right, that this really is a minimization tool. I will leave the technical aspects to Dr. Kerr.
What I am here primarily to emphasize, and I am delighted to be here and answer any questions that the committee may have, is to emphasize that the FBI and the Department of Justice have a true commitment to the rule of law.
I want to respond just briefly to the notion that we have deployed this system without controls or without proper authorization. That is simply not the case. We are also not saying, simply trust us, we are the government. I think we are not naive. We have had enough situations in the course of our history to know that that is not enough. We have significant oversight, both within the Bureau, within the Department of Justice, and most importantly, within the judicial branch that overseas the deployment of this device and any other surveillance device. In addition to that, we obviously have vigorous and appropriate congressional oversight.
Page 35 PREV PAGE TOP OF DOC
So that is why I am here. I am happy to answer questions. I just want to emphasize to you and to the American people that this is a tool that is deployed rarely, and it is never deployed without a court order, and we do not deploy it in a way that exceeds the court order. It is very discriminating, and I hope that this gives us the opportunity to explore that and give some comfort to the committee, as well as to the American people.
Thank you very much, Mr. Chairman.
Mr. CANADY. Thank you, Mr. Parkinson.
Mr. DiGregory.
STATEMENT OF KEVIN V. DIGREGORY, DEPUTY ASSOCIATE ATTORNEY GENERAL, DEPARTMENT OF JUSTICE
Mr. DIGREGORY. Thank you, Mr. Chairman.
Mr. Chairman and members of the subcommittee, thank you again for allowing me this opportunity to testify about the law enforcement tool Carnivore and the fourth amendment. We have seen, as Dr. Kerr has noted, magnificent growth of the Internet over the last 10 years and it has created vast benefits for our citizens, for businesses and for governments. It seems to hold boundless promise if we can harness it. The Internet has spurred a new and thriving economy. Many businesses have prospered by providing their products and services through the Internet. Others have assisted in building, maintaining and improving the Internet itself. The Internet has given people jobs, supported families and communities and created new opportunities for commerce for America and for the world. The Internet has touched both our working lives and our family lives.
Page 36 PREV PAGE TOP OF DOC
As we have seen throughout history, however, there are those who would use powerful tools of progress to inflict harm upon others. The Internet has not escaped, unfortunately, this historical truth.
Even in the Internet's relatively short existence, we have seen a wide range of criminal use of this technology. It has been used to commit traditional crimes against an ever-widening number of victims. There are also those criminals intent on attacking and disrupting computers, computer networks and the Internet itself. In short, although the Internet provides unparalleled opportunities for Americans to freely express ideas, it also provides a very effective means for ill-motivated persons to breach the privacy and security of others.
Many of the crimes that we confront every day in the physical world are beginning to appear in the on-line world. Crimes like threats, extortion, fraud, identity theft and child pornography are migrating to the Internet. The fourth amendment and laws addressing privacy and public safety serve as a framework for law enforcement to respond to this new forum for criminal activity. If law enforcement fails properly to respect individual privacy in its investigative techniques, the public's confidence in government will be eroded, evidence will be suppressed, and criminals will elude successful prosecution.
If law enforcement is too timid in responding to cybercrime, however, we will, in effect, render cyberspace a safe haven for criminals and terrorists to communicate and carry out crime, without fear of authorized government surveillance. If we fail to make the Internet safe, people's confidence in using the Internet and e-commerce will decline, endangering the very benefits brought about by the information age. Proper balance, Mr. Chairman, is the key.
Page 37 PREV PAGE TOP OF DOC
Now, despite the fervor over Carnivore, the truth of the matter is that Carnivore is, in reality, a tool that helps us achieve this balance. To satisfy our obligations to the public to enforce the laws and preserve public safety, we use the same sorts of investigative techniques and methods on-line as we do in the physical world, with the same careful attention to the strict constitutional and legal limits that are imposed upon us.
Carnivore is simply an investigative tool that helps us to investigate on-line in the same way as in the physical world, and enables us to obtain only the information we are authorized to obtain through a court order.
To illustrate, law enforcement often needs to find out from whom a drug dealer, for instance, is buying his illegal product or to whom the drug dealer is selling his goods. It is, therefore, important to determine with whom the drug dealer is communicating. In the olden days of perhaps 10 years ago, the drug dealer would have communicated with his supplier and customers exclusively through the use of telephones and pagers, law enforcement would obtain an order from a court authorizing the installation of a trap and trace and a pen register device on the drug dealer's phone or pager. Now, that same drug dealer or kidnapper or a child pornographer may be just as likely to send an e-mail as to call his confederates in today's world.
When law enforcement uses a trap and trace or a pen register in the on-line context, however, we have found that, at times, the Internet Service Provider has been unable or, even unwilling, to supply this information. It is for that narrow set of circumstances that the FBI designed Carnivore.
Page 38 PREV PAGE TOP OF DOC
Law enforcement cannot abdicate its responsibility to protect public safety simply because technology has changed. Rather, the public rightfully expects that law enforcement will continue to be effective as criminal activity migrates to the Internet. We cannot do this without tools like Carnivore. Carnivore is, in essence, a special filtering tool that can gather the information authorized by a court order and only that information. It permits law enforcement, for example, to gather, pursuant to an order, only the e-mail addresses of those persons with whom the drug dealer is communicating, without allowing any human being either from law enforcement or the service provider to view private information outside the scope of the court order.
In other words, as I understand it, Carnivore is a minimization tool that permits law enforcement to comply with court orders to protect privacy and to enforce the law to protect the public interest.
In addition, as Dr. Kerr has noted, Carnivore creates an audit trail that demonstrates exactly what it is capturing.
As with many other investigative tools, there are many mechanisms we have in place to prevent possible misuse of Carnivore. The fourth amendment and the courts, of course, restrict what law enforcement can do on-line with or without Carnivore, as do the statutory requirements of title III and the Electronic Communication Privacy Act. In the case of Federal title III application, the Department of Justice imposes its own guidelines on top of the privacy protections provided by the Constitution, statutes, and the courts.
For example, before Carnivore may be used to intercept wire or electronic communications, with the limited exception of digital display pagers, the requesting investigative agency must obtain approval for the title III application from the Department of Justice. Specifically, in the Department of Justice, the Office of Enforcement Operations in the Criminal Division reviews each proposed title III wiretap application for content to ensure that that interception of content satisfies the fourth amendment requirements and is in compliance with applicable statutes and regulations. If the proposal clears the Office of Enforcement Operations, approval must generally be given by a Deputy Assistant Attorney General in the Criminal Division. Typically, investigative agencies such as the FBI have similar but separate internal requirements.
Page 39 PREV PAGE TOP OF DOC
If the investigative agency and the Department of Justice approve a title III request, it still must, of course, be approved by the proper court using familiar, but exacting standards. By statute and internal regulation, the interception may last no longer than 30 days without an extension by the court, and courts also often impose their own additional requirements. In addition, remedies for violating title III or the Electronic Communication Privacy Act by improperly intercepting electronic communications include criminal and civil sanctions. For violations of the fourth amendment of course the remedy of suppression is also available.
Despite this panoply of protections, we recognize that concerns remain about this tool, and as Dr. Kerr has noted, the Attorney General has asked tore an independent review of the Carnivore source code to ensure that its capabilities are what we understand them to be. A report generated from the review will be publicly disseminated to interest groups within industry, academia and elsewhere, and should alleviate any concerns regarding unjustified intrusions on privacy from the use of this tool.
Mr. Chairman, my testimony today necessarily highlights a few of the more significant aspects of the balance between privacy and security that the Department believes must be struck. The Department of Justice has provided the committee with my full written statement, and it is my sincere hope and expectation that through this and other fora, those of us who are concerned about privacy and public safety will recognize that responsible law enforcement can enhance both goals. Mr. Painter and I are available to try to answer any of your questions, along with the rest of the panel.
Page 40 PREV PAGE TOP OF DOC
Thank you, Mr. Chairman.
[The prepared statement of Mr. DiGregory follows:]
PREPARED STATEMENT OF KEVIN V. DIGREGORY, DEPUTY ASSOCIATE ATTORNEY GENERAL, DEPARTMENT OF JUSTICE
Mr. Chairman and Members of the Subcommittee, thank you for allowing me this opportunity to testify about the law enforcement tool ''Carnivore'' and the Fourth Amendment. On April 6, 2000, I had the privilege of testifying before you during a hearing on Internet privacy and the Fourth Amendment; I am pleased to continue to participate in the discussion today about ''Carnivore'' and its role in protecting individual privacy on the Internet from unwarranted governmental intrusion, and about the critical role the Department plays to ensure that the Internet is a safe and secure place.
PRIVACY AND PUBLIC SAFETY
It is beyond dispute that the Fourth Amendment protects the rights of Americans while they work and play on the Internet just as it does in the physical world. The goal is a long-honored and noble one: to preserve our privacy while protecting the safety of our citizens. Our founding fathers recognized that in order for our democratic society to remain safe and our liberty intact, law enforcement must have the ability to investigate, apprehend and prosecute people for criminal conduct. At the same time, however, our founding fathers held in disdain the government's disregard and abuse of privacy in England. The founders of this nation adopted the Fourth Amendment to address the tension that can at times arise between privacy and public safety. Under the Fourth Amendment, the government must demonstrate probable cause before obtaining a warrant for a search, arrest, or other significant intrusion on privacy.
Page 41 PREV PAGE TOP OF DOC
Congress and the courts have also recognized that lesser intrusions on privacy should be permitted under a less exacting threshold. The Electronic Communications Privacy Act (''ECPA'') establishes a three-tier system by which the government can obtain stored information from electronic communication service providers. In general, the government needs a search warrant to obtain the content of unretrieved communications (like e-mail), a court order to obtain transactional records, and a subpoena to obtain information identifying the subscriber. See 18 U.S.C. §2701–11.
In addition, in order to obtain source and destination information in real time, the government must obtain a ''trap and trace'' or ''pen register'' court order authorizing the recording of such information. See 18 U.S.C. 3121, et seq.
Because of the privacy values it protects, the wiretap statute, 18 U.S.C. §2510–22, commonly known as Title III, places a higher burden on the real-time interception of oral, wire and electronic communications than the Fourth Amendment requires. In the absence of a statutory exception, the government needs a court order to wiretap communications. To obtain such an order, the government must show that normal investigative techniques for obtaining the information have or are likely to fail or are too dangerous, and that any interception will be conducted so as to ensure that the intrusion is minimized.
The safeguards for privacy represented by the Fourth Amendment and statutory restrictions on government access to information do not prevent effective law enforcement. Instead, they provide boundaries for law enforcement, clarifying what is acceptable evidence gathering and what is not. At the same time, those who care deeply about protecting individual privacy must also acknowledge that law enforcement has a critical role to play in preserving privacy. When law enforcement investigates, successfully apprehends and prosecutes a criminal who has stolen a citizen's personal information from a computer system, for example, law enforcement is undeniably working to protect privacy and deter further privacy violations. The same is true when law enforcement apprehends a hacker who compromised the financial records of a bank customer.
Page 42 PREV PAGE TOP OF DOC
As we move into the 21st century, we must ensure that the needs of privacy and public safety remain in balance and are appropriately reflected in the new and emerging technologies that are changing the face of communications. Although the primary mission of the Department of Justice is law enforcement, Attorney General Reno and the entire Department understand and share the legitimate concerns of all Americans with regard to personal privacy. The Department has been and will remain committed to protecting the privacy rights of individuals. We look forward to working with Congress and other concerned individuals to address these important matters in the months ahead.
LAW ENFORCEMENT TOOLS IN CYBERSPACE:
Although the Fourth Amendment is over two centuries old, the Internet as we know it is still in its infancy. The huge advances in the past ten years have changed forever the landscape of society, not just in America, but worldwide. The Internet has resulted in new and exciting ways for people to communicate, transfer information, engage in commerce, and expand their educational opportunities. These are but a few of the wonderful benefits of this rapidly changing technology. As has been the case with every major technological advance in our history, however, we are seeing individuals and groups use this technology to commit criminal acts. As Deputy Attorney General Eric Holder told the Crime Subcommittee of this Committee in February, our vulnerability to computer crime is astonishingly high and threatens not only our financial well-being and our privacy, but also this nation's critical infrastructure.
Many of the crimes that we confront everyday in the physical world are beginning to appear in the online world. Crimes like threats, extortion, fraud, identity theft, and child pornography are migrating to the Internet. The Fourth Amendment and laws addressing privacy and public safety serve as a framework for law enforcement to respond to this new forum for criminal activity. If law enforcement fails properly to respect individual privacy in its investigative techniques, the public's confidence in government will be eroded, evidence will be suppressed, and criminals will elude successful prosecution. If law enforcement is too timid in responding to cybercrime, however, we will, in effect, render cyberspace a safe haven for criminals and terrorists to communicate and carry out crime, without fear of authorized government surveillance. If we fail to make the Internet safe, people's confidence in using the Internet and e-commerce will decline, endangering the very benefits brought by the Information Age. Proper balance is the key.
Page 43 PREV PAGE TOP OF DOC
To satisfy our obligations to the public to enforce the laws and preserve the safety, we use the same sorts of investigative techniques and methods online as we do in the physical world, with the same careful attention to the strict constitutional, statutory, internal and court-ordered boundaries. Carnivore is simply an investigative tool that is used online only under narrowly defined circumstances, and only when authorized by law, to meet our responsibilities to the public.
To illustrate, law enforcement often needs to find out from whom a drug dealer, for instance, is buying his illegal products, or to whom the drug dealer is selling. To investigate this, it is helpful to determine who is communicating with the drug dealer. In the ''olden days'' of perhaps 10 years ago, the drug dealer would have communicated with his supplier and customers exclusively through use of telephones and pagers. Law enforcement would obtain an order from a court authorizing the installation of a ''trap and trace'' and a ''pen register'' device on the drug dealer's phone or pager, and either the telephone company or law enforcement would have installed these devices to comply with the court's order. Thereafter, the source and destination of his phone calls would have been recorded. This is information that courts have held is not protected by any reasonable expectation of privacy. Given the personal nature of this information, however, the law requires government to obtain an order under these circumstances. In this way, privacy is protected and law enforcement is able to investigate to protect the public.
Now, that same drug dealer may be just as likely to send an e-mail as call his confederates. When law enforcement uses a ''trap and trace'' or ''pen register'' in the online context, however, we have found that, at times, the Internet service provider has been unable or even unwilling to supply this information. Law enforcement cannot abdicate its responsibility to protect public safety simply because technology has changed. Rather, the public rightfully expects that law enforcement will continue to be effective as criminal activity migrates to the Internet. We cannot do this without tools like Carnivore.
Page 44 PREV PAGE TOP OF DOC
When a criminal uses e-mail to send a kidnaping demand, to buy and sell illegal drugs or to distribute child pornography, law enforcement needs to know to whom he is sending messages and from whom he receives them. To get this information, we obtain a court order, which we serve on the appropriate service provider. Because of the nature of Internet communications, the addressing information (which does not include the content of the message) is often mixed in with a lot of other non-content data that we have no desire to gather. If the service provider can comply with the order and provide us with only the addressing information required by court order, it will do so and we will not employ Carnivore. If, however, the service provider is unwilling or unable to comply with the order, we simply cannot give a criminal a free pass. It is for that narrow set of circumstances that the FBI designed ''Carnivore.''
Carnivore is, in essence, a special filtering tool that can gather the information authorized by court order, and only that information. It permits law enforcement, for example, to gather only the email addresses of those persons with whom the drug dealer is communicating, without allowing any human being, either from law enforcement or the service provider, to view private information outside of the scope of the court's order. In other words, Carnivore is a minimization tool that permits law enforcement strictly to comply with court orders, strongly to protect privacy, and effectively to enforce the law to protect the public interest. In addition, Carnivore creates an audit trail that demonstrates exactly what it is capturing.
As with any other investigative tools, there are many mechanisms we have in place to prevent against possible misuse of Carnivore, and to remedy misuse that has occurred. The Fourth Amendment, of course, restricts what law enforcement can do with Carnivore, as do the statutory requirements of Title III and the Electronic Communications Privacy Act, and the courts.
Page 45 PREV PAGE TOP OF DOC
For federal Title III applications, the Department of Justice imposes its own guidelines on top of the privacy protections provided by the Constitution, statutes and the courts. For example, before Carnivore may be used to intercept wire or electronic communications, the requesting investigative agency must obtain approval for the Title III application from the Department of Justice. Specifically, the Office of Enforcement Operations (OEO) in the Criminal Division of the Department reviews each proposed Title III application to ensure that the interception satisfies the Fourth Amendment requirements, and is in compliance with applicable statutes and regulations. Even if the proposal clears the OEO, approval must be given by a Deputy Assistant Attorney General. Although this requirement of high-level review is required by Title III only with regard to proposed intercepts of wire and oral communications, the Department voluntarily imposes the same level of review for proposed interceptions of electronic communications (except digital-display pagers). Typically, investigative agencies such as the Federal Bureau of Investigation have similar internal requirements, separate and apart from Constitutional, statutory or Department of Justice requirements.
If the investigative agency and the Department of Justice approve a federal Title III request, it still must, of course, be approved by the proper court. The court will evaluate the application under the Fourth Amendment and using the familiar standards of Title III. By statute, for example, the application to the court must show, through sworn affidavit, why the intercept is necessary as opposed to other less-intrusive investigative techniques. The application must also provide additional detail, including whether there have been previous interceptions of communications of the target, the identity of the target (if known), the nature and location of the communications facilities, and a description of the type of communications sought and the offenses to which the communications relate. By statute and internal Department regulation, the interception may last no longer than 30 days without an extension by the court.
Page 46 PREV PAGE TOP OF DOC
Courts also often impose their own requirements. For example, many federal courts require that the investigators provide periodic reports setting forth information such as the number of communications intercepted, steps taken to minimize irrelevant traffic, and whether the interceptions have been fruitful. The court may, of course terminate the interception at any time.
The remedies for violating Title III or ECPA by improperly intercepting electronic communications can include criminal sanctions, civil suit, and for law enforcement agents, adverse employment action. For violations of the Fourth Amendment, of course, the remedy of suppression is also available.
Carnivore itself also contains self-regulating features. For example, because of its sophisticated passive filtering features, it automates the process of minimization without intrusive monitoring by investigators, and simply disregards packets of information that do not satisfy the criteria in the court's authorization. Indeed, one of the most powerful privacy-protecting features of Carnivore is its ability to ignore information that is outside the scope of the court-ordered authority. For later verification, it also logs the filter settings. In addition, as a practical matter, Carnivore is not deployed except with close cooperation with the appropriate system provider. In any event, the FBI does not use Carnivore in every instance in which the court orders a Title III electronic communication intercept. Indeed, I understand that the Bureau uses Carnivore only in those instances when the service provider is unable to comply with the court order using its own equipment, or when the provider asks the FBI to use Bureau equipment.
Page 47 PREV PAGE TOP OF DOC
As I testified in April, we face three major categories of challenges in trying to keep the Internet a safe and secure place for our citizens. These are:
1. Technical challenges that hamper law enforcement's ability to locate and prosecute criminals that operate online;
2. Certain substantive and procedural laws that have not kept pace with the changing technology, creating significant legal challenges to effective investigation and prosecution of crime in cyberspace; and
3. Resource needs that must be addressed to ensure that law enforcement can keep pace with changing technology and has the ability to hire and train people to fight cybercrime.
Carnivore is an investigative tool that assists us in meeting the first challenge. As we have witnessed, tracking a criminal online is not always an impossible task using our investigative tools. For example, last year federal and state law enforcement combined to successfully apprehend the creator of the Melissa virus and the individual who created a fraudulent Bloomberg News Service website in order to artificially drive up the stock price of PairGain, a telecommunications company based in California. Although we are proud of these important successes, we still face significant challenges as online criminals become more and more sophisticated.
In nearly every online case, tracking the online criminal requires law enforcement to attempt to trace the ''electronic trail'' from the victim back to the perpetrator. In effect, this ''electronic trail'' is the fingerprint of the twenty-first century—only much harder to find and not as permanent as its more traditional predecessor. In the physical world, a criminal and his victim are generally in the same location. But cybercriminals do not have to physically visit the crime scene. Instead they cloak their illegal activity by weaving communications through a series of anonymous remailers, by creating forged e-mail headers with powerful point and click tools readily downloadable from hacker websites, by using a ''free-trial'' account or two, or by ''wiping clean'' the logging records that would be evidence of their activity.
Page 48 PREV PAGE TOP OF DOC
In some cases, the criminal may not even be in the same country as the victim. The global nature of the Internet, while one of the greatest assets of the Internet to law-abiding citizens, allows criminals to conduct their illegal activity from across the globe. In these cases, the need to respond quickly and track the criminal is increasingly complicated and often frustrated by the fact that the activity takes place throughout different countries. With more than 190 countries connected to the Internet, it is easy to understand the coordination challenges that face law enforcement. Furthermore, in these cases, time is of the essence and the victim may not even realize they have been victimized until the criminal has long since signed-off. Clearly, the technical challenges for law enforcement are real and profound.
This fact was made clear in the findings and conclusions reached in the recently released report of the President's Working Group on Unlawful Conduct on the Internet, entitled, ''The Electronic Frontier: The Challenge of Unlawful Conduct Involving the Use of the Internet.'' This extensive report highlights in detail the significant challenges facing law enforcement in cyberspace. As the report states, the needs and challenges confronting law enforcement, ''are neither trivial nor theoretical.'' The Report outlines a three-pronged approach for responding to unlawful activity on the Internet:
1. Conduct on the Internet should be treated in the same manner as similar conduct offline, in a technology neutral manner.
2. We must recognize that the needs and challenges of law enforcement posed by the Internet are substantial, including our need for resources, up-to-date investigative tools and enhanced multi-jurisdictional cooperation.
Page 49 PREV PAGE TOP OF DOC
3. Finally, we need to foster continued support for private sector leadership in developing tools and methods to help Internet users to prevent and minimize the risks of unlawful conduct online.
I would encourage anyone with an interest in this important topic to review carefully the report of the Working Group. The report can be found on the Internet by visiting the website of the Department of Justice's Computer Crime and Intellectual Property Section, located at www.cybercrime.gov. In addition to the report, www.cybercrime.gov also contains other useful information on a wide array of Internet related issues, including the topic of today's hearing—privacy.
Despite the type of difficulties outlined in the Unlawful Conduct Report and discussed today, the Justice Department and law enforcement across this nation are committed to continuing to work together and with their counterparts in other countries to develop and implement investigative strategies to successfully track, apprehend, and prosecute individuals who conduct criminal activity on the Internet. In so doing, the same privacy standards that apply in the physical world remain effective online.
Mr. Chairman, the Department of Justice has taken a proactive leadership role in making cyberspace safer for all Americans. The cornerstone of our cybercrime prosecutor program is the Criminal Division's Computer Crime and Intellectual Property Section, known as CCIPS. CCIPS was founded in 1991 as the Computer Crime Unit, and became a Section in 1996. CCIPS has grown from five attorneys in 1996 to nineteen today, and we need more to keep pace with the demand for their expertise. The attorneys in CCIPS work closely on computer crime cases with Assistant United States Attorneys known as ''Computer and Telecommunications Coordinators,'' or CTC's, in U.S. Attorney's Offices around the nation. Each CTC receives special training and equipment and serves as the district's expert on computer crime cases. CCIPS and the CTC's work together in prosecuting cases, spearheading training for local, state and federal law enforcement, working with international counterparts to address difficult international challenges, and providing legal and technical instruction to assist in the protection of this nation's critical infrastructures. We are very proud of the work these people do and we will continue to work diligently to help stop criminals from victimizing people online.
Page 50 PREV PAGE TOP OF DOC
I also note that public education is an important component of the Attorney General's strategy on combating computer crime. As she often notes, the same children who recognize that it is wrong to steal a neighbor's mail or shoplift do not seem to understand that it is equally wrong to steal a neighbor's e-mail or copy a proprietary software or music file without paying for it. To remedy this problem, the Department of Justice, together with the Information Technology Association of America (ITAA), has embarked upon a national campaign to educate and raise awareness of computer responsibility and to provide resources to empower concerned citizens. The ''Cybercitizen Awareness Program'' seeks to engage children, young adults, and others on the basics of critical information protection and security and on the limits of acceptable online behavior. The objectives of the program are to give children an understanding of cyberspace benefits and responsibilities, an awareness of consequences resulting from the misuse of the medium and an understanding of the personal dangers that exist on the Internet and techniques to avoid being harmed.
Finally, Mr. Chairman, the Subcommittee may be aware that the Administration will soon be transmitting to Congress a legislative proposal addressing various issues relating to cyber-security. I know that the focus of today's hearing is the Carnivore program, and this is not the time to undertake any detailed discussion of the Administration's proposal. I would, however, like to mention two points that relate directly to today's discussion. First, the Administration supports raising the statutory standards for intercepting the content of electronic communications so they are the same as those for intercepting telephone calls: high-level approval, use only in cases involving certain predicate offenses that are specified by statute, and statutory suppression of evidence derived from improper intercepts. Second, the Administration supports requiring federal judges to confirm that the appropriate statutory predicates have been satisfied before issuing a pen register or trap-and-trace order. Those changes would apply to the use of Carnivore—and would, in important respects, simply confirm by statute the policies and procedures already followed by the Department of Justice. Beyond those specific points, I will simply note here that the Administration supports a balanced updating of laws to enhance protection of both privacy and public safety, and that the forthcoming proposal will contain important provisions whose enactment would be most helpful in the ongoing fight against cyber-crime.
Page 51 PREV PAGE TOP OF DOC
CONCLUSION:
Mr. Chairman, I want to thank you again for this opportunity to testify today about our efforts to fight crime on the Internet while preserving the rights conferred by the Fourth Amendment and statute. Ultimately, the decision as to the appropriate parameters of law enforcement activity lies squarely within the Constitution and the elected representatives of the people, the Congress. The need to protect the privacy of the American people, not just from the government but also from criminals, is a paramount consideration, not just in the context of the Internet, but in general. The Department of Justice stands ready to work with this Subcommittee and others to achieve the proper balance between the important need for protecting privacy and the need to respond to the growing threat of crime in cyberspace.
Mr. Chairman, that concludes my prepared statement. I would be pleased to attempt to answer any questions that you may have at this time.
Mr. CANADY. Thank you very much.
Let me say to each of you who have testified that I think your remarks have helped clear up at least some of the questions that have been raised about the system called Carnivore and I think your testimony has been very helpful to us. I am going to have a few questions and I know other members will have questions. I do want at the outset to acknowledge that we probably will not get to all of the questions that we want to ask, so we would ask you to provide us written responses to any additional questions that any members of the committee may have. It would also give you an opportunity to provide any additional comments that you wish to make in light of subsequent testimony that comes out in the hearing today.
Page 52 PREV PAGE TOP OF DOC
Having said that, let me go over some ground that I think you have already covered concerning the use of Carnivore under the pen register or trap and trace authority. When you are using the pen register or trap and trace authority, would you ever obtain any letters or information other than those that make up an e-mail address such as JohnSmith@home.com? In other words, have you ever or would you ever make a request under the pen register or trap and trace authority that included the capture of words or sentences other than the e-mail address?
Mr. KERR. The answer from our side, in terms of how we set it up, is that if it is a pen register order, we only get the address, and we capture nothing else.
Mr. PAINTER. I might say also that even the subject line we consider to be content, and that would require full title III. It is just the addressing information, and that is solely just as in the telephone context, the numbers dialed, the numbers received.
Mr. CANADY. Because it is your understanding that your legal authority is limited to the e-mail address, and of course it has been your practice, it is your practice and has been your practice only to obtain the e-mail address when you are using the trap and trace or the pen register authority?
Mr. PAINTER. In the electronic communications context, yes, that is correct.
Mr. CANADY. Let me ask you this. In your view, does Federal law enforcement have authority under the Pen Register Act to capture so-called URL addresses which are the Websites a person has visited?
Page 53 PREV PAGE TOP OF DOC
Mr. PAINTER. The URL addresses are really not what are contemplated under the pen register trap and trace, the statute. What we are talking about there is, it is possible it could be captured if, for instance, it was a Hotmail service. The Hotmail service, as Dr. Kerr can talk about more specifically in a technical way, is a Web-based e-mail service, and so you would capture that part of it that identifies it as a Hotmail service and then specifically limits it to a specific, authenticating code, and I think Dr. Kerr can talk a little bit more about that.
Mr. CANADY. If you would.
Mr. KERR. I think that is a very good point. There are services such as Hotmail where we have to capture the Web page and then look for the authenticators and other indications that it is an e-mail service. Having done that, we limit the collection to simply the e-mail that is provided through that service. We don't capture the users' other use of the Internet. We are not interested in what they do when they surf the Web, and we restrict what we do only to that e-mail traffic over the Web page.
Mr. CANADY. Okay. Now, in your comments, Dr. Kerr, you indicated that Carnivore has been used only a few times. I think 16 was the number for this year; is that correct?
Mr. KERR. That is correct, 16 times this year. I think about a total of 25 in the life of the program, over the last 2 years.
Page 54 PREV PAGE TOP OF DOC
Mr. CANADY. Over that same time period, how many title III intercepts on e-mail would you have done not using Carnivore?
Mr. KERR. We have used Carnivore and earlier versions of the same technology, and in some other cases we have used a commercial product to try to capture e-mails. One reason that we moved from the commercial product to Carnivore was in fact to get some of the selectivity and audit properties that I briefed you on earlier, because the commercial product had been developed for quite another purpose. Products like this are used by the service providers to monitor the quality of their service. In that case, they have no legal restrictions on what they can observe. In our case, we are quite limited and need the more discriminating technique.
Mr. CANADY. My time has expired, but by unanimous consent, I will have 3 additional minutes. Let me follow up on that. Let me change—we have a limited amount of time—to a different subject.
How many—have you contemplated allowing the use of Carnivore by other, not only Federal law enforcement agencies, but State or local law enforcement agencies?
Mr. KERR. At this point in time, we have used it on at least one occasion in support of another Federal law enforcement agency. We have not yet brought it to the point where we would be talking about it in terms of providing it to State agencies. As you are aware, the authorities under which they operate are different than at the Federal level, and so we are not necessarily assured at this point in time that it would be a suitable tool for us to turn over.
Page 55 PREV PAGE TOP OF DOC
That said, anytime we turn over title III or other intercept equipment to State and local authorities, we do so with the signature of the Attorney General. She has, in fact, the decision on that. We don't.
Mr. CANADY. In my opening statement, I made reference the a media report that Earthlink was required to attach Carnivore's to its network in one instance, and doing so caused part of this network to crash and caused customers to lose service. From your comments, Dr. Kerr, I understand that shouldn't happen, so I would like your—to hear your comments about those reports of what actually took place there, and whether this system can pose a threat to the functioning of an ISP, and whether you have had other complaints similar to that made by Earthlink.
Mr. KERR. In the specific case, what I will do is try to give you something for the record that is more complete than I can do right now. But initially, when we went to Earthlink and they were ultimately compelled to move ahead to do this, they attempted to do it themselves with software that they essentially tried to put together in real-time. It didn't work and it didn't provide information consistent with the court order.
It is not clear to us that anything we subsequently did had any adverse effect on their network, and, in fact, in at least one other case, we have had quite good cooperation from them. It is the only case where we have, in fact, had to go back and get the judge to emphasize that he meant what he said in the order. In all other cases, we have had excellent cooperation, particularly at the technical level and normally at the level of the general counsel of the company involved.
Page 56 PREV PAGE TOP OF DOC
Mr. PAINTER. I would add also that in any of these cases you have to work with the service provider to actually install this; the FBI couldn't just go in and do it themselves. So even when the court orders it, and that happens in each case, you have to work with the technical people to install it.
Mr. CANADY. Thank you very much.
Mr. Watt is recognized for 5 minutes.
Mr. WATT. Thank you, Mr. Chairman.
Let me start at a pretty basic level, Dr. Kerr, and pick up on something that you said in response to one of Mr. Canady's questions having to do with your sharing of this tool with other law enforcement agencies; and as I recall, your response was that the authorities of the States are different than the authority under which you are operating. Unless I am missing something, everybody's operating under the Fourth Amendment to the United States Constitution. So unless you are saying that the Wiretapping Protection Act gives the Federal Government some additional authority than the States are able to exercise under the fourth amendment to the Constitution, maybe I shouldn't speculate about what you are saying.
Tell me what it is you are saying when you say that you are operating under a different authority than the States.
Mr. KERR. I certainly take your point that the States are operating under the same Constitution that we are. But we in addition, of course, have the title 18 statutes that guide the Federal use of electronic surveillance.
Page 57 PREV PAGE TOP OF DOC
Mr. WATT. But that is in—I would take it that that is in furtherance of whatever authority you have as a basic proposition under the Constitution of the United States. It doesn't give you any additional authority, does it?
Mr. KERR. No, it certainly doesn't, but the point is that some States, in fact, do not have a statutory basis for State and local law enforcement to do electronic surveillance or they have statutory limitations—all still within the Constitution, but in fact more restricted, or nonexistent, in some cases.
Mr. WATT. All right. Let me ask another pretty basic question.
How long has Carnivore or some predecessor form of Carnivore been in use by your department?
Mr. KERR. Roughly 2 years.
The program began in terms of a development program about 3 years ago, but in terms of actual court orders and deployment over the last 2 years.
Mr. WATT. Square for me, if you would, the notion that you have now engaged in 25 uses of this, 16 of them this year—or are engaging in them, I guess, on an ongoing basis because none of them have come to trial yet; and the statement that you made that you are now undertaking or preparing to undertake verification that the system does what you say it does and that only? It seems to me that such verification would have taken place at some earlier stage, not 25 cases into public concern or legal concern.
Page 58 PREV PAGE TOP OF DOC
Mr. KERR. The essence of the development program of course is that you do learn as you develop and deploy. As I pointed out, we had initially tried to use a commercial product and found that it did not have all of the properties we thought should be in place for long-term use in a law enforcement context, and so——
Mr. WATT. What properties did it not have that you were looking for?
Mr. KERR. It didn't have the same discrimination capabilities. It didn't have the same ability to provide an audit report and to report on configuration that we require.
Mr. WATT. Who is it that—now that you have the audit capability, who is it that has the oversight at your department to audit—to really review the information that you obtain from the audit?
Mr. KERR. I think that will actually happen quite outside the FBI in that the results of the intercept will, in fact, be provided to the court. They will of necessity become available to the defense, and consequently, they will be more aggressively questioned, in fact, in that circumstance than they would be in any internal administrative review.
Mr. CANADY. The gentleman's time has expired. The gentleman will have 3 additional minutes.
Page 59 PREV PAGE TOP OF DOC
Mr. WATT. Let me turn to a different area, if I can.
You have compared this to the Internet capabilities, it is to a phone tap or the authority that you have to tap phones. Does your authority to tap phones get you into the internal phone mechanisms of the phone company, or is your authority limited to tapping individual phones of individual suspects?
Mr. KERR. That is an area that is, in fact, in a state of change today.
Mr. WATT. Who is changing it?
Mr. KERR. You did, sir, in that the——
Mr. WATT. ''You'' being Congress, I take it. I think I voted against this bill as I recall. I still have some concerns about it, to be honest with you.
But go ahead. I am lumped with everybody else for that purpose.
Mr. KERR. Sorry. Some of my colleagues know this better than I, but the point is——
Mr. WATT. Maybe I should be directing this to Mr. Park; he is the general counsel. He should know these things I guess or Mr. DiGregory. I didn't mean to be beat up on the technician here.
Page 60 PREV PAGE TOP OF DOC
Mr. DIGREGORY. In its most basic sense, as I understand it, the telephone tap is conducted at the phone company, but is restricted to the individual line which you wish to tap, whether you wish to obtain numbers dialed, numbers coming in, or whether you wish to obtain content.
Mr. WATT. Okay. Now how does that compare with the capability that Carnivore has for Internet communications?
Mr. DIGREGORY. I will go back to the science side.
Mr. KERR. Not to try to confuse you by switching back and forth but the——
Mr. WATT. I am pretty confused without you switching back and forth, but go ahead.
Mr. KERR [continuing]. The telephone tap refers to the ability to intercept switched circuits, which was the basis historically of the telephone system.
The Internet provides a different kind of technology that we are trying to intercept. It is a so-called ''packet switched'' network, and it doesn't work by my, in effect, leasing a circuit in order to make a phone call from my house to yours and that is, if you will, for the time of the conversation, our private circuit.
Page 61 PREV PAGE TOP OF DOC
In the case——
Mr. WATT. Let me stop you right there, because my light's going to go off—has already gone off. If you needed additional legal authority to get mobile-owned phone taps, why would not additional legal authority be necessary to—for you to be doing what you are doing under this system? And maybe again——
Mr. KERR. I will give you my view.
Mr. CANADY. The gentleman will have an additional minute.
Mr. KERR. We do, in fact, have legal authority to do what we are doing today, and I think it is because of the correct belief, from my perspective, that the addressing information on the Internet is, in fact, a useful and appropriate analog to the telephone number in the switch circuit world.
But perhaps Mr. DiGregory or Mr. Parkinson would like to add to that.
Mr. PARKINSON. I think that is correct, and it's appropriate also to point out that there are gradations of authority and there is a higher level of authority within the Department and a higher level of authority in the courts, depending on what sort of intrusion you are talking about. If you are talking about simply numbers, then we have the pen register and trap and trace authority. If you need to go beyond that, then we have to move it up a notch or several notches to a title III authority.
Page 62 PREV PAGE TOP OF DOC
Mr. WATT. Thank you, Mr. Chairman.
Mr. CANADY. Chairman Hyde.
Mr. HYDE. Thank you, Mr. Chairman.
You can understand the skittishness of some people whose concern is privacy; and when you see some of the things that have happened here in Washington, it gives one reason to wonder and to worry. I speak of the Defense Department releasing an employment application with information that was supposed to be private, and it ends up in the New Yorker magazine; and that person, I think he got a letter mildly critical of what he did, which doesn't go in his file and no prosecution.
A less compelling case, I guess, is over the so-called ''Filegate,'' where the law wasn't breached at all, but one sense of privacy was—took a beating I should think.
And so there are people, who are skeptical about how this culture of privacy, how porous it is. That doesn't call for an answer; that is just kind of a comment.
Can you tell us how—I will ask this maybe of Mr. DiGregory—how terrorist cells and organized crimes and others use technology, and how does Carnivore address the growing use of technology by criminals?
Mr. DiGregory. Well, I think that terrorist cells and organized crimes can use the Internet to communicate, can use e-mail to communicate. In simply the same way that a pen register addressed their use of the telephone to perpetrate their criminal activity, Carnivore addresses or can address their use of the Internet with respect to those activities and obtain, pursuant to a pen register order, the numbers that are being called by the organized crime figure or the drug trafficker.
Page 63 PREV PAGE TOP OF DOC
Mr. HYDE. Could you tell me what reasons you have for not letting the Internet Service Providers gather the requested information? I take it they have made themselves available to do that for the most part. Maybe some of them haven't, but what are the reasons why you don't let them do it?
Mr. DIGREGORY. I don't think it is a question—and anybody up here is invited to correct me if I am wrong. I don't think it is a question of not letting them do it. I think Carnivore's use is limited to those situations where the Internet Service Provider is unable to provide the minimized, court-ordered information that the FBI requires pursuant to the order.
Mr. PAINTER. And let me amplify on that a little bit.
The FBI, in my understanding, will always allow the Internet Service Provider to do it if they can, in fact, do it in a timely fashion. The one time this was actually changed, not talking about who the ISP was in that one instance, the ISP tried to work with its own tool, it was not effective; it was not capturing all of the addresses. It was only capturing incoming and not outgoing addresses. It wasn't giving the whole information, and in that case, the FBI was forced to use the Carnivore tool.
That is not their first line. The first line is to let the Internet Service Provider do it if they can, and in fact, I think the FBI would like the Internet Service Providers to do it if they can.
Page 64 PREV PAGE TOP OF DOC
Mr. HYDE. Fine. Thank you very much.
I have no more questions. I am through, Mr. Chairman.
Mr. CANADY. The gentleman from Michigan is recognized.
Mr. CONYERS. Thank you very much.
I think one of the basic questions here is to determine whether or not you are minimizing your activities or whether you are maximizing them; and of course it has already been asserted that you are minimizing them. My job is to find out—maybe before the hearing ends, but certainly after the hearing—whether that is correct.
And it seems to me that this system that we are overseeing today, unlike other trap and trace devices or the others that we use, is available for—subject to the maximization of information—getting more information than is required or is authorized by a court order. If so, that is very unclear as of now.
I am not sure how we are going to sort this out, but I think we have witnesses here who are going to come forward later to complain about the fact that there was other information that was available through this system that might not have been available if we weren't going through the Internet.
Isn't it possible that you can get more information and look at other things that would not have otherwise been available?
Page 65 PREV PAGE TOP OF DOC
Mr. KERR. One of the points, Mr. Conyers, that I was taking some time with was to try to make it clear that the only information we can capture is, in fact, that specified in the court order; and to go outside of the court order, in fact is a Federal felony with substantial sanctions for those who would do so. We, in fact, think of this as a tool that is designed explicitly to meet the requirement of the court order. We don't have the authority, nor are our people allowed the opportunity to step outside of those bounds.
Mr. CONYERS. Well, right, that is the law. But I mean, that is the problem. If I could be assured that everybody wouldn't do the wrong thing because there was a statute making it criminal, that would reduce the need for a lot of our efforts, and even those of law enforcement people I hasten to add.
Mr. DiGregory.
Mr. DIGREGORY. Mr. Conyers, as I understand the way the system operates, certainly that is correct and that is what the law is, but there are checks and balances with respect to Carnivore, which would make it extremely difficult for someone to counter those checks and balances and violate the court order. It is not just a situation where, as I understand it, a rogue FBI agent, for example, could broaden the coverage of the Carnivore intercept and violate the court order. In order to do that, he would need to engage the aid of technical people, perhaps even technical people at the Internet Service Provider; and he would also have to find some way to cover up or change the audit trail that is left by the system so that it doesn't expose his going beyond the court order.
Page 66 PREV PAGE TOP OF DOC
And again, I will stand corrected by those who are more expert in the way this system functions, but that is how I understand it. And although, yes, that is the law, there are checks and balances which would make it extremely difficult for someone to violate the court order.
Mr. PAINTER. It is also a law we take very seriously. If a law enforcement person violates the wiretap law, they will be prosecuted. The computer crime section has a responsibility for doing that, and would prosecute particularly law enforcement individuals who violate the wiretap law.
Mr. DIGREGORY. And we have done that, not in the context of these kinds of intercepts, but in the context of telephone interceptions.
Mr. CONYERS. So our assurances are that, first of all, there is a law against it which you would assiduously prosecute if your own people were to violate it. And there are other technological measures that make it very difficult to do, because there is a box that actually can search to preclude getting more information than you want.
Is that the way I understand that it operates, Dr. Kerr?
Mr. KERR. Actually the way it works is that it is set up in conformance with the order to collect and record that which is part of the order, and in so doing that setup and arranging of the configuration, the knowledge of that setup and configuration is in fact recorded right along with the evidence. Once that evidence is collected, it is, in fact, delivered to the Federal court where it is sealed by the judge who issued the order so—and with an appropriate chain of custody to get it there.
Page 67 PREV PAGE TOP OF DOC
Mr. CANADY. The gentleman's time has expired. Without objection, the gentleman will have 3 additional minutes.
Mr. CONYERS. Thank you. I am not sure if I need them, Mr. Chairman, but let me just say that I don't know. Maybe the committee is in a more difficult position than I appreciate. I don't know if we have any way of verifying the technological part of the response to my question that you have given me; and I know that you know.
Unfortunately, in the past, we have had many agencies, including law enforcement, that have gone beyond the scope of their responsibility. There is hardly anything new about that. So I am trying to figure out how we are going to get to the bottom of this. We may need a technology expert to match yours to verify what you are telling us to make everybody believe it is okay, it is the government and——
Mr. CANADY. Would the gentleman yield?
Mr. CONYERS. Of course.
Mr. CANADY. I think the gentleman raises a valid point, but I think that has already been addressed to a certain extent by the department's announced plan to have this system reviewed by an independent body of experts who would issue a report that everyone could examine. And I suppose, ultimately, representatives of the independent body of experts could come here to the Congress and answer questions that we might have of them, based on their independent review.
Page 68 PREV PAGE TOP OF DOC
Mr. NADLER. Would the gentleman yield for question?
Mr. CONYERS. If—yes.
Mr. NADLER. Thank you. I am just concerned about that.
Let us assume that an independent body of experts reviewed this system and said it was fine and do only what it is supposed to do, et cetera. That could change at any time after that. And how would you maintain the trustworthiness that the system was still limited after they had investigated it, unless you were going to have an independent group looking over the FBI's shoulder forever? Because obviously you can't trust the police agency forever not to go beyond what they are supposed to do.
Mr. CONYERS. Well, I raised this, Chairman Canady, merely to point out that we are sort of in the process of taking their word for it. And, of course, we are happy to take the government's word, but you know, this—as I recall it, Carnivore wasn't sent to us. We sort of found out about it in the scope of things, and it began to take on a life of its own that led to this hearing.
So I am anxious to hear from the nongovernment witnesses to see how their understanding of what has been happening with this system comports with what we are being told. But I thank the witnesses anyway; that is what your job is about. I mean, that is what you are supposed to do.
Page 69 PREV PAGE TOP OF DOC
Thank you, Mr. Chairman.
Mr. CANADY. Thank you, Mr. Conyers. The gentleman from Arkansas, Mr. Hutchinson, is now recognized for 5 minutes.
Mr. HUTCHINSON. Thank you, Mr. Chairman.
On that particular point, you all are willing to submit the source codes to an independent review and audit. I think the dispute is that the ISP community would like to have open access to the source codes for purposes of reviewing them and determining their authenticity and to accomplish what it is that you desire.
What problems would you see, if any, in allowing open access to the source codes that make up Carnivore, Dr. Kerr?
Mr. KERR. There are two points that we would raise. We wouldn't have any problem releasing it to a group set up to do verification and validation. We would have a problem with full, open disclosure because that, in fact, would allow anyone who chose to develop techniques to spoof what we do an easy opportunity to figure out how to do that.
Beyond that, some of the code we have used is in fact commercial, off-the-shelf software; and it is proprietary to the companies that have developed it, and we are not at liberty to divulge their source code under the license we have paid for.
Mr. HUTCHINSON. So you would be open, and it would not compromise legitimate law enforcement activities if there was an ongoing review system of the source codes for Carnivore or any subsequent adjustments to it?
Page 70 PREV PAGE TOP OF DOC
Mr. KERR. I think the only concern we would have at some point is, you know, when is enough enough? Do you review it each time you set it up for a new case? I don't think that is workable. Do you do it as part of an annual review of electronic surveillance beyond simply counting the occasions when it is in use, that may be more workable?
But clearly when the number of reviewers are larger than our group that develops the system, we probably have reached some form of imbalance at that point.
Mr. HUTCHINSON. Thank you.
If you have a content court order to use the Carnivore system, then of course you have to show probable cause. At that point, is innocent, third-party information reviewed by Carnivore?
Mr. KERR. If we have, in fact, gotten proper information on the target addresses and the ''to'' and ''from,'' because that is important too, since more than one person might be using a particular computer. In principle, we should only get the authorized communication. That said, if we were to find that we had in error or because of misinformation recorded something to which we were authorized no access, we would have to minimize that just as we would on a normal telephone wiretap.
Mr. HUTCHINSON. It has been explained to me as a ''pipe,'' in which Carnivore looks at all the data going through the pipe to see that which is the subject of the court order.
Page 71 PREV PAGE TOP OF DOC
Mr. KERR. Right. In fact——
Mr. HUTCHINSON. Is that pretty much——
Mr. KERR. Yes, our problem is that the pipes are too big for us to do that, and we rely on the service providers to give us just part of the traffic coming through their big pipe.
Mr. HUTCHINSON. And I have learned on computers that sometimes ''delete'' does not mean ''delete,'' that information continues to be restored. Is the information that is not captured pursuant to the court order, is it ever retrievable in any form by any means?
Mr. KERR. No, it is not, because it is all in random access memory and volatile memory. So, for example, if the power goes off, we will lose everything in that memory, none of it gets to.
Mr. HUTCHINSON. What if the power doesn't go off?
Mr. KERR. None of it gets to a stable recording medium like magnetic media in a hard drive or a ZIP drive, or a floppy disk. Only that which we are authorized, and which the filter is set up for, gets to that permanent media.
Mr. HUTCHINSON. Now, you indicated that year to date, Carnivore's been used 16 times. I believe 20 times total. But did you also, in addition to that, use court-ordered wiretaps or pen registers to retrieve Internet information by using ISP capabilities?
Page 72 PREV PAGE TOP OF DOC
Mr. KERR. In some of the cases, we have been able to ask the ISP, and they have provided us the information.
Mr. HUTCHINSON. I am trying to get a contrast. The 16 that you mentioned were not by using ISP capabilities, this is when the FBI went in and used the Carnivore system; is that correct?
Mr. KERR. That is correct.
Mr. HUTCHINSON. All right. So I am trying to get an idea how many others were out there that were used by ISP capabilities.
Mr. KERR. I don't have the number with me. We could certainly provide it to you.
Mr. HUTCHINSON. Does anyone know that? I mean, I am trying to figure out if we are looking at 100 others versus 16.
Mr. PAINTER. My understanding for title III intercept is, it is not a large number trap and trace, it might be a little larger.
Mr. DIGREGORY. We can certainly try to provide, though, as Dr. Kerr indicated for the committee.
Page 73 PREV PAGE TOP OF DOC
Mr. CANADY. The gentleman's time has expired. The gentleman will have three additional minutes.
Mr. HUTCHINSON. Thank you. It strikes me, considering the number of title III wiretaps of telephone communications, that is much greater than the 16 or what you have used by ISP capability. What I am leading to is that it looks like if the bad guys are moving, as the whole population as a whole is moving to data communications through the Internet, looks like we are missing a whole lot here, that we are only on the surface of what we might need to be doing.
Mr. KERR. That is certainly true. The tool we have been discussing to this point today, Carnivore has, in fact, only been used in the framework of e-mail intercept. As you are properly pointing out, there is a lot of other traffic on networks. We continue to work to try to see how we could develop appropriate and lawful tools to go after that traffic on as well. We would tend, again, to try to use the properties of the network itself, the need for me to be able to move data from my computer to your computer and capture it because of the addressing information that would be there, not by trying to view the content on the fly.
Mr. CANADY. Would the gentleman yield?
Mr. HUTCHINSON. Yes, happy to yield.
Mr. CANADY. I don't understand what other kind of traffic you are talking about if it is not e-mail. What realm are we talking about if we are not talking about e-mail?
Page 74 PREV PAGE TOP OF DOC
Mr. KERR. Well, one could use other protocols, for example, to move large files, to move imagery, to move larger quantities of data, and it wouldn't move as e-mail in the sense that we have been talking about it today with a from-me-to-you subject, whatever. It might just move as a block of data. It could, in fact, be information that companies are moving from one location to another.
Mr. HUTCHINSON. Have you ever had occasion to try to retrieve any of that information pursuant to court order?
Mr. KERR. We have not had any occasion that I am aware of where we have tried to intercept that kind of information. In general, large files like that we would expect to come to rest some place, and we would probably be picking it up as another part of an investigation.
Mr. HUTCHINSON. Finally, looking ahead a little bit, there was a question asked of whether the pen register orders that are applied to the Internet reveal far more than the numbers that are dialed in traditional telephone wiretaps, and I know that you are restricting it to the ''from'' information, you have specifically deleted capturing the subject information because that would be content-oriented, but this is still a concern, I guess, that even the ''to,'' with the address, is sometimes a descriptive term. Have you, from your history of the 16 instances that Carnivore has been used this year, found any instances where you captured more information then you believed you needed pursuant to a pen register-type capture? Information that you believe might go into the content area and therefore you had to minimize it?
Page 75 PREV PAGE TOP OF DOC
Mr. CANADY. The gentleman's time is expired. The gentleman will have one additional minute.
Mr. KERR. I will reserve the opportunity to answer carefully after review, but there are none to my knowledge.
Mr. HUTCHINSON. In other words, you are saying the system is working, you are not capturing content information beyond that which is intended by the court order?
Mr. KERR. That is correct.
Mr. HUTCHINSON. Thank you, gentlemen. I yield back.
Mr. CANADY. Thank you, Mr. Hutchinson. The gentleman New York, Mr. Nadler, is recognized for 5 minutes.
Mr. NADLER. Thank you, Mr. Chairman. Forgive me if I ask any question that may be repetitive, because of a plane delay, I arrived late to the hearing. As I understand it, Carnivore can be used either for content or for, in effect, the trap and trace, to just know who a person is communicating with, is that true?
Mr. KERR. Yes, that is correct.
Mr. NADLER. So it can be used for either purpose?
Page 76 PREV PAGE TOP OF DOC
Mr. KERR. Or both.
Mr. NADLER. Or both. And whether it's used for, either purpose depends on the nature of the court order.
Mr. KERR. That is correct.
Mr. NADLER. And can it be set either way?
Mr. KERR. It is, in fact, set specifically to meet the terms of the court order.
Mr. NADLER. Now when you had, in effect, a trap and trace, you want to know who someone is talking to, this is for past tense or for ongoing?
Mr. KERR. Basically, we would capture under the trap and trace pen register order the ''to'' and ''from'' information. It would be recorded.
Mr. NADLER. No, no. Is it past tense? You get a court order, want to know who this guy talked to in the last 2 months, or we want to know who he is talking to in the next 2 months.
Mr. KERR. It is prospective.
Page 77 PREV PAGE TOP OF DOC
Mr. NADLER. It is prospective. Now, what is the difference in terms of what you have to show, presumably you have to show probable cause that a crime may be committed. Why would you ask sometimes to know only who he is talking to and sometime what is being said if they are both prospective?
Mr. KERR. I will let my colleague lead with that one, please.
Mr. DIGREGORY. It depends upon the nature of the information that you have available to you at the time. You may not have enough information at the time that you seek the pen register or the trap and trace order to establish the probable cause necessary to seek the order of the title III order for the content.
Mr. NADLER. But you have enough to—you need a lesser standard of probable cause to get a trap and trace?
Mr. DIGREGORY. It is not a probable cause standard at all. It is simply a certification to the court by the prosecutor and the law enforcement agency that the information that will be obtained through the use of the pen register and the trap and trace or the trap and trace is relevant to an ongoing criminal investigation.
Mr. NADLER. With no probable cause?
Mr. DIGREGORY. With no probable cause.
Mr. NADLER. You can get it on anybody with no probable cause?
Page 78 PREV PAGE TOP OF DOC
Mr. DIGREGORY. That's correct, and I want to point out to you that the Supreme Court held in Maryland v. Smith, I believe in 1979, that there was no reasonable expectation of privacy in numbers dialed by a telephone because essentially, when someone turns over information to a third party like the telephone company, they should not have either a subjective or an objective reasonable expectation of privacy in that information.
Mr. NADLER. And does that mean that when I send a letter, there is no reasonable expectation of privacy as to whom I am sending the letter in the snail mail? Could you get an order from the Post Office to tell you, without any probable cause, who is sending me mail or whom I am sending mail to?
Mr. DIGREGORY. We do mail covers all the time which essentially do that.
Mr. NADLER. Without probable cause?
Mr. DIGREGORY. That is right.
Mr. NADLER. That is very interesting. Let me ask you a different question.
Mr. DIGREGORY. May I just add one more thing, Mr. Nadler. The authority under which we operate is codified at 18 United States code. I believe it is 3125 with respect to or 3123.
Page 79 PREV PAGE TOP OF DOC
Mr. NADLER. 31?
Mr. DIGREGORY. 3121 at section which includes 3125, I believe.
Mr. NADLER. Now let me ask you a different question. You started using this Carnivore system about 2 years ago.
Mr. KERR. That is correct.
Mr. NADLER. And no one ever bothered telling Congress about it, we just found out about it because Earthlink complained about it?
Mr. KERR. Well, no one ever bothered telling Congress in the sense of all of Congress. There certainly have been members and staff briefed on it over the last year. It has been wide——
Mr. NADLER. Judiciary Committee staff?
Mr. KERR. Yes. It has been rather widely discussed with industry, Internet Service Providers, other companies that provide software and hardware to the network. It has been fairly substantially briefed within the Department of Justice, including at the training center in Columbia, South Carolina, where the United States Attorneys and AUSAs go for training. All of the major investigative programs have been briefed.
Page 80 PREV PAGE TOP OF DOC
Mr. NADLER. What institutional safeguards have you set up to make sure that the assurances that you have given us, that information gathered by Carnivore on subjects not under investigation is not used?
Mr. KERR. Every time that it has been used, it has gone through the internal review of the FBI that all such uses require. My colleague, Larry Parkinson, can speak to more detail on that. Second, it goes to the Office of Enforcement Operations in the Department of Justice where it is, in fact, reviewed prior to ever going to a court to get a court order. So there is a very substantial level of review internal to the FBI, internal to the Department, as well as the subsequent review of the court before an order is issued.
Mr. NADLER. Subsequent review to the court—I am sorry, I think I asked, once you have Carnivore online, what institutional safeguards do we have that information gathered by Carnivore presumably, after the court issues an order to install it, is not misused?
Mr. CANADY. The gentleman's time is expired. The gentleman will have 3 additional minutes.
Mr. NADLER. Thank you.
Mr. KERR. The answer to that is, particularly in a full content intercept, that the information we intercept and record is provided under seal back to the court, which can itself determine that we have properly followed the order.
Page 81 PREV PAGE TOP OF DOC
Mr. NADLER. It is provided back under seal to the court?
Mr. KERR. Correct.
Mr. NADLER. Is there a proceeding in the court? If there is not a proceeding in the court, it will be simply placed in storage, no one will look at it.
Mr. PAINTER. That is not completely true, because it is placed under seal with the court in a title III content intercept, and then at some point in the future the court can, under title III, make that available to, for instance, the person whose conversations were intercepted and/or his defense counsel.
Mr. NADLER. If a person has been the subject of such an order and his content has been intercepted, or simply that whoever he was e-mailing to has been made known to the FBI, and it is determined that this person should not be subjected to any charges, did nothing wrong, is he ever made aware that his privacy was so violated?
Mr. PAINTER. Under title III, under the provision of title III, if a title III order is denied by the judge or if it expires, after a certain period of time, I believe it is 90 days, there has to be notice to the people whose conversations were intercepted. I think that has been done very broadly, as I understand it.
Mr. NADLER. So people whose conversations were intercepted or on whose e-mail there was a trace are eventually told?
Page 82 PREV PAGE TOP OF DOC
Mr. PAINTER. Under the provisions of title III, when you are dealing with content, yes, that is correct.
Mr. NADLER. What about when you are not dealing with content, when you are dealing with a trap and trace?
Mr. PAINTER. Again, a trap and trace, and I should emphasize something that Mr. DiGregory said earlier, a trap and trace, the reason probable cause is not required is this is a very preliminary investigative step. It is really literally the addressing information and nothing more.
Mr. NADLER. I understand that, but without probable cause to believe that I have committed a crime or done anything wrong, but simply a private investigation, you have followed who I am talking to by e-mail, or for that matter, not by e-mail, you put a trap and trace on my phone for the last 6 months, and now you have determined that there is nothing further to investigate, do you ever tell me that my privacy was violated in that way? Do I ever know about it?
Mr. DIGREGORY. I don't believe that there is any requirement for disclosure in the law, and I would only—I understand you are using the term that my privacy was violated and only relying upon the case law which indicates that there is no reasonable expectation of privacy in such information, I just wanted to make that point yet again.
Mr. NADLER. That may be from the Supreme Court's point of view. There is no reasonable expectations of privacy, but I think as a practical matter, most people would be somewhat upset if they thought that someone was following exactly who they were talking to on the telephone or who they were mailing e-mails to, but be that as it may, from a legal standard, that may not be, but the fact is there wasn't—in a practical sense, there was an invasion of privacy, government-gathered information that maybe I didn't want people to know, I think I should know about that and maybe I should be able to say to the government on what basis did you do this, did you have any reason to do it. Maybe they did, maybe they didn't. Right now there is no provision for that.
Page 83 PREV PAGE TOP OF DOC
Mr. PAINTER. First of all, the prosecutor has to certify to the court that it is relevant to an investigation, and then second, it is that class of information alone, and it is limited to a period. It can't be done ad infinitum.
Mr. NADLER. What period is it limited to?
Mr. PAINTER. It is 60 days.
Mr. NADLER. Can it be renewed?
Mr. PAINTER. It can be renewed.
Mr. NADLER. How often can it be renewed?
Mr. PAINTER. I am not sure. There is a limitation.
Mr. NADLER. What is the longest anyone has ever been subject to this?
Mr. PAINTER. We would have to look into that to be sure.
Mr. NADLER. Has anyone ever been subject for more than, let us say, a year?
Page 84 PREV PAGE TOP OF DOC
Mr. PAINTER. Again, I don't have that information available at this point.
Mr. NADLER. 5 years? Could you rule that out?
Mr. PAINTER. I mean, if you want us to try to find out the longest time that anybody has ever been subjected, we can try to do that. I don't know that we have those records, but we can try to do that.
Mr. NADLER. Thank you, Mr. Chairman.
Mr. CANADY. Thank you. The gentleman from Alabama is recognized for 5 minutes.
Mr. BACHUS. Thank you. The potential for abuse here is tremendous, would you all agree?
Mr. PARKINSON. Congressman, I guess I don't agree with that.
Mr. BACHUS. All right. And you don't have to give an explanation.
Mr. PARKINSON. Well, I think at a certain point in time we have to rely on the good faith of public servants who have a number of checks and balances.
Page 85 PREV PAGE TOP OF DOC
Mr. BACHUS. I think you are exactly right, I think what you are saying is trust us, you have to rely on us and what that reminds me of is these IRS agents who used the information to check up on their ex-spouses and their boyfriends and their girlfriends and potential adversaries for affections, and, you know, all that we have heard for really years and years and years. J. Edgar Hoover, what he did. But let us talk about those checks and balances, because I think you are exactly right. You certainly have to rely on that because you can't go to AT&T today and say we are going to analyze all the phone calls that come through your system, can you?
Mr. KERR. That is correct, we can't do that.
Mr. BACHUS. But you can do that with this, with Carnivore.
Mr. KERR. No. We, in fact, specifically don't do that.
Mr. BACHUS. But you do have to analyze, or you do have the ability to analyze everything coming through that information stream, don't you?
Mr. KERR. No, we, in fact, restrict.
Mr. BACHUS. You restrict it, but you have the ability to monitor.
Mr. KERR. We don't have a system with the capability to do the real-time processing of that much information.
Page 86 PREV PAGE TOP OF DOC
Mr. BACHUS. But you can move it around and just capture whatever you want on that system, I mean, you don't have the ability to go to a telephone company——
Mr. KERR. We don't have the right or the ability to just go fishing.
Mr. BACHUS. Well, you have the ability to monitor anything within that information stream.
Mr. KERR. No. We, in fact, have the lawful opportunity——
Mr. BACHUS. Okay. You say you don't have the legal ability, but you have the technology to monitor that information stream, anything in it.
Mr. KERR. We are not sitting looking at the information stream and moving our filter around. It is, in fact, put in place with a court order. It is not——
Mr. BACHUS. But you have the technology to go in and monitor every one of those e-mails on the system if you want—not all of them at once, but you could monitor here, you can monitor there.
Page 87 PREV PAGE TOP OF DOC
Mr. KERR. Certainly, if you had access to the technology, in principle, you could do that.
Mr. BACHUS. And you can't with telephone calls?
Mr. KERR. Well, in fact, depending on where you are in the telephone system and what kind of switch you are in, you might be able to do a great deal, but again, it is the same thing. Remember, the big telephone switches are simply computers as well, and so if you got into one, you presumably could see a lot of traffic. The fact is that there are a lot of bars to our doing that, starting with——
Mr. BACHUS. There are safeguards, they are safeguards.
Mr. KERR. It is the law, it is illegal.
Mr. BACHUS. I mean, it is the law, one of the checks and balances?
Mr. KERR. Correct.
Mr. BACHUS. Now one of those you said the Justice can want, you have to go to the Justice Department and notify them and get their approval, and you said that it takes higher level of authorities there to get approval for your activities; is that correct?
Mr. KERR. What Mr. Parkinson was saying is that for the trap and trace and pen register, which only allows addressing information, it is a different level of review, but to get content where probable cause needs to be demonstrated——
Page 88 PREV PAGE TOP OF DOC
Mr. BACHUS. You have to go higher up.
Mr. KERR. It, in fact, takes high level approval in the Justice Department before we are able to——
Mr. BACHUS. Let me ask you this: Why did Janet Reno not know about this, although it is going on for 3 years and she is, in fact, the Attorney General?
Mr. KERR. Well, I would remind you that the Department of Justice has some 127,000 people.
Mr. BACHUS. Okay.
Mr. KERR. And multiple——
Mr. BACHUS. I think that is a valid point, there are 127,000 people over there.
Mr. DIGREGORY. I believe that Attorney General Janet Reno said she has known about the capacity to do this. She was interested in taking a closer look at the systems application and implementation and ensure that we are balancing privacy and law enforcement need s, and I think that is what is going to happen with respect to this independent verification and validation.
Page 89 PREV PAGE TOP OF DOC
Mr. BACHUS. All right. How about Echelon? I understand that the National Security Council testified before Congress and said that they routinely shared information they gathered with Echelon to law enforcement informations. Do they share information with the FBI?
Mr. KERR. What you are referring to, of course, is whether the National Security Agency——
Mr. BACHUS. I mean, through their Echelon program.
Mr. KERR. Their various intercept programs may, from time to time, appropriately share information with law enforcement, but there are, in fact, some very important hurdles there, including the Classified Information Procedures Act and others, so that, in fact, the primary purpose of a system may have been intelligence collection. Incidental to that priority purpose, it may have collected important information about a crime either committed or being planned, and there are mechanisms to take advantage of that.
Mr. CANADY. The gentleman's time has expired. Without objection, the gentleman will have 3 additional minutes.
Mr. BACHUS. Echelon, as I understand it, they monitor all telephone call, all e-mails, all faxes; is that your understanding?
Mr. PARKINSON. I think we should defer to the National Security Agency to talk precisely about Echelon. I don't think we are prepared to talk about it today.
Page 90 PREV PAGE TOP OF DOC
Mr. BACHUS. I guess I would ask the FBI. You say when he said they routinely shared information with law enforcement agencies, do they share information with the FBI?
Mr. PARKINSON. We have, as you probably know, a very significant national security responsibility in addition to law enforcement, so it is not uncommon at all for the National Security Agency to selectively share pieces of information that it may acquire, but it does so, as Dr. Kerr pointed out, with significant hurdles about legal constraints.
Mr. BACHUS. I think you have raise d a good point. I would like to use that as my final question, and that is, you say the National Security Council, I think we all presume they are dealing with national security, but then they gain information on another subject. I mean, if it's national security, obviously, they can share it with you. But let us say it is another subject, or let us just say that we are talking about Carnivore—what is the name of it? Carnivore. Now, the examples you gave us were about espionage or terrorists, but do you say this is an antitrust investigation, would you use it in income tax evasion cases? Can it be used in, say, OSHA investigations or EPA violations? Are there any restrictions there?
Mr. KERR. It would have, of course, have to be a Federal felony to come under Electronic Communications Privacy Act, and it would have to be, in fact, one of the predicate offenses under title III to come under those authorities. So no, it is not every offense. Clearly, Internet fraud would be an appropriate target. Child pornography on the Internet would be an appropriate target. These are major programs within the FBI that——
Page 91 PREV PAGE TOP OF DOC
Mr. BACHUS. Other than e-mail, can you get into files? Do you have the ability to get into someone's files?
Mr. KERR. We have been in one—at least one case, been able to intercept using a different protocol, a file transfer protocol, but with relatively small files. We can only get at what we have the addresses for within the protocol that is being employed.
Mr. BACHUS. But once you have that and the passwords, you could actually get into maybe a mainframe or someone's database?
Mr. KERR. No. We are only authorized for what the court order says. It is not a matter of going and doing exploration or surveillance with the tool.
Mr. WATT. Will the gentleman yield for a second?
Mr. BACHUS. Yes.
Mr. WATT. Does that extend to e-mails that have already been transmitted? If you had the address, would you have the authority and/or the capacity to go in and either look at the content of a prior e-mail or look at the number or instances in which there has been communication to deliver that e-mail?
Mr. CANADY. The gentleman's time has expired.
Page 92 PREV PAGE TOP OF DOC
The gentleman will have 1 additional minute.
Mr. BACHUS. After he answers it, may I have my minute then?
Mr. KERR. Shall I try to answer Mr. Watt's question?
Mr. CANADY. Yes.
Mr. KERR. The Carnivore system basically deals with message traffic on the fly. If the messages have already been sent and received, another way we, for example, might get it would be if, for example, a search warrant were offered and we seized a computer, and we found the messages on the hard drive of that computer; or, as one of the members of the subcommittee pointed out, deletion doesn't necessarily mean deletion. We can, in fact, sometimes recover messages even though they have been thought to have been deleted, and we have a unit that does that. But they work under a more normal search warrant environment.
Mr. DIGREGORY. And under certain circumstances, stored communication held by ISPs can be obtained by search warrant as well.
Mr. BACHUS. Here is my final minute.
Mr. CANADY. The gentleman will have 1 additional minute.
Mr. BACHUS. You mentioned judicial oversight, and Dr. Kerr, you mentioned that you have the defense attorney and he is looking over our shoulders. You have the judge, he is looking over our shoulders. And obviously, if the defense attorney has the ability to do that, that is a pretty potent weapon in limiting what you do.
Page 93 PREV PAGE TOP OF DOC
But are you saying when you say that, all of these cases are ongoing criminal cases in court where there is, in fact, a defense attorney? What about a case of an investigation where there is no attorney or no active court case?
Mr. KERR. Well, I think——
Mr. BACHUS. Or can it be used——
Mr. KERR. Mr. DiGregory pointed out the provisions of title III that would lead to judicial notice to those who had been intercepted. They certainly, at that 60- or 90-day point, having been informed that their communications had been intercepted, would take a great interest, with or without their attorney. So I think that the system is oriented very well to protect their privacy and rights.
Mr. BACHUS. Are you unable to take information you gain from these investigations and pass them on to other law enforcement agencies about unrelated investigations, or is that information off limits?
Mr. CANADY. The gentleman's time—I am sorry, the gentleman's time has expired. The gentleman has had more time than anyone else. We have a limited amount of time. The members of the panel can answer a written question about other things the gentleman might want to ask, but Mr. Barr is entitled to have his time.
So Mr. Barr is recognized.
Page 94 PREV PAGE TOP OF DOC
Mr. BARR. Thank you, Mr. Chairman.
This is actually quite fascinating. The Clinton administration is fascinating. It never ceases to amaze me. For almost a year now, at the other end of this very hallway, in the Government Reform Committee, we have been having a series of hearings, the conclusion of which from the Clinton administration's standpoint is, we don't even know how to keep track of our own e-mails, and now we have a very sophisticated system for tracking other people's e-mails.
The fact of the matter is, I think they know exactly what has happened to their e-mails and they know exactly what has happened. I just think that we have two different directions for the Clinton administration. When they want to protect themselves, they have one standard. When they want to get information out of other people, they have quite a different standard.
The fact of the matter is, with all due respect, simply because there is a Privacy Act or simply because there are sanctions in title XVIII for misuse of the title III provisions does not guarantee that nobody in this or any other administration will abuse it.
So I think we really need a little bit more than simply saying that there are provisions in the code.
The problem that I have with Carnivore, several problems, but the fact of the matter is, Carnivore is not a passive system. It doesn't sit there like a basket and these e-mails just sort of drop into it. It is very much an active system, and it has to have some mechanism for scanning the information in that ISP stream in order to pull out what the court order allows you to pull out.
Page 95 PREV PAGE TOP OF DOC
Let me ask about two things, though, that are particularly problematic. As you all have testified earlier with regard to chapter 206 of title XVIII, which are all of the other provisions that we have been talking about that govern trap and trace and pen register, you are doing something very different here, and that bothers me.
With traditional trap and trace and pen registers with phone numbers, as you all have testified, you get an order; granted, the threshold is substantially lower than the title III, and we understand that; you get that from a court, a court has to grant it, there is no discretion for the court; and the telephone company, as it were, has to comply with it. They can't say, they can't just, you know, give you the high hat and say we are not going to do it, they have to comply with it. You tell them what you want and they give you what you want, and if they don't, then you can bring sanctions against them, because they are required under the statute to do that.
You are doing something very, very different here. What you are doing here is you are going to that ISP provider, which stands in the shoes of the traditional phone company when you are looking at a traditional hard number trap and trace or pen register, and you are saying, we are not satisfied with what the statute says, that you have to install this and give us the information. We don't trust you. I don't know why you—you know, what your rationale is, but you are saying what we are going to do is go outside of the law here basically, and we are going to force you to allow us to put our software into your system; you will not be able to monitor it, it is completely unsupervised; and we are then going to take it from there. Thank you very much, guys, you just give us access and we will do our thing. That is very different from the way trap and trace and pen registers work under the traditional chapter 206 scheme.
Page 96 PREV PAGE TOP OF DOC
Also, I think also there is new legal ground that you all are trying to break here and establish the precedent that I don't think is existing anywhere in Federal law or case law, and I know you are trying to make it in the Earth Link case, where you are saying you have the authority to go in and sort of harvest large quantities of information, and you will filter out what you want.
I think those are two very, very large steps that we are taking here. I don't think this has been well thought out, and that is two areas that I have concern about. Why is it not sufficient? Because we have both testimony as well as a number of articles that indicate that Internet Service Providers have indicated, and I haven't seen anybody refute it, that they can do the very same thing that Carnivore does, but do it in a much—in a way that is much more protective of the privacy of the Internet Service Provider users. And certainly, if you would go to Earth Link, for example, and say this is the information we want, the same as you would do with a phone company for a trap and trace or a pen register, they are obligated, they would be obligated to give that information to you. And if somehow you had evidence that they were not doing it, or that they were not capable of doing it, and I don't think that is the case, then you could seek sanctions against them.
Why is it in both of these areas you are trying to break new legal ground? What is it that is insufficient that you don't like about the existing statute that you are willing to operate within the bounds of it?
Mr. PAINTER. Let me answer with respect to that last point, whether or not there have been cases where the Internet Service Provider could not provide the information, and Dr. Kerr can talk about this as well. There have, in fact, been cases—and one case, without mentioning who the provider is, in fact, the Internet Service Provider was not able to provide all of the information. In that case, in fact, it wasn't just a matter of them saying well, we have to comply with the court order. They went back to the court, there was a proceeding before the court, all of these issues, including the issues about too much material being grabbed by this program or that was at least the argument that was raised with the court, and the court ordered this device be put in place.
Page 97 PREV PAGE TOP OF DOC
Mr. BARR. That was not the Earth Link case?
Mr. PAINTER. Again, since it is an ongoing case, I don't want to mention the provider.
Mr. BARR. I am asking, was that the Earth Link case because that has been reported in the newspapers. It is not like it is some great dark secret, and I think you are describing the Earth Link case.
Mr. PAINTER. The problem is because it is an under-seal proceeding, we could talk about the public facts that were argued at the hearing, but I don't want to mention the name of the provider.
Mr. BARR. I thought you said at the beginning it wasn't the Earth Link case.
Mr. PAINTER. I did not say that. I said I did not want to say.
Mr. BARR. I think it is.
Mr. PAINTER. But in fact, in that case, there was not complete information given, because only the incoming messages were trapped, but not the outgoing messages, and there was some evidence to that effect that was presented to the court in the form of affidavits, et cetera.
Page 98 PREV PAGE TOP OF DOC
Mr. BARR. That is very different from the testimony that we have had from Earth Link.
Mr. PAINTER. What I was going to say is, it is certainly the policy, as I understand it at the FBI, and the preference that if, in fact, the Internet Service Provider can provide that information and do it in a timely fashion, that is what they would prefer. It raises a sort of example.
Mr. CANADY. The gentleman's time has expired.
Without objection, the gentleman will have 3 additional minutes.
Mr. BARR. Thank you. Are you saying then in every one of the 25 cases in which Carnivore has been used, the only reason that it has been used is the Internet Service Provider has told you they cannot provide the information that you need?
Mr. PAINTER. That is my understanding, and I would defer to Dr. Kerr to also address that.
Mr. KERR. I think that that is generally the point. In fact, our favorite outcome is that if the Internet Service Provider can, in fact, provide the information to us covered by the court order, that is what we would like to do. There are some very large Internet providers not too far from here who have the entire capability to do that.
Page 99 PREV PAGE TOP OF DOC
At the same time, in some of the over 10,000 ISPs around the country, you will find some that have very limited technical capability; their capital structure is very small; they are not in a position to buy equipment and set up a capability for us that may only be used once in the entire business history of that company. In those cases where they can't perform, we are prepared to take the technical and cost risk away by bringing in our Carnivore system and employing it.
Mr. BARR. Here we go again. I guess what you are telling us is Carnivore is sort of the privacy advocate's best friend that, you know, hey, we—I mean, do you have ISPs breaking down your door and saying, please, install Carnivore? I don't think so.
Is there any specific statute or case law other than perhaps the Earth Link case which is currently pending, as I understand it, that provides authority for the government to go to a provider of electronic information, a telecommunications firm, and say give us everything you have and we will filter out what we have. That is very different from the traditional rationale underlying both title III and chapter 206; which is, the government can't go in and just harvest everything on its own and then filter it out; you tell somebody exactly what you want and that is all that you get.
Mr. DIGREGORY. In the case referred to by Mr. Painter, we successfully relied upon the pen register statute, and I know of—and I stand corrected if someone has a correction to make—and I know of no other case where an ISP has challenged our reliance on that statute.
Mr. BARR. No, but what I am saying is, is there any statute or case law other than this one case that, as I understand it, is still in litigation——
Page 100 PREV PAGE TOP OF DOC
Mr. DIGREGORY. And I am saying we have relied on the pen register statute successfully in this area and there have been no other challenges other than the one mentioned by Mr. Painter.
Mr. BARR. The Department of Justice position is that chapter 206 provides statutory and, therefore, also constitutional authority. I guess you would argue that the government has the authority, the right, to go in and harvest a large category of information far beyond simply the target, and then itself take out the targeted information?
Mr. CANADY. The gentleman's time has expired.
The gentleman will have 1 additional minute.
Mr. PAINTER. I think when you use the term ''harvest,'' you are using a term that really doesn't apply here. That is not what it is doing. It is only harvesting, it is only capturing the information specifically that you allow and that the court order has mandated.
Mr. BARR. But I mean, this is what I love about the Clinton administration, then you get into this circular argument, somewhat metaphysical. You have to have some way of going in there and finding what you are looking for. Otherwise, it is a non sequitur.
Mr. KERR. Let me, as part of the nonpolitical agency here, try to answer your question directly. What do we actually do in the Carnivore system? What we do is we first ask the ISP to bring us the smallest part of the message traffic that would contain the target messages. We then bring it to an interface where, in fact, a clone of that reduced set is made. The regular message traffic goes on, unimpeded, to the legitimate recipients of it. We then filter the cloned stream of information, and the packets that do not pass our filter because we are not allowed to record them, in fact, vanish at that point. The only thing that passes our filter are the packets with the appropriate addressing information to meet the court order. I think we have demonstrated that a number of times. In fact, we appreciated your visit some months ago when you saw it, as to how——
Page 101 PREV PAGE TOP OF DOC
Mr. BARR. When I saw what?
Mr. KERR. When you were at Quantico, some of the demonstrations we gave you were, in fact, of these capabilities.
Mr. BARR. That was years ago. That was on CALEA. That was like 4 or 5 years ago. That had nothing to do with Carnivore. I hope it didn't, because it wasn't described to me as Carnivore.
Mr. KERR. It hadn't been named yet, perhaps. But the point is that we are not scanning the full message traffic passing through an ISP. In fact, to do it effectively, we want to use the smallest subset of that. A very sophisticated, larger ISP will, in fact, give us the ultimate subset, which is the target messages, and we would have to install nothing. In some cases, we have to provide technical assistance by putting our system in the ISP in order to do that final filtering.
Mr. CANADY. The gentleman's additional time has expired.
I want to thank all of the members of this panel for your testimony. I think we have had good presentations in your testimony. The questioning period has been I think very helpful. We will have additional questions, as I indicated at the outset, and we will do our best to send those to you very soon. I would ask that you do your best to respond to us within a very short period of time after you receive the letter which we will send with the questions.
Page 102 PREV PAGE TOP OF DOC
Again, we thank you for your testimony and your assistance to the committee in this oversight responsibility.
Now we will move to our second panel. I would ask that as people are exiting the room and coming into the room that you try to be as quiet as you can, because I am going to proceed with the introduction of the members of the second panel as they are coming forward to take their seats.
The next panel will discuss privacy concerns and concerns for network security raised by the use of Carnivore. Our first witness on this panel will be Barry Steinhardt. Mr. Steinhardt is the associate director of the American Civil Liberties Union. Next we will hear from Alan Davidson, who is the staff counsel for the Center for Democracy and Technology. Following Mr. Davidson will be Tom Perrine Mr. Perrine is a principal investigator for the Pacific Institute for Computer Security and is also the manager of Security Technologies for the San Diego Supercomputer Center. Robert Corn-Revere will then testify. Mr. Corn-Revere is an attorney at Hogan & Hartson specializing in first amendment, Internet and communications law. Mr. Corn-Revere is also the coauthor of a three-volume treatise entitled ''Modern Communications Law.'' We have heard from Mr. Corn-Revere on this subject previously. Following Mr. Corn-Revere will be Matt Blaze, a research scientist at AT&T labs. Mr. Blaze specializes in the architectural aspects of security and trust and large-scale computing and communications systems. Stewart Baker, an attorney at Steptoe & Johnson, will then testify. Mr. Baker represents major telecommunications manufacturers regarding law enforcement and law enforcement Internet requirements. Mr. Baker was the general counsel of the National Security Agency from 1992 to 1994. Finally, we will hear from Peter William Sachs. Mr. Sachs owns ICONN, L.L.C., a small Internet Service Provider based in New Haven, Connecticut.
Page 103 PREV PAGE TOP OF DOC
I want to thank each of you for being with us here this afternoon. I would ask that each of you do your very best to summarize your testimony in no more than 5 minutes. Without objection, your written statements will be made a part of the permanent record of today's hearing.
Mr. Steinhardt.
STATEMENT OF BARRY STEINHARDT, ASSOCIATE DIRECTOR, AMERICAN CIVIL LIBERTIES UNION
Mr. STEINHARDT. Thank you, Mr. Chairman. I want to thank the committee for the opportunity to speak here today. I also want to thank you for so expeditiously calling this hearing. As I think the prior testimony made clear, we are dealing with an extremely important issue, and one that bears a great deal of scrutiny, more scrutiny than even this hearing will allow for.
Let me begin to put Carnivore into some context. To my knowledge, Carnivore is unprecedented in the history of domestic communication surveillance. Never before has law enforcement installed a device which accesses all of the communications of a service provider's customers, rather than only the communications of a targeted particular order. Never before has a law enforcement agency claimed that it should be granted access to all communications passing through a service provider's network based on an unsupervised promise that it will not stray beyond the confines of its authority.
Page 104 PREV PAGE TOP OF DOC
Carnivore is roughly equivalent, as a number of the members have suggested, it is roughly equivalent to a wiretap capable of accessing the conversation of all of the phone companies' customers; or, to use the analogy that was offered before when it was suggested that the ''to and from'' which the Carnivore box uses as the key to look for which messages to record, the analogy of a letter, this is the equivalent of going to the Post Office and stationing an FBI agent there, looking at the addressing information of every letter that goes through and then picking out those which it wishes to record, either the addressing information or to open up and actually look at the content.
Now, I must say I want to comment on one thing in this section, one thing that you were told about earlier this morning, and that is this audit trail that for the first time we have heard about, this audit trail which apparently we are told records at least what the filter settings are and some of the traffic information.
I think there are probably a number of things worth noting. First, apparently it was created only recently and I would suspect created only after the public disclosure and discussion of Carnivore. But secondly, I think it is worth noting about the audit trail, is that it is only of use in a very limited number of cases, and it really provides very little in the way of assurance. It is, for example, not available in cases where there is a trap and trace pen register order; who is going to look at this? They are not required to turn over even the audit trail to a judge. It is, as a number of members suggested earlier, not particularly helpful if the conversations or the addressing information that has been recorded, picked up, is of an innocent third party, not the subject of the order, not someone who is being prosecuted. They do not have a defense attorney or an opportunity to contest that.
Page 105 PREV PAGE TOP OF DOC
I think what the discussion about the audit trail suggests is that you need to look very, very carefully at all of these details. It is hard to imagine how the operation of Carnivore can be squared either with the fourth amendment or ECPA, which was adopted to implement the fourth amendment in the context of electronic surveillance. The very premise of the fourth amendment is that searches should be narrow and targeted so as to avoid the intrusion of the privacy of persons who are not engaging in a crime, or that law enforcement does not have reasonable cause to think that they are. The government is required to specify the person who is the target of the investigation, crimes under investigation, the particular systems for which the communications are to be accessed; they place on the provider of the communications medium the responsibility to separate out the communications a person is authorized to be intercepted from other communications. Law enforcement is required to minimize the interception of nonincriminating communication of a target of a wiretap order.
Carnivore is not a minimization tool, as has been suggested. Carnivore is, in fact, a maximization tool, because it is capable of giving law enforcement access to the entire stream of communications that is traveling through the service provider's networks.
Now, I think it is fair to say, and I urge you not to take the leap today to think that this is a settled question. I think it is fair to say that the Congress never contemplated or authorized a wire-tapping scheme that allowed law enforcement to access everyone's communications, that had the potential to access an unlimited number of communications, only a small fraction of which involved criminal activity, and that targeted the entire communications network rather than a particular person's communications.
Questions Mr. Barr asked are exactly the right questions. What is the statutory authorization for Carnivore? What in the statute, what in the Constitution gives law enforcement, gives the FBI the authority to insist their service provider install Carnivore? I think that is an extremely important question which is not answered by one case which we know very little about, other than the back and forth in the public and, to some extent before this committee, that we know very little about and that never went higher than one Federal magistrate.
Page 106 PREV PAGE TOP OF DOC
Now, the FBI has two responses to the concerns that have been raised by Carnivore. First, they assure us that they can be trusted to strictly adhere to the constitutional statutes. Second, they argue that they are being hamstrung by new technologies and that Carnivore is necessary to conduct successful investigations. Let me first address the ''trust-us'' argument. The FBI has a very checkered past when it comes to fidelity both to the fourth amendment and first amendment rights of Americans.
As a number of you pointed out, we all know about the wire-tapping of Martin Luther King and other leaders of the civil rights movement and the more recent cases where there has been illegal surveillance of political figures. But even if you assume for the sake of argument that the FBI officials, FBI agents are not going to engage in a bold criminal violation of law, I think you need to look at the recent history of the FBI, which tells us that the FBI cannot be expected to keep its promises on communication surveillance history. Recent history tells us that we can fully expect the FBI to push the envelope of the wall, as they have done in this case, by pushing the envelope of the trap and trace laws, for example, to claim that Carnivore is a permissible result and to eventually break out of the envelope of the law.
Let me give you some examples. I think the best example, and I detail this in the appendix to my testimony, I go through a good deal of this history, but let me give you one example. When Congress passed the Communications Assistance to Law Enforcement Act, CALEA, that was referred to earlier today, in effect, a bargain was struck. In return for requirements that new networks be constructed to preserve the then-existing capabilities for law enforcement—law enforcement—the FBI, in particular, agreed not to use the new law to force service providers to provide it with new surveillance capabilities or with greater capacity than then existed.
Page 107 PREV PAGE TOP OF DOC
Simply put, the FBI has not kept its end of the bargain. The CALEA implementation process has been characterized by an FBI power grab. As I detailed in the appendix to my testimony, the FBI has consistently sought greater capacity and newer surveillance features than existed in 1994. In some cases, it has sought capabilities that were specifically promised to the Congress that they would not seek.
Now, I will only give one example of this; others are in my testimony, but I think this example is worth speaking about. When CALEA was considered, the FBI explicitly told the Congress it would not use the new law to seek to turn cellular phones into location tracking devices. Director Freeh testified that, quote, ''There is no intent whatsoever with reference to this term,''—parenthetically, ''this term'' meant call setup information—''to acquire anything that could properly be called tracking information.''
Well, whether or not that was Director Freeh's intention in 1994, it quickly became the FBI's policy in 1995. And the FBI has fought tooth and nail, first with the cellular telephone industry that was before the Federal Communications Commission, and now in the U.S. Court of Appeals for the District of Columbia, fought tooth and nail for the proposition that CALEA, in fact, does require the cellular operators to provide it with location tracking information.
Now, on the question of the supposed new circumstances that require Carnivore, first you are going to hear testimony from the Internet Service Providers here today, and you have already heard a great deal from them in the press, that they are willing and able to provide law enforcement with the narrow, targeted set of communications to which law enforcement is entitled. They can perform the segregation of communications that is the equivalent of providing access to a dedicated line. There is no need to resort to Carnivore.
Page 108 PREV PAGE TOP OF DOC
I urge you not to simply trust on faith the suggestions of the witnesses that you heard earlier today that there have been cases in which the service providers cannot provide them with that information. Once again, we are in the position of trust us, we know how this black box works or, in this case, we know that the service providers cannot give us this information without resorting to this black box.
The only case that we know anything about in detail, and not many details, because these matters are all under seal, because these cases all come up ex parte, is Earth Link. And it is quite clear this morning, or this afternoon, rather, that the witnesses from the government were not prepared to ask you to do much more than trust us, there are cases.
Mr. CANADY. Mr. Steinhardt, you are now at 10 minutes. So if you can conclude—because let me just explain to all of the members of this panel, this subcommittee has another hearing, that is not to minimize the importance of this in any way, but we do have a hearing on a proposal that Mr. Frank has introduced which we are moving to after this. So to the extent that you can really stay close to that 5 minutes, it would be beneficial, given the size of the panel.
Mr. NADLER. Mr. Chairman, is it the intention of the Chair to adjourn this hearing and go to the next one at 4 o'clock?
Mr. CANADY. It is the intention of the Chair to hear the witnesses and to have one round of questions and then go to the next hearing.
Page 109 PREV PAGE TOP OF DOC
Mr. NADLER. Thank you.
Mr. STEINHARDT. I will stop there and allow the rest of the panel to speak then.
Mr. CANADY. Thank you, Mr. Steinhardt.
[The prepared statement of Mr. Steinhardt follows:]
PREPARED STATEMENT OF BARRY STEINHARDT, ASSOCIATE DIRECTOR, AMERICAN CIVIL LIBERTIES UNION
Chairman Canady, Ranking Member Watt and members of the Subcommittee:
I am pleased to testify before you today on behalf of the American Civil Liberties Union about the Fourth Amendment to the U.S. Constitution and the FBI's Carnivore System. The ACLU is a nationwide, nonprofit, nonpartisan organization consisting of over 275,000 members dedicated to preserving the principles of freedom set forth in the Bill of Rights. Neither the ACLU nor myself has received any funding from the federal government in the past two years.
On April 6, my colleague, ACLU Legislative Counsel Gregory Nojeim, testified before this Subcommittee on the more general subject of the Internet and the Fourth Amendment. In his testimony, Mr. Nojeim offered a detailed analysis of the myriad ways in which the new technologies threaten to undermine the values of the Fourth Amendment. He emphasized that the existing laws related to the Government's interception of our communications need to be updated to reflect the new technological developments and he offered a number of concrete proposals.
Page 110 PREV PAGE TOP OF DOC
My testimony this afternoon will focus more narrowly on the Carnivore system and on the recent proposals made by the Clinton Administration concerning electronic surveillance. I will not repeat our earlier testimony, but I will refer to a number of the relevant points that Mr. Nojeim made in April.
CARNIVORE DOES DAMAGE TO THE 4TH AMENDMENT AND ECPA
Before turning to Carnivore itself, let me try to put the current controversy in some historical context. Wiretapping and electronic surveillance (hereinafter I will generally refer to ''wiretapping'' to cover both traditional telephone tapping and newer methods of electronic surveillance) are a growing practice in this country and is already at record levels. In 1995 and 1996, for the first time in history, the federal government placed more wiretaps than all of the states combined.
In the last reporting period, the Clinton Administration conducted more wiretaps in one year than ever in history, and the number of ''roving wiretaps'' (wiretaps of any phone a target might use, without specifying a particular phone) nearly doubled.
Perhaps most ominously, more and more innocent conversations are being intercepted. According to the Government's own records, when Title III first went into effect 30 years ago, approximately 50% of all of the conversations intercepted contained what law enforcement regarded as ''incriminating'' information. In the mid to late 1990's, the percentage of ''incriminating conversations plummeted to less than 20%. In other words, more than 80% of all intercepted communications are, by the government's own standards, innocent. Last year, approximately 2 million innocent conversations were intercepted in law enforcement electronic surveillance.
Page 111 PREV PAGE TOP OF DOC
Both trends—more and more intercepts and more and more innocent conversations being intercepted—are likely to accelerate because of the advent of digital communications. The interception of ''old fashioned'' analog telephone conversations is very labor intensive and consequently costly. A law enforcement agent must actually listen to all or part of the conversation. Digital communications, especially those that are textual such as e-mail, offer law enforcement the opportunity to intercept and process much greater volumes of communications. Much of the initial evaluation and processing of the communication can be done by computers that are relatively cheap and easy to operate.
The consequence is that law enforcement will be sorely tempted to access an ever-increasing number of communications. With increased numbers and less precision in the targeting, the percentage of innocent communications accessed by law enforcement is likely to grow.
Moreover, digital files kept on computers and transferred over the Internet represent a treasure trove of information for law enforcement. The demand to search those files and intercept them in transmission is likely to grow and will further accelerate the trend of increased surveillance.
Carnivore is a dramatic example of this new digital reality and the opportunity for increased surveillance.
The Carnivore system—essentially a computer running specialized software—is attached directly to an Internet Service Provider's (ISP) network. Carnivore is attached either when law enforcement has a court order under the Electronic Communications Privacy Act (ECPA) permitting it to intercept in real time the contents of the electronic communications of a specific individual, or a trap and trace or pen register order allowing it to obtain the ''numbers'' related to communications from or to a specified target.
Page 112 PREV PAGE TOP OF DOC
But unlike the operation of a traditional pen register, trap and trace device, or wiretap of a conventional phone line, Carnivore gives the FBI access to all traffic over the ISP's network, not just the communications to or from a particular target. Carnivore, which is capable of analyzing millions of messages per second, purportedly retains only the messages of the specified target, although this process takes place without scrutiny of either the ISP or a court.
Carnivore permits access to the e-mail of every customer of an ISP and the e-mail of every person who communicates with them. Carnivore is roughly equivalent to a wiretap capable of accessing the contents of the conversations of all of the phone company's customers, with the ''assurance'' that the FBI will record only conversations of the specified target. This ''trust us, we are the Government'' approach is the antithesis of the procedures required under our wiretapping laws. Those laws authorize limited electronic surveillance of the communications of specified persons, usually conducted by means of specified communications devices. These laws reflect 4th Amendment values of limited searches aimed at particular targets when there is good cause to suspect them of criminal activity.
They place on the provider of the communications medium the responsibility to separate the communications of persons authorized to be intercepted from other communications. Law enforcement is required to ''minimize'' its interception of non-incriminating communications of a target of a wiretap order. Carnivore is not a minimization tool. Instead, Carnivore maximizes law enforcement access to the communications of non-targets.
In essence, Carnivore is a black box into which flows all of the service provider's communications traffic. The service provider knows what goes in, but it has no way of knowing what the FBI takes out.
Page 113 PREV PAGE TOP OF DOC
Indeed it is hard to imagine how the operation of Carnivore can be squared with either the 4th Amendment or ECPA, which was adopted to implement the 4th Amendment in the context of electronic surveillance. The very premise of the 4th Amendment is that searches should be narrow and targeted so as to avoid intrusion into the privacy of persons who are not suspected of engaging in crime. The 4th Amendment was adopted to protect the ''houses, papers and effects'' of Americans against the sort of general searches conducted by the British colonial powers that permitted the search of everyone and everything in their path.
In recognition of this, ECPA requires the Government to specify the person who is the target of the investigation; the crimes under investigation and the particular system from which the communications are to be accessed. I think it is fair to say that the Congress never contemplated or authorized a wiretapping scheme that accessed everyone's communications; that had the potential to access an unlimited number of communications, only a small fraction of which involved criminal activity; and that targeted an entire communications network, rather than a particular person's communications.
In his prior testimony to your subcommittee, Robert Corn-Revere described the experience of his client, an ISP later publicly identified as EarthLink, that was required to install Carnivore when presented with a trap and trace order. The particular case he described involved a trap and trace order. He detailed his client's concerns that a trap and trace order in the context of the Internet revealed information that Congress did not contemplate when it authorized their limited use.
In the traditional telephone context, those orders reveal nothing more than the numbers dialed to or from a single telephone line. In the Internet context, these orders and certainly Carnivore, likely involve ascertaining the suspect's e-mail address, as well as header information that may provide information regarding the content of the communication. He described his client's frustration at not knowing what information law enforcement was collecting and whether it was actually limited to that allowed by a trap and trace order.
Page 114 PREV PAGE TOP OF DOC
He also described his client's willingness and ability to cooperate with law enforcement and law enforcement's rejection of an offer to provide them the communications traffic authorized by the order without having to use Carnivore.
In his prior testimony and other testimony you will hear today, it is clear that the ISP community is willing and able to cooperate with law enforcement and to provide it with the targeted communications information to which it is entitled under a court order. You will hear testimony that the ISP's can give the FBI what it is entitled to without resorting to the use of Carnivore. You will also hear testimony that the ISP's fear both for their subscriber's privacy and the security of their networks. Introducing a device like Carnivore into an ISP's network creates both a potential security hole and the possibility of the sort of service degradation and interruption that Mr. Corn-Revere's client experienced.
In recognition of the multiple dangers of Carnivore and how little the public, service providers or even the Congress knows about its capabilities or operations. The ACLU has filed a Freedom of Information Act request with the FBI that asks for all documents describing Carnivore's operation, including the source code for its software. We believe that the only way to understand Carnivore's capabilities is to subject the computer code to examination by experts genuinely independent of the FBI. A carefully controlled and rehearsed demonstration by the FBI is not likely to reveal Carnivore's full capabilities and potential uses.
The FBI insists it will only record the communications to which it is entitled. The FBI asks you to take an enormous leap of faith that they will stay strictly within the confines of the law. They ask you to trust them with unsupervised access to the entire stream of communications over an ISP's network, which can amount to literally millions of innocent communications of non-targets of any interception order.
Page 115 PREV PAGE TOP OF DOC
If you accept this premise, you reject the 4th Amendment. It is built on the opposite premise: that the Executive cannot be trusted with carte blanche authority when it conducts a search.
Even if we assume that the FBI will not once again engage in spying on the First Amendment activities of Americans or other abuses of the past, recent history tells us that the FBI cannot be expected to keep its promises on communications surveillance issues. Recent history tells us that we can fully expect the FBI to push the envelope of the law and to eventually break out.
In 1994, the Congress passed the Communications Assistance to Law Enforcement Act (CALEA). CALEA was a hotly debated law. It required that the new generation of digital telephone networks be built to be surveillance-ready. At the time, law enforcement and the FBI, in particular, argued that it was necessary to preserve their existing capacity to engage in electronic communication surveillance and assured the Congress that they were only seeking to preserve the status quo and were not seeking any additional power or capacity.
In effect, a bargain was struck. In return for the requirement that the new networks be constructed to preserve then existing capabilities, the FBI and law enforcement agreed not to use the new law to force service providers to provide it with new surveillance capabilities
The FBI did not keep its end of the bargain. The CALEA implementation process, which was supposed to involve only the setting of technical standards by the industry, has been highly contentious and has been characterized by an FBI power grab. The FBI has consistently sought greater capacity and new surveillance features that did not exist in 1994. In some cases, they have sought capabilities that they specifically promised the Congress they would not seek.
Page 116 PREV PAGE TOP OF DOC
Among these have been:
1. demands that cellular telephone providers build their systems to give law enforcement location tracking abilities—despite an explicit promise by FBI Director Freeh that the FBI would not use CALEA for that purpose;
2. a demand that Internet telephony providers turn over the content of communications, even when law enforcement only has a pen register or trap and trace order; and
3. an exorbitant wiretapping capacity requirements for new network.
(Attached to my testimony as Appendix I, you will find a more detailed description of the FBI's broken promises and its elastic concept of the law).
Indeed, the whole history of the CALEA implementation process demonstrates why we should not be so quick to accept the FBI's assurances that it will strictly adhere to the Constitution and the relevant statutes. The FBI has demonstrated that it has very expansive notions of what it is entitled to intercept and when it is entitled to those intercepts. The decisions made by the FBI and its Carnivore box are for all intents and purposes secret and beyond review. Carnivore gives the FBI far too much discretion and creates far too great a risk that they will burst through the envelope of the 4th Amendment and the Congressionally imposed restraints.
THE ADMINISTRATION PROPOSALS MADE IN RESPONSE TO THE CARNIVORE CONTROVERSY
Page 117 PREV PAGE TOP OF DOC
In response to the public controversy over Carnivore, the White House has made a new set of proposals regarding ''Cyber Security.'' The Administration has not yet offered legislative language, so it is difficult to offer a definitive comment, but White House Chief of Staff John Podesta offered the broad outlines in his July 17 remarks at the National Press Club.
While the devil will be in the details that we don't yet have, I will offer some general comments on the proposals. But first let me emphasize that the Podesta proposals are not an adequate response to the issues raised by Carnivore.
Carnivore is an unprecedented system. Never before has law enforcement installed a device, which accesses all the communications of a service provider's customers, rather than only the communications of the target. Never before has a law enforcement agency claimed that it should be granted access to all communications passing through a service provider's network based on an unsupervised promise that it will not stray beyond the confines of its authority.
The Administration's proposals simply do not address those issues. Slightly enhancing the standards for issuing pen register or ECPA orders for content does not address the issue of dragnet searches through an ISP's network. The Administration certainly does not address these problems by proposing to create the authority for nationwide pen register or trap and trace orders.
The problem with Carnivore is not limited to the standard for issuing the orders. It is the operation of a device that can trawl through millions of communications that are wholly unrelated to the target of the order.
Page 118 PREV PAGE TOP OF DOC
Now, let me turn to the proposals, as we understand them. In summary, these proposals offer a few modest steps forward to protect privacy, at least two large steps backward, and miss many opportunities to address the most significant deficiencies in the current law.
Mr. Podesta announced that the Administration would support legislation to require that the same standards that apply to the real time interception of the content of telephone calls (''Title III Standards'') also apply to the real time interception of electronic mail.
Mr. Nojeim made a similar proposal in his April testimony to the Subcommittee. He noted that ECPA has a number of shortcomings that need to be addressed and that in general, it is not as protective of e-mail and other electronic communications as Title III is of voice communications. For example, with regard to real time interception, only a high-ranking DOJ official can authorize an application for a wiretap order. ''Any attorney for the Government'' may authorize an application for an order to intercept e-mail and other electronic communications.
Wiretaps can be issued only upon a showing of probable cause that one of a list of enumerated offenses has been committed; e-mail and other electronic communications can be intercepted with a court order based on probable cause issued in connection with any federal felony. Finally, the statutory exclusionary rule that encourages law enforcement to comply with the proper procedures for electronic surveillance applies only to wiretaps and bugs, not to interception of e-mail and other electronic communications.
Page 119 PREV PAGE TOP OF DOC
But Mr. Podesta's suggestion does not go far enough because it does not address the far more significant differences between the rules for the real time interception and law enforcement access to electronic communications that are in ''storage.''
Once in storage, law enforcement access is obtained far more easily under federal law. A search warrant based on probable cause issued by a federal magistrate (as opposed to a court order with the protections mentioned above) is all that is required to access e-mail in storage for less than 180 days. 18 U.S.C. 2703(a). In other words, by waiting an instant until the message is delivered and ''stored,'' the requirement of a court order with continuing judicial oversight, the statutory requirement for minimization procedures, the substantial fines and prison time for violating the statute, and the requirement that the communication be eavesdropped upon only as an investigative technique of last resort, are all avoided.
Importantly, once the e-mail has been stored with the provider for over 180 days, it can be made available to law enforcement acting with only an administrative subpoena and delayed notice to the customer, or with a warrant without notice. 18 U.S.C. 2703(b). Most importantly, such e-mail can be obtained by law enforcement acting with a court order issued based upon a showing of only ''specific and articulable facts showing that there are reasonable grounds to believe'' that the contents of the communication are ''relevant'' to an ongoing investigation. ''Relevance'' is a far lower threshold for a search than is ''probable cause.'' In effect, the privacy of the contents of an e-mail message or other electronic communication diminishes just because a service provider retained the message an inordinately long time.
The Administration's proposals would be genuinely meaningful if they applied to stored e-mail the same protections which Title III applies to the interception of telephonic communications. Only by adopting this approach would e-mail truly enjoy the same legal protections as voice communications—the goal the Administration claims it would like to achieve.
Page 120 PREV PAGE TOP OF DOC
Moreover, this approach makes intuitive sense for two reasons. First, e-mail should be protected like voice communications because it is a spontaneous communication. People write in e-mail messages in the same way they speak: spontaneously. Second, the e-mail that a person receives that the person regards as most important is the e-mail that the person saves for the longest time. Ironically, that is the e-mail entitled to the least protection under the current statutory scheme.
The Administration has made two proposals with regard to pen register and trap and trace orders. First, Mr. Podesta reaffirmed the Administration's long standing proposal for nationwide orders.
The Department of Justice has previously asked that judges be given authority to issue such orders with nationwide coverage. DOJ argues that to track computer intrusions over the Internet, law enforcement officials must often seek multiple orders because electronic communications jump from computer to computer and jurisdiction to jurisdiction. However, the DOJ's request extends not only to electronic communications, but also to any communications transmitted by telephone, which do not jump from computer to computer.
We urge you to reject this request because: (i) the standard for issuing a pen register or trap and trace order must first be strengthened substantially; (ii) steps must be taken to ensure that forum-shopping for a sympathetic judge is precluded; and (iii) it is unclear exactly what information the Government is currently obtaining with the low evidentiary standard for pen registers and trap and trace devices.
Page 121 PREV PAGE TOP OF DOC
The trap and trace/pen register law is, at best, a very poor fit for the Internet. The statute currently authorizes the interception of only numbers dialed to and from a telephone. On the Internet, the only times numbers are literally ''dialed'' by a telephone is when a user connects to an ISP using a dial up modem—a method of connection that is rapidly becoming less common. Plainly, the existing laws were not drafted with the Internet in mind.
At your April hearing, the Chairman asked Mr. Green of the Justice Department whether law enforcement was currently receiving email addresses using a pen register or trap and trace order. He replied that law enforcement regularly obtains e-mail addresses with only such orders by arguing in an ex parte proceeding ''by analogy'' to the pen register statute. This position—that ''letters'' are ''numbers''—cannot be squared with the statute, and raises further questions about just what information can be obtained with a pen register or a trap and trace order.
In the context of the Internet, e-mail addresses can convey far more meaning—content—than a telephone number. To begin with, as several of your witnesses in April pointed out, e-mail addresses are personal to an individual while telephone lines may be used by multiple persons. More significantly, depending on the circumstances of their capture, e-mail address can tell law enforcement a good deal about the content of the communication.
For example, forcing a web site to reveal the e-mail addresses of all of its visitors or those who accessed a particular file reveals the nature of those visitors specific interests.
Beyond e-mail addresses, there are unanswered questions about whether pen register and trap trace orders are being or can be used to obtain other sensitive information. For example, can they be used to collect the URL's (the web addresses) of sites that a target visited, the names of files that are transmitted, subject headers of email, or other transaction logs of Internet activity.
Page 122 PREV PAGE TOP OF DOC
One of the real dangers of Carnivore is that it is perfectly capable of collecting such information in a surreptitious way and there is no practical check on the FBI's discretion.
In its second proposal about pen registers and trap and trace devices, the Administration suggested that judges and magistrates be given greater authority to review requests for pen registers and trap devices. Under current law, the judiciary must simply rubber stamp such requests if law enforcement certifies that they are sought as part of ongoing criminal investigation. This is a potentially useful change, although it will only be meaningful if the standard for issuing an order is itself meaningful. Mr. Podesta did not address the question of what standard should apply.
We would suggest that the judiciary must be given the authority to make an independent judgement that these orders are based on reasonable cause to believe that the target of the order has or is about to commit a crime. Under the Administration's proposal, a judge would issue a pen register or a trap and trace order upon finding that the information to be obtained is likely ''relevant'' to an ongoing investigation. However, the Attorney General Guidelines on General Crimes, Racketeering Enterprise and Domestic Security/Terrorism Investigations do not permit the FBI to open an investigation in the first place unless there is a reasonable indication of criminality. If the judge is truly to have a meaningful role, the judge should ask not merely whether information is ''relevant'' to an ongoing investigation, but whether there is a reasonable indication of criminality in the first place.
Of equal importance, in no event should law enforcement be allowed to use trap and trace orders served on ISPs to obtain data which reveals the content of the communication.
Page 123 PREV PAGE TOP OF DOC
In sum, ECPA should be amended:
1. to require that trap and trace/pen register orders should only be issued on the basis of an independent finding by a judicial officer that there is reasonable cause to believe that the target of the order has or is about to commit a crime;
2. to provide that consumers receive notice whenever the government obtains information about their Internet transactions;
3. to require specific statistical reports for pen register/trap orders for Internet communications, similar to the reports required under Title III, and
4. explicitly provide that Internet queries, e-mail subject lines, URL's of sites visited and other information which provides more than the equivalent of a dialed number, such an IP number are content, which cannot be disclosed without a probable cause order.
Congress should not even consider allowing nationwide pen register or trap and trace orders until those reforms are enacted and tested in the real world.
Finally, Mr. Podesta discussed the issue of the interception of electronic communications made using a cable modem. He suggested that such communications be subject to interception under the same circumstances as applies to the wiretapping of telephones or the real time interception of e-mail.
Page 124 PREV PAGE TOP OF DOC
The Cable Act provides that law enforcement may only get access to subscriber records under a process that involves prior notice to the subject. Title III and ECPA do not provide prior notice or an opportunity to contest for the target of the wiretap. In other words, the Cable Act, assuming that it rather than ECPA governs the interception of electronic communications by law enforcement, provides the subscriber with more protection. This is a proposed roll back of rights that Congress should reject. If Congress acts on this proposal to harmonize the standards, it would do well to harmonize them at the more protective level.
ECPA does need to be strengthened as we have suggested. The standards for interception of all e-mail and other electronic communications, including stored communications, need to be brought up to at least the standards of Title III. Far more exacting scrutiny needs to be made of requests for pen register and trap and trace orders. The trap and trace law needs to be clarified so that such orders served on ISPs do not de facto authorize the surveillance of content.
Perhaps even more pressing is the need for the Congress to send a clear message about systems like Carnivore. The Congress should amend ECPA to clarify its intent to ensure that under no circumstances may law enforcement require an Internet Service Provider to provide the Government with access to subscriber communications that do not involve the target of an order.
APPENDIX I
THE LESSONS TO BE LEARNED FROM THE IMPLEMENTATION OF THE COMMUNICATIONS ASSITANCE TO LAW ENFORCEMENT ACT
Page 125 PREV PAGE TOP OF DOC
In 1994, the Congress passed the Communications Assistance to Law Enforcement Act (CALEA). It required that the new generation of digital telephone networks be built to be surveillance-ready. At the time, law enforcement and the FBI, in particular, argued that it was necessary to preserve their existing capacity to engage in electronic communication surveillance and assured the Congress that they were only seeking to preserve the status quo and were not seeking any additional power or capacity.
The legislative history of CALEA makes clear that the Act was intended ''to balance three key policies: (1) to preserve a narrowly focused capability for law enforcement agencies to carry out properly authorized intercepts; (2) to protect privacy in the face of increasingly powerful and personally revealing technologies; and (3) to avoid impeding the development of new communications services and technologies.'' H.R. Rep. No. 103–827, 103d Cong., 2d Sess., pt. 1, at 13 (1994).
Based on the legislative history, it is fair to say that the FBI made a bargain with the Congress that they would not use the implementation process to require telephone service providers to build in new surveillance capabilities and that it would respect the privacy of Americans.
The FBI did not keep its end of the bargain. The CALEA implementation process, which was supposed to involve only the setting of technical standards by the industry, has been highly contentious. The FBI has consistently sought greater capacity and surveillance features that did not exist in 1994. In some cases, they have sought capabilities that they specifically promised the Congress they would not seek.
Page 126 PREV PAGE TOP OF DOC
Many important issues are now before the Federal Circuit Court of Appeal for the District of Columbia, where the telephone industry and the privacy community have united to contest the FBI's overreaching.
The material below details four important examples of FBI overreaching.
1. The Demand for Cellular Telephone Location Tracking
A prime example of the FBI's broken promises involves the use of cellular telephones as location tracking devices. Cellular networks have the capability of identifying the physical location of a caller, within a reasonably small range. The Congress recognized that this raised difficult Constitutional and privacy issues and sought the assurance of the FBI that CALEA would not to be used to force the cellular providers to provide law enforcement with location information.
Director Freeh willingly gave that assurance. He testified as follows:
''[Call setup information] does not include any information which might disclose the general location of a mobile facility or service, beyond that associated with the area code or exchange of the facility or service. There is no intent whatsoever, with reference to this term, to acquire anything that could properly be called 'tracking' information.'' Joint Hearings on H.R. 4922 and S. 2375, 103d Cong. 29 (1994). (Emphasis added).
Despite that on-the-record promise to the Congress, the FBI has fought tooth and nail to include complete location tracking information in the CALEA requirements and we have now been forced to take the issue to the courts.
Page 127 PREV PAGE TOP OF DOC
2. Accessing the Content of Voice Over the Internet With Only a Pen Register or Trap and Trace Order
Another important example from the CALEA implementation process—one that foreshadowed many of the issues relating to Carnivore—involves the issue of telephone calls made using the Internet protocol (IP) and the issue of packet switching. In this instance, the FBI has sought to turn the existing wiretap laws on their head and demand delivery of the content of a call, even when they only have a pen register or trap and trace order for call identifying or addressing information.
Traditional telephone calls are made using a single dedicated circuit. The content of the call and call identifying information, e.g. the number dialed, can be easily separated. The telephone companies can easily deliver the content and call identifying information separately.
So for example, when law enforcement only has a pen register or trap and trace order entitling it to ''dialed numbers,'' the provider can give that information to law enforcement without disclosing any of the content of the call. Call content, of course, requires a Title III order.
Title III itself is based on the 4th Amendment requirement of a warrant issued by a court based on a showing of probable cause of criminal activity. Such warrants are issued on a relatively high standard.
Page 128 PREV PAGE TOP OF DOC
In contrast to traditional voice telephony, communications made over the Internet are split into ''packets'', which may travel a separate path and then are reassembled at the end of their journey. Even with voice calls made using the Internet protocol (''voice over IP''), the packets contain both addressing information and content. As a practical matter, the provider cannot separate the content from the addressing information.
The FBI's solution to this problem has been to insist that they be provided with the entire set of packets, even when they only have a pen register or trap and trace order. Once again they ask us to trust them—in this case to only examine the addressing information and to discard the content. That issue is now before the Court of Appeals and we have every confidence that the Court will not allow the FBI to get content without a Constitutionally mandated Title III order.
3. Demanding Excessive Capacity
Since law enforcement surveillance activity obviously varies from region to region, CALEA requires the FBI to issue notice of its capacity requirements for each geographic area, so that carriers know how much capacity to install. In October 1995, the FBI issued its first proposed capacity notice. On its face, it seemed to require companies in major cities to install a surveillance capacity that would allow simultaneous monitoring of up to 1% of customer lines in service. This proposal was roundly criticized as excessive and the FBI withdrew it.
In January 1997, the FBI issued a second notice, using a new methodology based on past activity. However, this second notice was also deficient in three ways:
Page 129 PREV PAGE TOP OF DOC
The FBI exaggerated law enforcement's past experience. The Bureau collected data, consisting of combined federal, state and local law enforcement surveillance activity for each county or service area nationwide, between 1993 and 1995. From this data, the FBI determined the 24-hour peak of surveillance activity for each switch, over the course of the 26 month survey period. From switch to switch, these peaks did not occur on the same day, but the FBI added them together to obtain a hypothetical county-wide ''peak,'' which the notice requires companies to meet as if the surveillances occurred all on the same day.
The second notice and some of the FBI's informal comments about it have seemed to imply that each and every carrier serving a particular area would have to install capacity sufficient to meet the total surveillance needs for that region, even if the carrier only served a portion of the customers in the area. Even broader interpretations of the notice, which the FBI has been forced to informally disavow would require carriers to install in each switch a capacity sufficient to meet the requirements projected for an entire county or multi-county service area. Under either of these interpretations, the requirements of the second notice would require industry to install capacity unrelated to historical surveillance activity, costing taxpayers many millions of dollars in unnecessary reimbursement.
The second notice draws no distinction between the capacity required to intercept call content and the capacity required to access dialed number information, even though CALEA requires a distinction between interceptions of call content and interceptions of call-identifying information through pen registers or trap and trace devices. The FBI indicates that 90% of all surveillances involve access only to dialed number information, not call content. The distinction is important for privacy because the capacity to intercept call content is more intrusive (and may be more expensive) than the capacity to intercept call-identifying information. Congress wanted companies to use technology that limited the amount of information provided to law enforcement under pen register and trap and trace authority. The second notice ignores that intent.
Page 130 PREV PAGE TOP OF DOC
Demanding Access to Digits Dialed After a Call is Connected
Callers using current telephone technology such as voice mail often enter additional touch-tone digits after having ''dialed'' to make the connection to the original called party. For example, many people access banking information by phone using their touch tone key pad. The FBI has been insisting that carriers provide to a law enforcement agency with only a pen register order not only the original call-identifying digits but also all non-call-identifying digits subsequently entered. This requirement is unlawful because it violates CALEA's instructions and violates Title III. It sacrifices privacy to expand law enforcement authority by requiring easy access to so-called ''post-cut-through dialed digits'' without regard to whether the digits are part of a call's contents.
Conclusion
The CALEA implementation process has been dominated by the FBI's pattern of making claims that go beyond the boundaries of the law and their exploitation of new technology to garner more communications information under lesser standards.
Indeed, the whole history of the CALEA implementation process demonstrates why we should not be so quick to accept the FBI's assurances that it will strictly adhere to the Constitution and the relevant statutes. The FBI has demonstrated that it has very expansive notions of what it is entitled to intercept and when it is entitled to those intercepts. The decisions made by the FBI and its Carnivore box are for all, and intents and purposes are secret and beyond review. Carnivore gives the FBI far too much discretion and creates far too great a risk that they will burst through the envelope of the 4th Amendment and the Congressionally imposed restraints.
Page 131 PREV PAGE TOP OF DOC
Mr. CANADY. Mr. Davidson.
STATEMENT OF ALAN DAVIDSON, STAFF COUNSEL, THE CENTER FOR DEMOCRACY AND TECHNOLOGY
Mr. DAVIDSON. Mr. Chairman, I would like to thank the committee for holding this hearing, and commend you for your continued thoughtful exploration of the fourth amendment in cyberspace, a very important issue today.
CDT is a civil liberties group and we are concerned about Carnivore for at least two reasons: first, because Carnivore itself as it is implemented is very problematic; and second, because Carnivore raises broader issues about the need for greater privacy protections in our increasingly outdated statutory and constitutional framework that governs our surveillance and privacy laws.
Just to start with first the questions about Carnivore, I think the threshold question for Carnivore is that Carnivore has access to much more information than it is legally entitled to collect. How do we know that we can trust Carnivore? How do we know what kind of leash has been put on Carnivore?
I would like to, with the committee's indulgence, try to give the committee a sense of a little bit about what we are talking about with packets here. I have a couple of slides that I would like to put up quickly. Let me just give a couple of disclaimers. These are captures of actual real packets and for those who did not bring their opera glasses, they should be in your packets. For the folks in the audience, these are the last three pages in my testimony. These are examples of real packets that have been captured from CDT's network with a very crude tool. It is a tool that may not look like anything that Carnivore looks like, but I thought it would be helpful to the committee to at least get a sense of what we are talking about that it looks like and how hard it is to do some of the things that Carnivore says it is doing and how hard it is to trust Carnivore.
Page 132 PREV PAGE TOP OF DOC
To start with, this first packet is a sample e-mail message, actually a real e-mail message that I sent to Paul Taylor, subcommittee counsel, on Friday, and was captured off of our network. What is interesting, this is what never happens to a packet; it kind of breaks it up into different pieces that can be understood. There are really sort of two chunks to this information. The first chunk is the stuff at the top which a lot of people call the header information, which contains a lot of the addressing information and the description of the packet. The second half of it is what I call the data part or the payload of the packet, and that includes the data, the text, the content, if you will, of what we are talking about.
In the context of this message, there is actually a very simple answer. If we are talking about a pen register, we want to know the tos and froms, the origins and destinations, the numbers, if we are going to extrapolate pen registers on to the Internet. There is actually a very simple answer at the top here about where this packet is coming from and where it is going to. The first address, which is the yellow address, 207226 which happens to translate into the computer as CDT, which I was using, and the destination address which is in red there, the 216 address which happens to be CDT's mail server. That, if you just took it on its face, would be the very simple header information, the numbers of the address that it is coming from and the address that it is going to.
When we are hearing about Carnivore, actually Carnivore is trying to do something a little more subtle, trying to get more information. The problem is this is kind of difficult on the Internet, because origin and destination is very context-dependent, it depends on where are you on the network and what level of the protocol, what you are trying to do, where you are looking within the packet. So in this case, it is an e-mail message and you can see the content of the e-mail message includes the line, To Paul Taylor from Alan Davidson. That is the to-and-from information that the FBI is seeking to get.
Page 133 PREV PAGE TOP OF DOC
So what Carnivore really needs to do is dig into the content of this packet, analyze it, and ferret out this to-and-from information, which is what the FBI says that they want to get. I raise that just because to think that this is a simple thing, to think that this is just information that is sitting on top that you can just pull off, it is a very subtle thing, it is a very difficult thing and requires a lot of analysis.
Let us just skip real quick to the second example. This is an example of Chairman Canady's Website. A similar situation. There is a to-and-from IP address at the top, but to actually get a look at what site I am visiting, what is the destination of this traffic, you have to look into the content of the packet; in this case www.house.gov is the server, the host, and Canady p74 is the actual page that I was looking at at the time.
Now, it is reassuring that the FBI says that they are not interested, that Carnivore right now does not actually seek out URLs, the Websites that people are visiting. But if one is going to extrapolate this notion of numbers dialed into something that lets you get the origin and destination of Internet communications, it seems reasonable that this is the next thing they are going to look for, and that becomes even more problematic. If we can go to the third slide very quickly—and I know I am running out of time.
This is a copy of a Web packet, this is a Web search that we did, a look at Barnes&Noble.com's Website. I did a search for a book, this happened to be a book on prostate cancer, if for no other reason, of personal interest, someone in my family, and I just wanted to show you what the URL looks like for this. If the FBI continues its extrapolation and said we just want to capture the URL, not again the source and destination IP address at the top, but the URL of the Website destination that I am visiting, they get a lot of information. They get this host in purple which is shop.barnes&Noble.com, they also get the page that I am looking at, which is a book search that is for prostate and cancer. You could imagine, this could be—I could be looking for all sorts of things. I could be looking for sites about religious topics or political topics or social topics, and all of this gets listed in this pen register for the Internet.
Page 134 PREV PAGE TOP OF DOC
So I realize I have gone over my time already here, but I think the point that I would like to try to make is that some of these things, these rules that we have come up with like pen registers, we came up with in an old context, the telephone context, for example. The idea that digits dialed was something that wasn't as sensitive was what drove Congress to create this extremely low standard for access.
I think Congressman Nadler was really on to something when he questioned what the standards are. There is a very big difference between a relevant standard and a probable cause standard in the pen register context. I think there is a greater—so when we talk about Carnivore, we have a lot of concerns about how it is being used.
I would just summarize to say we are concerned about the fact that it needs to be opened up for the world to see. There needs to be a open-source methodology used here so that we know exactly which pieces of the packet Carnivore is looking at and how it is doing its searches.
Second of all, we think that there ought to be a bit more control in the hands of the ISP. They are the best people in the position to do this balancing test.
Finally, I think all of this points to the need for Congress to revisit some of these basic protections. The question of whether or not the pen register should be applied to the Internet is just the tip of the iceberg. The home has exploded, there is all sorts of information that used to be kept in a desk drawer that is now being kept out on the network. The law does not protect that information well. We need to revisit this.
Page 135 PREV PAGE TOP OF DOC
The White House has taken a good first step. We are looking forward to working with everybody. That step doesn't quite go far enough, but we really want to work with folks to try to improve the privacy protections here. Thank you very much for your indulgence.
[The prepared statement of Mr. Davidson follows:]
PREPARED STATEMENT OF ALAN DAVIDSON, STAFF COUNSEL, THE CENTER FOR DEMOCRACY AND TECHNOLOGY
SUMMARY
Mr. Chairman and Subcommittee Members, thank you for calling this hearing and giving CDT the opportunity to testify on the FBI's ''Carnivore'' initiative and its implications for the Fourth Amendment. Carnivore is the latest in a series of wake-up calls about the future of personal privacy online. The deployment of Carnivore itself creates new threats to the privacy and security of Internet communications. More fundamentally, Carnivore raises broad issues about the need for greater privacy protections in the outdated statutory and constitutional framework that today governs surveillance and privacy online.
Among the specific points I would like to make about Carnivore:
Carnivore has access to much more information than it is legally entitled to collect. Yet there is little understanding of how monitoring is limited, and little chance for oversight. Such a situation is ripe for mistake or misuse. As a start, Carnivore should embrace an open source model allowing public scrutiny of its operations and design.
Page 136 PREV PAGE TOP OF DOC
ISPs should control their own networks. Installing a closed Carnivore system outside of Internet Service Provider (ISP) control introduces new risks. And ISPs are in the best position to respond to law enforcement request while protecting user privacy.
Carnivore's application of pen registers to the Internet raises privacy concerns. Pen registers are much more revealing on the Internet than on a telephone. Their use online should be limited, and the low legal standard authorizing their use should be raised.
More broadly, Carnivore shows how our traditional conceptions of wiretapping and the Fourth Amendment, developed in an era of central-switch telephone networks, do not neatly translate onto the packetized, decentralized Internet. For example, ''wiretapping'' the Internet may provide government with access to vast streams of information, requiring greater oversight and protection. Pen register orders applied to the Internet reveal far more than the ''numbers dialed'' they once provided for telephones.
In the future, access to a person's electronic data will likely provide a more complete window into their actions, relationships, and thoughts than any previous form of surveillance. The Internet is exploding the home. Sensitive papers and possessions once kept in a desk drawer are now finding their way out onto network servers, where they lack the Fourth Amendment protections given to items at home.
Our electronic surveillance laws, last reworked in 1986, are rapidly falling behind this changing world. Revisions to those laws are needed to provide heightened protections and staunch the growing erosion of personal privacy in the digital age. At the same time, the desire to translate every current offline surveillance capability into the online world—regardless of consequences—should not be allowed to create a new technical surveillance architecture with huge privacy and security risks.
Page 137 PREV PAGE TOP OF DOC
The Center for Democracy and Technology is a non-profit, public interest organization dedicated to promoting civil liberties and democratic values on the Internet. Our core goals include ensuring that the Constitution's protections extend to the Internet and other new media. CDT also coordinates the Digital Privacy and Security Working Group (DPSWG), a forum for more than 50 computer, communications, and public interest organizations, companies, and associations working on information privacy and security issue.
1. CONTEXT: PRIVACY AND SURVEILLANCE ONLINE
The Internet is at once a new communications medium and a new locus for social organization on a global basis. Because of its decentralized, open, and interactive nature, the Internet holds out unprecedented promise to promote expression, spur economic opportunity, and reinvigorate civic discourse. Individuals and groups can create new communities for discussion and debate, grassroots activism and social organization, artistic expression and consumer protection. The Internet has become a necessity in most workplaces and a fixture in most schools and libraries. According to a December 1999 Harris poll, 56% of American adults are online, 6 times higher than 4 years ago.
Every day, Americans use the Internet to access and transfer vast amounts of private data. Financial statements, medical records, and information about children—once kept securely in a home or office—now travel through the network. Electronic mail, online publishing and shopping habits, business transactions and Web surfing profiles can reveal detailed blueprints of people's lives. And as more and more of our lives are conducted online and more and more personal information is transmitted and stored electronically, the result has been a massive increase in the amount of sensitive data available to government investigators.
Page 138 PREV PAGE TOP OF DOC
While the Justice Department frequently emphasizes the ways in which digital technologies pose new challenges to law enforcement, the fact is that the digital revolution has been a boon to government surveillance and information collection as well. The FBI estimates that over the next decade, given planned improvements in the digital collection and analysis of communications, the number of wiretaps will increase 300 percent. Computer files are a rich source of evidence: In a single case last year, the FBI seized enough computer evidence to nearly fill the Library of Congress twice. As most people sense with growing unease, everywhere we go on the Internet we leave digital fingerprints, which can be tracked by marketers and government agencies alike. The FBI in its budget request for FY 2001 seeks additional funds to ''data mine'' these public and private sources of digital information for their intelligence value.
So while the changing electronic landscape has made some of law enforcement's traditional functions more difficult, it has also provided tremendous new opportunities for data collection. It is in this context that the FBI's Carnivore initiative must be viewed.
2. PRIVACY CONCERNS RAISED BY ''CARNIVORE''
Recent press reports, along with testimony before this Subcommittee in April, have revealed the existence of the new FBI wiretapping device known as ''Carnivore.'' Not much is known about this device, which appears to have been developed with little or no public oversight. What is known raises serious questions about the application of electronic surveillance laws and the Fourth Amendment on the Internet.
Page 139 PREV PAGE TOP OF DOC
Carnivore reportedly serves at least two functions. Installed on the network of an ISP, it monitors communications on the network and records messages sent or received by a targeted user. This is presumably designed to respond to an electronic ''wiretap'' order served on an ISP. Because of the intrusive nature of wiretaps, a high legal standard must be met for their issuance, requiring a showing of probable cause and strict judicial oversight.
Carnivore can reportedly also provide the origin and destination of all communications to and from a particular ISP customer. This is presumably designed to satisfy what law enforcement claims is the Internet equivalent of ''pen register'' and ''trap and trace'' orders, which in the telephone context provide digits dialed and incoming phone numbers. (Note that there are fundamental questions about whether and how pen register and trap and trace orders apply in the Internet context, addressed below.) Since the digits dialed in a phone call are less revealing than the contents of communication, pen registers and trap and trace orders have traditionally been authorized under a significantly lower legal standard. Each year the government executes many more pen registers than wiretaps.
Both the ''Internet wire tap'' and ''Internet pen register'' functions of Carnivore raise important privacy and security concerns.
A. Carnivore Has Access to More Data Than it is Legally Entitled to Collect
According to published accounts, Carnivore operates by monitoring all traffic on the network link where it is installed. In theory, Carnivore examines traffic and only stores data appropriate to the order under which it operates—i.e., data relating to the target of an order, or even narrower information pertaining to pen register or trap and trace orders.
Page 140 PREV PAGE TOP OF DOC
Does Carnivore only reveal the information that is legally entitled under a particular wiretap or pen register order? Since Carnivore operates openly on a network link, it has the potential to capture the traffic of customers who are not the subjects of an order. It also has the potential to capture the content of communications even when a pen register order would limit collection to addressing information.
Isolating network traffic can be technically difficult, and it is not at all clear how the Carnivore device operates. For example, Internet Protocol (IP) addresses may be used to identify the communications of a target. But in many systems such addresses are dynamically allocated and changed over time, making it quite possible to either miss communications or monitor the wrong user. Moreover, identifying the source or destination of an email message or a web site query might require a detailed examination of the contents of a data packet. It is not clear that such an analysis is permitted under a narrow pen register order.
Such a system—with easy access to unauthorized data and no current potential for oversight—creates tremendous potential for misuse. Without a detailed understanding of Carnivore's operations, it is easy to believe Carnivore could be exceeding the legal authority of a particular order—quite possibly by mistake or error.
The technical community has developed a method to improve trust in complex systems: open source review. Review of the source code and design specifications by a community of experts might reveal mistakes, bugs, or security holes unknown to the FBI. Such mistakes are quite common in the design of complex technical systems. More importantly, open source review of Carnivore's hardware, software, and technical design is essential to improving public understanding of what Carnivore does and does not do. And it is essential to ensuring that Carnivore does not exceed its legal authority.
Page 141 PREV PAGE TOP OF DOC
Some will likely argue that revealing source code will compromise the effectiveness of Carnivore. If true, one must question the general security and usefulness of a system that can be so easily circumvented by anyone with knowledge of its operation.
B. Carnivore is not Controlled by ISPs
Even with open review of Carnivore's system, installation of a ''black box'' out of an ISPs control creates new privacy and security risks.
Is Carnivore itself a secure system? Can it be compromised? Does it provide secure audit trails, and is it tamper resistant? Without a fuller understanding of how Carnivore works, it is difficult to answer these questions. But the risks are high: If Carnivore, an eavesdropping device with access to a vast stream of traffic independent of any ISP control, were itself somehow compromised, the damage could be tremendous.
Even with a more complete understanding of its operations, the parameters for how Carnivore is used once installed are likely to be extremely important. Such parameters could control who the targets are, how they are identified, and what information is collected about them. With Carnivore ISPs appear to have no control over how the system operates. Such a system again provides no checks on its use, and is an invitation for misuse or mistake.
ISPs themselves are in the best position to comply with lawful orders for electronic surveillance. ISPs have a dual duty, to both produce information for law enforcement and to protect the privacy of their customers by only revealing such information where required by lawful order. Moreover, ISPs are in the best position to understand their own networks and the most effective ways of complying with lawful orders. They are also in the best position to understand potential implications or threats from installation of a Carnivore device.
Page 142 PREV PAGE TOP OF DOC
C. Pen Registers do not Translate Neatly Onto the Internet
Carnivore's apparent attempt to extend ''pen registers'' and ''trap and trace'' orders for telephone surveillance into the Internet is not a simple matter. Capturing Internet origin and destination addresses instead of ''numbers dialed'' could create a much more intrusive form of surveillance that is not clearly supported by law, and is not justified given the current low standard for authorization.
The Electronic Communications Privacy Act of 1986 (ECPA) adopted the pen register and trap and trace statute, 18 USC §3121 et seq., governing real-time interception of ''the numbers dialed or otherwise transmitted on a telephone line.'' (A pen register collects the ''electronic or other impulses'' that identify ''the numbers dialed'' for outgoing calls and a trap and trace device collects ''the originating number'' for incoming calls. While the functions provided by these devices are different, for simplicity I refer mainly to pen register orders; analogous arguments hold for trap and trace orders.) To obtain such an order, the government need merely certify that ''the information likely to be obtained is relevant to an ongoing criminal investigation.'' 18 USC §3122–23.
Extending the use of pen registers in new telephone devices and services—such as pagers, or numbers dialed after a call is completed—has been the subject of great debate.(see footnote 1) But Carnivore is indicative of a whole new and problematic expansion of the pen register to the Internet.
Page 143 PREV PAGE TOP OF DOC
The origin and destination of a particular Internet message are not easily defined. In the packet-switched Internet, the literal ''destination'' of an intercepted message is often an end-point of the link on which it is observed. Origin or destination depends on what layer of the Internet protocol stack one looks at. For a single email packet, the destination could be viewed as the header Ethernet address it is being sent to on a local network; the IP address of an ISPs mail server (also in the packet header); the To: line of an email message buried within the packet's body; or even other routing information within the email message (''Give this message to Harry,'' or instructions for a remailer). Finding the addressee of an email or the name of a web site being visited—if that is what law enforcement is seeking—will often require analysis of the content of packets, not just the header information.
For example, attached in Example 1 is a sample IP packet captured from CDT's network on its way to our ISP. The packet is an email message from me to Paul Taylor, a member of the Committee staff. The header of the message shows the IP addresses of the packet's origin (a computer at CDT) and destination (our ISP's mail server, which will next send the packet to the House mail server). To find out whom the email inside the packet is addressed to, one would need to read and analyze the contents of the packet. Example 2 shows a similar example for a visit to Chairman Canady's web page; finding the ''destination'' Uniform Resource Locator, or URL (the web site address, like http://www.cdt.org/), would require looking in the body of the packet. We have no idea if this is what Carnivore is doing, but to the extent that law enforcement seeks origin and destination addresses that are more than link IP addresses they will be forced to analyze the contents of packets.
Origin and destination on the Internet are also much more revealing pieces of information than ''numbers dialed.'' In the case of someone visiting a website, the URL can disclose specific pages visited, books browsed, or items purchased. And as people move more of their lives online, a list of emails sent or web sites visited can provide a very detailed dossier of activities—all available without the heightened protections of a wiretap or even a standard Fourth Amendment warrant.
Page 144 PREV PAGE TOP OF DOC
For example, attached in Example 3 is a sample IP packet showing a search for a book on the Barnes and Noble web site. Again, the IP address information is available in the header and finding the URL requires a search through the body of the message. In this case, the URL includes revealing information about what books the user is looking at—here, books on prostate cancer. Taken together, a collection of such ''destination'' information could generate a revealing dossier of a person's interests and activities.
All of this raises Fourth Amendment questions for pen registers online. Courts have found that consumers have no ''expectation of privacy'' in the digits they dial on a telephone.(see footnote 2) It may very well be that, given the revealing nature of Internet transactional information, users do have a reasonable expectation of privacy in the URLs of web sites they visit and the email addresses of those with whom they communicate.
At the very least, Congress should raise the standards for use of pen registers in the Internet context. Under the current standards, a judge ''shall'' approve any request signed by a prosecutor certifying that ''the information likely to be obtained is relevant to an ongoing criminal investigation.'' 18 USC §3122–23. This is low standard of proof, similar to that for a subpoena, and judges are given little discretion in the granting of orders. Investigators have broad leeway to seek orders without, for example, any indication that the targets have been involved in criminal wrongdoing themselves, and without the probable cause required for searches under Fourth Amendment standards.
A large number of pen registers are executed each year with little public oversight. Unlike wiretaps, there are no national reporting requirements on the use of pen registers. The Justice Department reports on its own use, but this does not include numerous federal, state and local uses. Congress should extend the wiretap reporting requirements to pen registers.
Page 145 PREV PAGE TOP OF DOC
3. REINVIGORATING THE FOURTH AMENDMENT IN CYBERSPACE
Electronic privacy and surveillance are today governed by a complex statutory and constitutional framework that has slowly eroded in the face of technological change. (For a complete review of this framework and its evolution, please see CDT's Testimony before the Subcommittee in April 2000.) Remarkably, ECPA was the last significant update to the privacy standards of the electronic surveillance laws. Astonishing and unanticipated changes have occurred since then, including——
the development of the Internet and the World Wide Web as mass media;
the convergence of voice, data, video, and fax over wire, cable and wireless systems;
the proliferation of service providers in a decentralized, competitive communications market;
the movement of information out of people's homes or offices and onto networks controlled by third parties; and
the increasing power of hand-held computers and other mobile devices that access the Internet and data stored on networks.
These changes have left gaps and ambiguities in the surveillance law framework. Most fundamentally, as a result of these changes personal data is moving out of the desk drawer and off of the desktop computer and out onto the Internet. More and more, this means that information is being held and communicated in configurations where it is in the hands of third parties and not afforded the full protections of the Fourth Amendment under current doctrine. The government argues that this is a choice people make—you can keep the data in your own home and you can stay off the Internet if you care about privacy. But in a world where the Internet is increasingly essential for access to commerce, community, and government services, personal privacy should not be the price of living online. Rather, it is necessary to adopt legislative protections that map Fourth Amendment principles onto the new technology.
Page 146 PREV PAGE TOP OF DOC
To update the privacy laws, Congress could start with the following issues:
Increase the standard for pen registers.
Define and limit what personal information is disclosed to the government under a pen register or trap and trace order served on Internet service providers.
Add electronic communications to the Title III exclusionary rule in 18 USC §2515 and add a similar rule to the section 2703 authority. This would prohibit the government from using improperly obtained information about electronic communications.
Require notice and an opportunity to object when civil subpoenas seek personal information about Internet usage.
Improve the notice requirement under ECPA to ensure that consumers receive notice whenever the government obtains information about their Internet transactions.
Require statistical reports for §2703 disclosures, similar to those required by Title III.
Make it clear that Internet queries are content, which cannot be disclosed without consent or a probable cause order.
Page 147 PREV PAGE TOP OF DOC
Provide enhanced protection for information on networks: probable cause for seizure without prior notice, and a meaningful opportunity to object for subpoena access.
The recent White House announcement(see footnote 3) on privacy and surveillance helpfully adopts many of these proposals. Extension of the wiretapping exclusionary protections to electronic interceptions is a particularly welcome step. Increasing the standard for pen registers is an improvement, but will not be sufficient if such orders are applied broadly (i.e., include URLs) to the Internet. On the other hand, expansion of the Computer Fraud and Abuse Act is an unwelcome criminalization of an unnecessarily broad range of activities online. And the proposal fails to tackle with the need for heightened protections for private data held in the hands of third parties. CDT is prepared to work with Congress and the Justice Department to continue to flesh out the needed privacy enhancements, and to convene DPSWG as a forum for discussion and consensus building on these issues.
4. CONCLUSION
The Carnivore system demands greater public oversight and attention. More broadly, it speaks to the need for modernization of our surveillance laws and greater privacy protections to counteract the real threats to privacy online.
Protecting national security and public safety in this new digital age is a major challenge and priority for our country. On balance, however, we believe that the new sources of data and new tools available will prove to be a boon to government surveillance and law enforcement. These new technologies are likely to make law enforcement's job harder in some ways. And it appears likely that some of the traditional methods of surveillance and information gathering will have to change in this new medium.
Page 148 PREV PAGE TOP OF DOC
Carnivore demonstrates a real danger: The attempt to literally translate all current surveillance capabilities directly onto the Internet may not be possible or desirable in all cases, or may require new privacy protections. The demand that every current offline capability be directly implemented online should not become an excuse for creating a massive technical architecture for surveillance that, given the nature of the Internet, could be far more invasive than anything we have seen to date.
This data packet was collected from CDT's network while a computer on the network sent an e-mail message from me to Paul Taylor, a member of the committee staff.
The header of the packet includes the source and destination IP addresses (line 3). In this case the source 207.226.3.43 is a computer at CDT and the destination 216.32.69.186.25 is our ISPs mail server (which will receive the packet and send it to the House mail server based on its content.) The header of the packet also contains local Ethernet source and destination information.
This packet is an example of how the ''payload'' or contents of the packet would have to be analyzed in order to retrieve the address of the email recipient. The e-mail's addressing information is contained in this data section (line 10), which also contains the subject of the message and the actual message text.
This data packet was collected from CDT's network while a computer on the network was viewing a page on Chairman Canady's web site.
Page 149 PREV PAGE TOP OF DOC
The header of the packet includes the source and destination IP addresses (line 3). In this case the source 207.226.3.43 is a computer at CDT and the destination 143.231.86.196 is a House of Representative web server. The header of the packet also contains local Ethernet source and destination information.
This packet is an example of how the ''payload'' or contents of the packet would have to be analyzed in order to retrieve the web address being viewed. In this case URL of the item being viewed, an image on Chairman Canady's web site, is shown in the contents of the packet at lines 12 and 7—www.house.gov/canady/p74.jpg.
This data packet was collected from CDT's network a computer on CDT's network was searching for a book on the Barnes & Noble web site relating to ''prostate cancer.''
The header of the packet includes the source and destination IP addresses (line 3). In this case the source 207.226.3.43 is a computer at CDT and the destination 208.158.245.141 is a web server affiliated with Barnes & Noble.com. The header of the packet also contains local Ethernet source and destination information.
The information about the specific web page that the CDT computer viewed is contained in the packet's data section. The URL shown here:
http://shop.barnesandnoble.com/booksearch/results.asp?WRD=prostate+cancer&userid=4MOT3F70ED
Page 150 PREV PAGE TOP OF DOC
also provides information about what books are being viewed—in this case, books about prostate cancer.
STATEMENT OF TOM PERRINE, PRINCIPAL INVESTIGATOR, PACIFIC INSTITUTE FOR COMPUTER SECURITY
Mr. PERRINE. Mr. Chairman and members of the subcommittee, thank you for inviting me to testify on the subject of Carnivore and the fourth amendment.
I believe that the current debate over the FBI's new digital wiretap tool, commonly known as Carnivore, is really about the risks in attempting to simply translate the policies, law and practices of telephone wiretaps to the digital realm of the Internet.As today's testimony has shown over and over again that these differing interpretations of old law as applied to the Internet may be leading to problems.
The debate should not be about this specific program. The real issue is how the government is attempting to extend its lawful access to the Internet. In the process of applying old laws to the new media, the privacy of citizens may be eroded in ways not intended or permitted under current wiretap laws.
In my years in computer security, I have always been an advocate of personal privacy, unrestricted access to strong encryption, and less government oversight and intervention in the lives of law-abiding citizens. Due to my work at the Supercomputer Center, I also understand the need of law enforcement to be able to enter subtraffic. We spend an awful lot of time detecting, analyzing, and tracing computer intrusions; but this is about balance. The needs of law enforcement and privacy are not mutually exclusive. There can be a balance between them.
Page 151 PREV PAGE TOP OF DOC
Earlier this year, while I was visiting the FBI to discuss critical infrastructure vulnerabilities, I was invited to see Carnivore, although we didn't know it by that name. In technical terms, Carnivore is a high-speed packet ''sniffer'' with very aggressive filtering capabilities. It does examine all of the data packets passing through a network and filters out the data that does not meet its filtering criteria. This is very similar to tools that are already available in private hands. Every network administrator uses a packet sniffer in diagnosing problems. Carnivore has new functions in the way that it can aggressively filter and perhaps the speed of the networks that it can monitor.
Carnivore does not appear to be a monitoring infrastructure, and someone did use the word ''echelon,'' capable of real-time monitoring of large numbers of phone calls. It does appear on its face to be a tool specifically designed to meet the rigid requirements of a title III wiretap order or pen register order.
Recent news stories have compared Carnivore to a ''trunk-side'' wiretap, which is a monitoring system that allows monitoring all communications running through a phone office just to find calls related to a suspect. Congress rejected the use of trunk-side wiretaps more than 30 years ago because they mix communications of the innocent with those of suspects.
This is an interesting comparison that may be flawed. Carnivore does, at a fundamental level, intercept and examine all Internet traffic, but it only does that in order to select or reject data based on its filtering rules.
The question comes down to at what point has an examination and the privacy violation actually occurred? Does the examination and the privacy violation occur if a program compares the intercepted data with its filter and then rejects the data? Or does the examination not truly occur until the data is seen by a human being or is stored for later processing? This also comes into play, trying to use an analogy of the old telephonic system to the Internet.
Page 152 PREV PAGE TOP OF DOC
We have talked a lot today about pen registers, which the purpose is to acquire the phone numbers used, and we have also heard testimony that that is functionally equivalent to the to-and-from e-mail addresses. Are they the same? Actually, I think not.
But Carnivore is just a tool, and its capabilities must be considered in the context of how it could be used. Carnivore, with no filters, appears to be capable of gathering all of the information passing through the network that it monitors.
There is nothing to stop a person from using Carnivore technically, using Carnivore to monitor all of the network traffic passing through an Internet Service Provider if they had the capacity. There is no way for anyone to know the configuration of a filters in a the Carnivore system at the time that it is installed or the true capabilities of Carnivore without examining the source code of the system during the installation and the filters during the monitoring process.
The ACLU and others have called for publication of the source code of the Carnivore system, and their arguments are compelling. However, a one-time publication to reveal the source code, even by an independent verification validation organization, would provide only a snapshot of Carnivore's capabilities, with no assurances that the Carnivore program actually installed on an ISP was built from the sources that were reviewed. Carnivore is also under constant development, so the source code snapshot that was reviewed will be out of date within a few weeks. So unless we are planning on having an ongoing independent verification validation process, we will never know that what was installed was actually what was reviewed. There is no source code review that would indicate the filters that were installed in Carnivore had a given ISP on a given case.
Page 153 PREV PAGE TOP OF DOC
So, in conclusion, Carnivore does appear to be both a trunk-side wiretap and an attempt to bring limited wiretap capabilities to the Internet. It does have long-term implications for privacy that must be carefully considered. Old laws often break down when applied to the Internet. I think we have seen this today. Applying these old laws may unintentionally erode constitutional protections in unintended ways. So law enforcement may need appropriate legal access to Internet communications under limited circumstances, but this access must be properly controlled and monitored to ensure that constitutional safeguards are maintained. Thank you.
Mr. CANADY. Thank you.
[The prepared statement of Mr. Perrine follows:]
PREPARED STATEMENT OF TOM PERRINE, PRINCIPAL INVESTIGATOR, PACIFIC INSTITUTE FOR COMPUTER SECURITY
Mr. Chairman, and Members of the Subcommittee. Thank you for inviting me to testify on this important subject.
From the beginning of my career in computer security, I have always been an advocate of personal privacy, unrestricted personal access to strong encryption, and less government oversight and intervention in the lives of law-abiding citizens. In the course of my career I have also designed and developed computer systems to protect classified government information, deployed nation-wide security systems to protect privacy and intellectual property and consulted on computer security to educational institutions, the Department of Defense and public and private organizations. Due to my work in detecting and analyzing computer intrusions, I also understand and support legitimate law enforcement access to Internet traffic.
Page 154 PREV PAGE TOP OF DOC
INTRODUCTION
I believe that this current debate over the FBI's new digital wiretap tool, commonly known as ''Carnivore'', is really about the risks in naively attempting to simply translate the policies, law and practices of telephone wiretaps into the digital realm of the Internet. The Internet is fundamentally different from the telephone system. As we attempt to provide access to Internet traffic for the legitimate purposes of law enforcement, we must be exceptionally careful to avoid extending the scope and depth of current wiretap and surveillance access in new and unintended ways.
However, in order to get to the heart of the matter, it is necessary to describe the Carnivore system and describe its abilities to monitor the Internet. Additionally, I will describe how the Internet is different from the telephone system, and illuminate some problem areas that may open the door to extending the government's ability to monitor citizens in unintended and intrusive directions.
PRIVACY AND SECURITY AT THE SAN DIEGO SUPERCOMPUTER CENTER
In my current duties, I wear two hats, one as a protector of privacy and the other as a security researcher.
As the security officer for the San Diego Supercomputer Center (SDSC) my primary and overriding mission is to protect the privacy and intellectual property of the users of the Center. SDSC is a national laboratory for computational science and engineering. With about 6000 users, several hundred computers and five supercomputers, including he world's 9th fastest supercomputer (Blue Horizon), with Terabytes of data and numerous high-speed network connections and we are under constant attack by would-be computer intruders. SDSC's users are performing basic research in fields as wide-ranging as astro-physics, engineering, life sciences, ecology and medicine. Premature publication, destruction, modification or theft of their data could have implications ranging from academic embarrassment through the theft of intellectual property worth millions (or possibly even billions) of dollars.
Page 155 PREV PAGE TOP OF DOC
As a security researcher and the Principal Investigator of the Pacific Institute for Computer Security (PICS), I am constantly working to determine future threats to the computers attached to the public Internet, as well as threats to the actual Internet infrastructure itself. Researchers at PICS have in the past discovered software flaws in popular operating systems as well as vulnerabilities in the basic protocols of the Internet. I provided testimony on this topic to the President's Commission on Critical Infrastructure Protection.
The San Diego Supercomputer Center, the Pacific Institute for Computer Security and other security activities are sponsored in large part by U. S. Government activities. These include the National Science Foundation, the National Institutes of Health, the Department of Defense, the Institute for Defense Analyses, the National Security Agency and the FBI. PICS' involvement with the FBI has been limited to a small amount of technical assistance for the San Diego office. PICS and other SDSC staff have provided expert testimony in cases involving child pornography and computer intrusions.
It was as a PICS researcher, discussing critical infrastructure vulnerabilities with the FBI, that I became aware of and was afforded a chance to see the hardware and software product known as ''Carnivore''. The date was June 20th of this year, and the location was the FBI's Engineering Research Facility (ERF) in Quantico.
There are several important issues at play here, and the capabilities and purpose of Carnivore may be the least important. All of my observations concerning Carnivore itself must be considered in the context of my very limited access to Carnivore. I can only testify about what I was told and what I observed concerning Carnivore over a very short period of time.
Page 156 PREV PAGE TOP OF DOC
WHAT IS CARNIVORE?
First of all, what is Carnivore? In technical terms, Carnivore is a high-speed packet ''sniffer'' with aggressive filtering capabilities. It examines all the data packets passing through a network, and filters out data that does not meet its filtering criteria. In layman's terms, Carnivore is a digital wiretap capable of discarding all information that is not to or from or concerning the subject of the wiretap order.
In fact, other than its fancy, easy to use graphical user interface, and its ability to monitor high-capacity networks, Carnivore is not very different from the various packet sniffer programs available to network managers, system administrators, home computer users and so-called ''hackers''.
By analogy, if the network is the cellular phone system, packet sniffers are radio scanners, capturing or listening to all data that goes by in the air or on the wire. Also by analogy, Carnivore is a ''smarter'' scanner, capable of detecting and recording only those phone calls to or from a specific person, or containing certain key words, and not listening to all the other users of the cellular system.
Carnivore's major technical novelty is its apparent aggressive intent to avoid capturing data concerning those that are not the subjects of a wiretap order. It is functionally very similar to software written by Dr. Andrew Gross (of the Kevin Mitnick case) while he was the Principal Investigator of PICS in 1997.
Page 157 PREV PAGE TOP OF DOC
Physically, Carnivore is a personal computer with a network interface, and ZIP or Jaz removable disk drive, running a version of the Microsoft Windows operating system, with the Carnivore software loaded. In order to use Carnivore, it must be physically attached to the network to be monitored. The Carnivore software has a Graphical User Interface (GUI) which presents the user with an easy-to-use way to describe the filters that are to be used in accepting (and recording) or rejecting network data seen by the system. The user interface was designed to be used by a less-technical user, such as an FBI Special Agent in the field. The version of Carnivore I saw, as it was described to me had few provisions for remote access to the gathered data, but did have the capability to be monitored itself from a remote site via telephone. As described to me, this was so that the technical support staff at the ERF could assist with technical problems, and so the assigned Special Agent could determine when the removable media needed to be changed. This remote access method would also allow a remote user to change the filtering criteria from a remote site via a telephone call.
As described to me, all gathered data was written to a ZIP or JAZ removable disk drive, and the data would be physically collected by a Special Agent visiting the site. There are issues involving the collection, storage, custody, and admissibility of digital evidence. I believe that this physical collection of the evidence is a conscious effort to move this ''digital'' evidence into the realm of physical evidence, which is well understood by and more comfortable to the legal system. Although the system is capable of transmitting some gathered data via the telephone connection, this is impractical given the relative bandwidth of the telephone and the high-speed networks being monitored.
WHAT IS CARNIVORE NOT?
Page 158 PREV PAGE TOP OF DOC
Carnivore does not appear (on its face) to be an ECHELON-like ''monitoring infrastructure'', capable of real-time monitoring of millions of phone calls and network connections. Based on my limited examination of Carnivore, and technical discussions with its developers, it appears to be a tool specifically designed to meet the rigid requirements of a Title III wiretap order. Such an order is supposed to be a narrowly drawn and rigidly interpreted permission from a judge to monitor the electronic activities of a specific person or persons.
Quite frankly, Carnivore appears to be the best available technology to try to implement the limited permissions to monitor granted by a judge. The device is capable of filtering out information concerning those not subject to the wiretap order.
However, Carnivore is just a tool, and its capabilities must be considered in the context of how it could be used, the potential for intentional and unintentional abuse, and the critical need to consider the privacy and constitutional rights of citizens.
PRIVACY IS ''EXTRINSIC'' TO TECHNOLOGY
Carnivore is just a tool. It is a tool that appears to be designed to be able to allow the FBI to balance the rights of citizens against the permission to monitor granted by a judge in a wiretap order. However, it is how the tool is used that will actually determine whether or not the privacy of innocent and uninvolved people will be violated.
Carnivore has the ability to filter out all ''un-allowed'' information, but like any network sniffer, the actual data collected or rejected is a matter of the configuration of the device. It is obvious that there is nothing to stop a person from using Carnivore (or any other packet sniffing tool) to gather all the network information they can store.
Page 159 PREV PAGE TOP OF DOC
The fundamental issue really boils down to:
How do we balance the government's legitimate need to monitor suspects in ongoing criminal investigations without trampling the rights of other citizens who happen to share the Internet with them?
Carnivore appears to be an attempt to strike such a balance. However, it still may open too many possibilities for abuse, error and other unintended consequences.
Any technology, once created, can be abused. Automobiles enabled bank robbers in fleeing across state lines; and pagers, cellular and portable telephones enable the illegal drug dealer. Packet sniffers are one tool of the ''hacker'', but are also needed by the network manager. These are all ''dual-use'' technologies, having both legitimate and non-legitimate uses. It is the use that determines intent and effect; the technology just enables the capabilities.
Of course, the ultimate concern of citizens should be the possibility of ''mass monitoring'' of all the users at an Internet Service Provider (ISP), a company, a University, or a state or a country. The technology already exists, it is simply a matter of time and money to deploy this technology on the scale required to achieve the goal.
THE INTERNET IS DIFFERENT
The Internet is fundamentally different from the original analog telephone system. This is important to understand, because almost all of our legislation, legal precedent and practice in monitoring the Internet are derived from the old analog telephone system.
Page 160 PREV PAGE TOP OF DOC
The telephone system is a collection of tightly integrated systems, operated by various companies, sharing a common switching technology. Without this underlying common technology, the various parts of the system would be unable to communicate with each other in order to provide a telephone connection between the callers. In the telephone world, a wiretap order is often implemented the telephone service provider. In this case, the law enforcement agency delivering a directive to the operators of the subject's telephone service provider, and the service provider performs whatever action is needed to provide access to the subject's telephone calls. The calls are typically voice, not too frequent, and listened to in ''real time'' by people, in addition to any recordings that may be made. All of these factors provide a ''gating'' function that limits the scale and scope of any surveillance activities. It is simply infeasible for the government to implement wide-scale monitoring of large numbers of people, due to the need for cooperation from the telephone service providers and the labor-intensive nature of the surveillance. This is likely a major reason that the National Security Agency and other government agencies have long sponsored basic research in speech recognition.
However, the Internet is fundamentally different, and with Carnivore and other systems, the monitoring activity is different as well. It is apparent that the digital nature of the Internet allows a wider net to be cast, at a lower cost than in the telephone world. The Internet is a digital medium, and most of its data remains text-based. These two attributes combine to make it very easy to use computers to process large amounts of collected data. Textual data is much easier and cheaper to process than voice telephone, for example. Also, the government installs Carnivore with little or no participation from the Internet Service Provider (ISP). The ISP has no way of knowing what data is being gathered or who the target of the wiretap may be. As previously mentioned, the filtering done by Carnivore can be changed remotely, without the knowledge of the ISP, as well.
Page 161 PREV PAGE TOP OF DOC
All of these factors combine to provide a capability that is broader and more scalable than in the analog telephone world, for which most of the wiretap statutes were written.
It is important to ensure that any digital wiretap capability and law does not allow what Dr. Steve Bellovin of AT&T calls ''scaling up to oppression''. It should remain relatively expensive for the government to monitor its citizens, so that this capability will be reserved for those exceptional cases that warrant electronic surveillance and discourage casting a wide net that will gather in information about unintended bystanders.
Any digital wiretap systems and law must provide the same protections, checks and balances that exist in the telephone world. It is not obvious that this is currently the case. It seems likely that the ''law of unintended consequences'' applies and that current digital wiretap capabilities and legal constraints do not provide the same protections as in the telephonic environment.
CONTROL, OVERSIGHT AND ACCOUNTABILITY
If a ''dual-use'' technology, such as Carnivore and other network monitoring tools exists, the only way to protect against mis-use is to find ways to discourage, or punish abuse. This is explicitly embodied in current wiretap law, where there are consequences ranging from inadmissibility of evidence up to criminal prosecution for an improperly performed wiretap. But in order to impose these consequences, the improper activities must be discovered. Also, by the nature of a telephonic wiretap, the scope of the wiretap is limited to a small number of telephones and the people who use them. With a digital wiretap, such as Carnivore, only the FBI knows who is the subject of the wiretap, and whether or not data concerning other people is actually being gathered.
Page 162 PREV PAGE TOP OF DOC
It would be trivial for the FBI to monitor ten or a hundred or a thousand (or more) people with a single Carnivore system, using a wiretap order which only authorized monitoring of a single subject. Essentially there is no way for any outside entity to know the configuration of the filters in a Carnivore system, or the true capabilities of the Carnivore system without examining the source code of the system during installation and during the monitoring itself.
CARNIVORE AND OPEN SOURCE
The ACLU and others have called for publication of or access to the source code of the Carnivore system. While interesting, this is unfortunately insufficient to determine the true capabilities of a particular Carnivore system as installed for any given wiretap order. A function of a Carnivore system is determined both by the program and the filter configuration active at any moment in time.
A one-time publication or review of the source code would provide only a ''snapshot'' of Carnivore's capabilities, and it might be difficult to prove that the Carnivore program installed at an ISP was actually built from the sources reviewed. Since Carnivore is under constant development, the snapshot reviewed would be out-of-date within a few weeks. A review of the source code would not indicate the filters installed in a Carnivore system at any given time.
In the computer security and cryptography communities, no claims are accepted until programs or algorithms have undergone public scrutiny and peer review. Typically, security-relevant software then remains in the public purview, with many contributors making incremental improvements and continuing the review process. For our computers, and those at any site truly concerned with security, Open Source security tools are compiled from publicly available, peer-reviewed source code. These programs are widely trusted because it is believed that this public scrutiny would find and publicize most flaws and any ''secret'' functions. This affords a high level of confidence that these programs perform their stated functions properly, and not perform any inappropriate functions.
Page 163 PREV PAGE TOP OF DOC
It may be that to provide this level of confidence, that the source code for Carnivore might need to become publicly available, and that ISPs be permitted to acquire, examine, compile and configure the Open Source Carnivore software. Interestingly, this is more analogous to the current telephonic wiretap (installed by the telephone service provider), than the current use of Carnivore.
CONCLUSION
The issue of Carnivore is not really about technology. It is really about the attempts of the government to extend its lawful and appropriate access to electronic communications into the digital Internet realm. It seems that in the process of applying laws, policies and procedures into the digital realm, that the privacy of citizens has been eroded in ways not intended or permitted under the original wiretap legislation, current practice or Supreme Court decisions.
The FBI will always have to live with the legacy of the Hoover era, just as the Congress will have to constantly compare itself with the McCarthy hearings, and the Executive Branch must always remember Watergate. These and other incidents from our country's history have contributed to an unfortunate general distrust of our public institutions when they concern themselves with the rights of our citizens.
I continue to have the utmost regard for the Special Agents it has been my good fortune to meet and work with. I understand and support their need for legal and proper access to the electronic communications of those subject to investigation for serious crimes. The challenge will be to provide the intended monitoring abilities that are reasonable and proper in the digital area.
Page 164 PREV PAGE TOP OF DOC
Ladies and Gentlemen of the Subcommittee, thank you for your attention in the matter, and for the opportunity to provide this testimony.
Mr. CANADY. Thank you.
Mr. Corn-Revere.
STATEMENT OF ROBERT CORN-REVERE, ATTORNEY, HOGAN & HARTSON
Mr. CORN-REVERE. Chairman Canady and members of the committee, thank you for inviting me back to testify on this important topic. Rather than paraphrase my written submission in 5 minutes or so, I will dispense with that and just try to address some of the points about Carnivore that were discussed in the testimony of the government witnesses. I will touch on two or three points related to what, in my experience, represent Carnivore in its natural habitat.
One of the first points that was made is that Carnivore is used in only very limited ways; that it is used only when an Internet Service Provider either cannot or will not comply with a court order. In fact, Mr. Painter testified that in the one challenge that he is aware of, that incoming e-mail addresses, but not outgoing e-mail addresses, were received, which required the government to move forward with the installation of Carnivore. That is not quite what happened in that case.
Page 165 PREV PAGE TOP OF DOC
In the case in which I was involved, the ISP did try to comply with the lawful court order, the pen register and trap and trace order. It is simply taken as a given that ISPs are obligated, under the terms of the Electronic Communications Privacy Act, to comply with lawful court orders to provide information, but at the same time, they are required to protect the privacy of their subscribers.
In this case, the solution that the ISP put in place did get all of the outgoing, or excuse me, all of the incoming e-mail addresses, and it did supply a smaller number of outgoing e-mail addresses to the government. The government was dissatisfied with that, saying that there must have been more outgoing e-mail addresses. We tried to explain that there are any number of reasons why there may be fewer outgoing e-mails than incoming e-mails. For example, the target of the investigation might have used a Web-based e-mail service to send e-mails rather than using his own resident program. Nonetheless, the U.S. Marshals were dissatisfied with that solution and informed the ISP that they were coming to install Carnivore within 2 days. That ultimatum prompted the court action that led to the magistrate's order.
I believe Mr. Painter testified that since that time, the ISP has provided excellent cooperation. In fact, the ISP has done in subsequent cases what it did in that initial case: It provided and offered to provide ways to comply with orders that it received in ways short of installing Carnivore. And since that time, Carnivore has not been reinstalled on its system.
Secondly, in response to a question from the chairman, one of the government witnesses suggested that it was the ISP in its implementation, and not the Carnivore program itself, that caused a crash and disrupted the ISP's system. In fact, our experience was that Carnivore was incompatible with the system, requiring the ISP to make adjustments, which led to a number of problems that ultimately led to Carnivore being taken out. The next day the order for its installation expired.
Page 166 PREV PAGE TOP OF DOC
Let me say just one other thing about that order. In fact, there was a magistrate's order, which is still under seal, that did require the installation of Carnivore. We tried to work out the terms of that order to include safeguards to make sure that no more information could be collected than necessary. However, the magistrate said in that order was that he would welcome a decision on the legality of Carnivore, under the existing legal scheme, by a reviewing court. We haven't had that kind of legal review yet, and I don't know of a pending case in which that may occur.
Next, the government witness talked about the number of safeguards that exist to make sure that use of Carnivore does not lead to excessive violations of subscriber privacy. For example, Dr. Kerr testified that the filter will ensure that Carnivore records only the information authorized by a court order, and suggested that it would be necessary to obtain the assistance of a technician, or even perhaps the assistance of the ISP, to alter the programming of Carnivore to permit a ''rogue agent'' to obtain information to which he or she is not entitled.
I am not a technician, so I cannot really address that point. But I can say that in the case that I was involved in, I was told that Carnivore would be accessible remotely by government agents, and that the configuration of Carnivore could be changed with the flip of a switch. Maybe that is correct, maybe it is incorrect; I don't know. It does suggest perhaps that the proposals for an independent review of Carnivore really are in order.
Next, we were told that we will be protected from invasions of privacy because there is an audit trail that ensures that the Carnivore filter is correctly set to correspond to what is authorized by the court order, and that the audit information will be available along with the evidence in a prosecution. But, in fact, that safeguard exists only if there is a prosecution, and such safeguards primarily exist for title III interception orders, not for trap and trace orders. There is no requirement to notify the target of surveillance in a trap-and-trace situation that that surveillance took place, so there is no way to ensure accountability in that circumstance.
Page 167 PREV PAGE TOP OF DOC
As I mentioned in my April 6 testimony before this subcommittee, surveillance was undertaken briefly using Carnivore pursuant to a trap-and-trace authorization in the case I described. As many people have noted here today, such an order is available only with a certification of ''relevance'' by a law enforcement authority. There is no requirement to show probable cause to obtain a trap and trace order.
I believe Congressman Bachus asked whether or not Carnivore has been used to investigate violations of any other laws, such as antitrust laws or consumer protection laws or anything else. The response was given that Carnivore can only be used to investigate specified Federal felonies as set out in title III. As a matter of fact, such limits only apply to title III intercept orders. The government is not limited in the use of Carnivore, when it is used to implement a trap-and-trace order, to the felonies that are specified in title III. All that has to be shown is a certification that the prosecutor or the law enforcement agent involved believes that Carnivore would obtain information expected to be ''relevant'' to an ongoing criminal investigation.
The rest of what I have to say is really just paraphrasing my written testimony. I will just leave it at that and will be happy to answer your questions.
[The prepared statement of Mr. Corn-Revere follows:]
PREPARED STATEMENT OF ROBERT CORN-REVERE, ATTORNEY, HOGAN & HARTSON
Two weeks ago the WALL STREET JOURNAL reported that the FBI is using a new technology that it calls ''Carnivore'' to conduct electronic surveillance on Internet communication. Neil King Jr. and Ted Bridis, FBI's Wiretaps to Scan E-Mail Spark Concern, WALL STREET JOURNAL, July 11, 2000 at A3. That initial story prompted a wave of news coverage and reopened a national debate on the uneasy relationship between electronic surveillance and the Fourth Amendment. But that newspaper article was not the beginning of the story. Last April, in testimony before this Committee, I described a case in which an Internet Service Provider (''ISP'') that I represent challenged an order to install a ''trap and trace'' device, where the government sought to implement the order using Carnivore. Subsequent press reports have identified the ISP as EarthLink. A copy of my April 6 testimony is attached to today's statement.
Page 168 PREV PAGE TOP OF DOC
Briefly, our objection to the proposed installation of Carnivore was as follows: We were concerned that Carnivore would have the ability to see content and header information for email messages sent or received by the ISP, and that installation of the device would far exceed the very limited surveillance authority provided by a trap and trace order. We believed it would enable the government to acquire more information than the law permits, not just about the person who was the target of the investigation, but potentially about a large number of other subscribers who had nothing at all to do with the investigation.
Our concerns were heightened by the fact that trap and trace orders may be issued in ex parte proceedings by magistrates based on a far lesser threshold showing than is required for other forms of electronic surveillance. The Electronic Communications Privacy Act (''ECPA'')(see footnote 4) provides that a court ''shall enter an ex parte order authorizing the installation and use of a pen register or trap and trace device'' where a law enforcement officer certifies that the ''information likely to be obtained is relevant to an ongoing criminal investigation.'' 18 U.S.C. §3123(a). By contrast, an order to intercept the content of electronic communications requires a showing of probable cause that the target has committed a specified felony. 18 U.S.C. §2516, 2518. The request for such an order must state with particularity information regarding the facts relied upon by the applicant, the crime at issue, the individuals suspected of committing the offense, and the type of communications to be intercepted.
The minimal showing required for pen registers or trap and trace devices compared to that required for interception orders reflects the limitations of that technology. The Supreme Court previously has found that individuals do not have a reasonable expectation of privacy in the information that could be gathered by such means, noting that ''pen registers do not acquire the contents of communications.'' Smith v. Maryland, 442 U.S. 735, 742 (1979). The Court has emphasized that ''[n]either the purport of any communication between the caller and the recipient of the call, their identities, nor whether the call was even completed is disclosed by pen registers.'' United States v. New York Tel. Co., 434 U.S. 159, 167 (1977). Such limitations do not apply to technologies such as Carnivore.
Page 169 PREV PAGE TOP OF DOC
For that reason—and because existing law is far from clear on the use of pen registers or trap and trace devices in the Internet context—we sought further guidance from the magistrate. The government's position was that we need not worry if the technology they use is capable of wholesale surveillance on ISP subscribers to the extent the order under which they operate imposes limits on the information they may acquire. In this regard, the dispute we faced involving this trap and trace order touches on fundamental issues that underlie U.S. law governing electronic surveillance.
As I explained in greater detail in my April 6 testimony to this Committee, the law governing electronic surveillance has evolved over time to extend privacy protections for individuals to ensure that technological developments do not undermine our basic rights. This was the driving force behind the passage of ECPA in 1986. While the purpose of ECPA was to maintain a balance between the privacy of citizens and the needs of law enforcement,(see footnote 5) much of the impetus for the law was a determination by Congress that electronic communications lacked sufficient safeguards against governmental and third-party interception.(see footnote 6) Congress found that the law had not kept pace with the development of new electronic technologies, and that ''the use of sophisticated technologies for surveillance purposes . . . presents dangers to society.''(see footnote 7) The Office of Technology Assessment found that the use of advanced technology for surveillance could infringe upon First, Fourth and Fifth Amendment protections, as well as the statutory safeguards of Title III and other laws.(see footnote 8) It concluded that ''[o]ver time, the cumulative effect of widespread surveillance for law enforcement, intelligence, and other investigatory purposes could change the climate and fabric of society in fundamental ways.''(see footnote 9)
Page 170 PREV PAGE TOP OF DOC
Such findings were foremost in the minds of ECPA's drafters. As the Senate Report on ECPA noted, ''[w]hen the Framers of the Constitution acted to guard against the arbitrary use of government power to maintain surveillance over citizens, there were limited methods of intrusion into the 'houses, papers, and effects' protected by the fourth amendment.''(see footnote 10) It added that ''development of new methods of communication and devices for surveillance has expanded dramatically the opportunities for such intrusions.''(see footnote 11) After pointing to ''tremendous advances in telecommunications and computer technologies'' as well as surveillance techniques, the Report stated that ''[e]lectronic hardware making it possible for overzealous law enforcement agencies, industrial spies and private parties to intercept the personal or proprietary communications of others'' required changes in Title III.(see footnote 12) The Report concluded that ''the law must advance with the technology to ensure the continued vitality of the fourth amendment. Privacy cannot be left to depend solely on physical protection, or it will gradually erode as technology advances. Congress must act to protect the privacy of our citizens. If we do not, we will promote the gradual erosion of this precious right.''(see footnote 13)
One argument being made today is that advances in technology are threatening the ability of law enforcement authorities to conduct surveillance for the protection of public safety and national security. While I agree with the overall premise that Congress should examine and, where necessary, update the law of electronic surveillance, I would urge a more cautious approach when it comes to expanding surveillance capabilities. In many ways, changes in technology have expanded the ability to conduct electronic surveillance—as the news about Carnivore attests.
Page 171 PREV PAGE TOP OF DOC
As Congress addresses this issue, I think it is important to keep in mind that law enforcement authorities have at times overcompensated in their reactions to new technologies, and have proposed measures that would seriously have eroded privacy rights. Examples include:
The aborted ''Clipper Chip'' proposal in the early 1990s that advocated the installation of chips in computer and telecommunications equipment to provide a ''back door'' through which to conduct electronic surveillance (with proper authorization);
The continuation of stringent export controls on cryptographic software; and
Initial proposals by the FBI to redesign digital telecommunications networks.
In each of these instances, public consideration and debate led policymakers to question, and eventually to reject, many of the demands for increased surveillance capability.
The legislative history of the Communications Assistance for Law Enforcement Act (''CALEA'') is instructive in this regard. Congress enacted CALEA in 1994 as part of an effort to respond to developments in communications technology that, in some respects, had made electronic surveillance of communications by law enforcement officials more difficult than such activity had been in the past.(see footnote 14)
Prior to CALEA's adoption, the FBI did not initially seek legislation to require carriers to assist in wiretapping digital communications. Instead, it attempted to foster ''a cooperative, private alliance between law enforcement and telecommunications carriers.''(see footnote 15) In an effort code-named ''Operation Root Canal,'' the FBI embarked on what has been described as a ''secret campaign'' designed to maintain the level of wiretap access it deemed essential to fulfilling its law enforcement duties.(see footnote 16) The attempt to secure private cooperation was abandoned, however, due to changes in the telecommunications industry. Increasing competition between telecommunications carriers caused the participants to conclude that, unless universal compliance was assured, those who agreed to the FBI's requirements would be placed at a disadvantage in the marketplace.(see footnote 17)
Page 172 PREV PAGE TOP OF DOC
As a result of these developments, the FBI proposed legislation in 1992 that eventually resulted in passage of CALEA in 1994.(see footnote 18) However, the FBI's initial proposals were far broader than the law that finally was adopted. In February 1992 the FBI circulated a first draft of a digital telephony bill that proposed amending the Communications Act of 1934 to require that all ''providers of electronic communications systems and private branch exchange operators . . . provide such assistance as necessary to ensure the ability of government agencies to implement lawful orders or authorizations to intercept communications.''(see footnote 19) The proposal would have applied to ''any service which provided users thereof the ability to send or receive wire, oral, or electronic communications,'' including telecommunications carriers and computer networks of all sizes.(see footnote 20)
Objections to the breadth of the FBI's proposals led to revisions in the legislation that passed in 1994. When a final version of CALEA was presented to Congress, the legislative history made clear that ''the scope of the legislation has been greatly narrowed.'' House Report at 3498. Whereas ''[e]arlier digital telephony proposals covered all providers of electronic communications services,'' the final bill made clear that information services (including online services) ''do not have to be designed so as to comply with the capability requirements.'' Id. As finally adopted, CALEA provided that the Attorney General did not have unilateral authority to prescribe requirements, but that standards-setting would be conducted through public proceedings at the FCC.
Thus, Congress made clear that the purpose of CALEA was simply to ''preserve'' the government's existing surveillance capabilities,(see footnote 21) not to expand them.(see footnote 22) According to the House Report, CALEA was intended to set ''both a floor and a ceiling'' on the ability of law enforcement to conduct electronic surveillance.(see footnote 23) In other words, while the statute was intended to ensure that new technologies would not reduce law enforcement's existing surveillance capabilities, it also was crafted to prevent any expansion of those capabilities.(see footnote 24)
Page 173 PREV PAGE TOP OF DOC
Now, as Congress investigates the issues surrounding Carnivore and considers new legislative proposals to modify the law of electronic surveillance, I believe it should approach the task with the same healthy skepticism that it has in the past. Hearings like this one are essential to ensure that Congress has the facts it needs to evaluate current surveillance practices, and will help ensure that it does not unthinkingly ratify changes in the law that might undermine fundamental rights.
ATTACHMENT
Mr. Chairman, and Members of the Subcommittee. Thank you for inviting me to testify on this important subject.
As an Adjunct Professor at the Communications Law Institute, Columbus School of Law at the Catholic University of America I have long had an interest in the privacy implications of new communications technologies. As a practitioner, I regularly counsel Internet Service Providers (''ISPs'') and other Internet-related businesses on compliance with privacy laws, including the Electronic Communication Privacy Act (''ECPA''). In addition, I am a member of the legal team for Daniel Bernstein, a cryptographer who successfully challenged U.S. export controls on encryption software as a violation of the First Amendment. The views I express today are mine alone; I am not testifying on behalf of any client.
Introduction
I believe it is vital for Congress now to examine the Fourth Amendment implications of electronic surveillance on the Internet and the World Wide Web. As the United States Supreme Court explained in 1997, the Internet is a unique and wholly new medium of worldwide human communication.(see footnote 25) Judge Paul L. Friedman of the U.S. District Court for the District of Columbia has suggested that ''[i]t is probably safe to say that more ideas and information are shared on the Internet than in any other medium,'' and that it may be only a slight overstatement to conclude that ''the Internet represents a brave new world of free speech.''(see footnote 26) Another federal judge has suggested that the Internet ''may well be the premier technological innovation of the present age.''(see footnote 27) Increasingly, more aspects of Americans' daily lives are conducted using this new medium. And, just as ''more ideas and information are shared on the Internet than in any other medium,'' more information can be collected by means of electronic surveillance.
Page 174 PREV PAGE TOP OF DOC
The issue of privacy on the Internet has been the focus of much attention in the past few years. However, much of the concern in this regard has been directed toward the possible commercial exploitation of personal information gleaned from the Web. Where attention has been devoted to the question of government surveillance and the Internet, it often has been part of a call to update federal law in order to facilitate electronic surveillance. A recent example of such advocacy is the recent report by the President's Working Group on Unlawful Conduct on the Internet entitled THE ELECTRONIC FRONTIER: THE CHALLENGE OF UNLAWFUL CONDUCT INVOLVING THE USE OF THE INTERNET (February 2000) (''The Electronic Frontier''). Similarly, it was reported recently that the Securities and Exchange Commission is seeking to create an automated surveillance system to scour the Internet for people who violate securities laws.(see footnote 28)
In light of these developments, I suggest that more attention should be devoted to the potential impact on privacy of increased government surveillance. While I agree with the suggestion of the President's Working Group that the law should be updated to account for technological change, I think it must take into account the important Fourth Amendment values that form the foundation of our law. Any legislative reform also should examine the historic considerations that led Congress in the past to amend U.S. law governing electronic surveillance. With these thoughts in mind, I will address the Fourth Amendment and statutory background relating to electronic surveillance and I will describe a recent experience I had in trying to apply existing law governing pen registers and trap and trace devices to Internet communications.
Background: The Fourth Amendment and Federal Law
Page 175 PREV PAGE TOP OF DOC
There has long been an uneasy relationship between electronic surveillance and the Fourth Amendment to the U.S. Constitution. The Fourth Amendment prohibits unreasonable searches or seizures, including those relating to a person's papers. It provides:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.(see footnote 29)
In Olmstead v. United States, the Supreme Court in 1928 considered whether warrantless wiretapping violated the Fourth Amendment. The Court found no constitutional violation because the surveillance was accomplished without intruding on the physical property of the defendant.(see footnote 30) By failing to acknowledge that technology permitted the government to intrude on communications in a way that previously was impossible, a five-vote majority concluded that the Fourth Amendment ''does not forbid what was done here'' because ''[t]he United States takes no such care of telegraph or telephone messages as of mailed sealed letters.''(see footnote 31)
Justice Brandeis wrote in dissent that constitutional principles were undermined to the extent the Court focused excessively on the method chosen for communication. He argued forcefully that constitutions must be interpreted with technological advancements in mind to preserve fundamental rights. In particular, Justice Brandeis wrote, constitutions must be designed ''to approach immortality'' and ''our contemplation cannot only be what has been but of what may be.''(see footnote 32) Foreshadowing the rise of a computer-based society, he warned that:
Page 176 PREV PAGE TOP OF DOC
Discovery and invention have made it possible for the Government, by means far more effective than stretching upon the rack, to obtain disclosure in court of what is whispered in the closet.
* * *
The progress of science in furnishing the Government with means of espionage is not likely to stop with wire-tapping. Ways may some day be developed by which the Government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home. Advances in the psychic and related sciences may bring means of exploring unexpressed beliefs, thoughts and emotions.
* * *
Can it be that the Constitution affords no protection against such invasions of individual security?
Justice Brandeis concluded that if the courts did not adapt to new realities, then constitutional principles would be ''converted by precedent into impotent and lifeless formulas'' and that ''[r]ights declared in words might be lost in reality.''(see footnote 33)
The Supreme Court eventually adopted Justice Brandeis' view toward wiretapping. In Katz v. United States, it declared that the Fourth Amendment ''protects people, not places'' and held that wiretapping is allowable only after a valid warrant is issued—the same as for any other search.(see footnote 34) The Court reasoned that ''[t]o read the Constitution more narrowly is to ignore the vital role that the public telephone has come to play in private communication.''(see footnote 35) The decision expressly overruled Olmstead, replacing the previous focus on the means of communication with an appreciation of the fact of communication as the source of constitutional rights. It concluded that ''[t]he Government's activities in electronically listening to and recording the petitioner's words violated the privacy upon which he justifiably relied. . . .''(see footnote 36)
Page 177 PREV PAGE TOP OF DOC
Congress subsequently incorporated the Fourth Amendment calculus of Katz into federal law. It sought to establish a balance between the interests of privacy and law enforcement in the midst of continuing developments in communications technology. Congress' first effort to achieve this balance was its enactment in 1968 of the Omnibus Crime Control and Safe Streets Act (''1968 Act'').(see footnote 37) The Act prohibited the use of electronic surveillance by private individuals. At the same time, however, the Act created a judicial process by which law enforcement officials could obtain a court's authorization to conduct such surveillance.(see footnote 38) The 1968 Act's ''dual purpose'' was to ''(1) protect[ ] the privacy of wire and oral communications and (2) delineat[e] on a uniform basis the circumstances and conditions under which the interception of wire and oral communications may be authorized.''(see footnote 39)
In the years since 1968, Congress has engaged in an ongoing balancing process. In 1970, the United States Court of Appeals for the Ninth Circuit held that the 1968 Act neither required carriers to provide the technical support needed by law enforcement to conduct authorized electronic surveillance, nor authorized the courts to compel such support.(see footnote 40) Congress responded by amending the Act to provide that any order issued by a federal court authorizing an electronic interception must, upon request of the government, direct communications service providers to provide all information, facilities, and technical assistance necessary to accomplish the interception.(see footnote 41)
Continuing technological developments again prompted Congress to take legislative action in 1986 through passage of ECPA.(see footnote 42) It was adopted to bring new communication technologies—such as wireless and electronic communications—under the umbrella of federal wiretap law.(see footnote 43) While the purpose of ECPA was to maintain a balance between the privacy of citizens and the needs of law enforcement,(see footnote 44) much of the impetus for the law was a determination by Congress that electronic communications lacked sufficient safeguards against governmental and third-party interception.(see footnote 45) Congress found that the law had not kept pace with the development of new electronic technologies, and that ''the use of sophisticated technologies for surveillance purposes . . . presents dangers to society.''(see footnote 46) The Office of Technology Assessment found that the use of advanced technology for surveillance could infringe upon First, Fourth and Fifth Amendment protections, as well as the statutory safeguards of Title III and other laws.(see footnote 47) It concluded that ''[o]ver time, the cumulative effect of widespread surveillance for law enforcement, intelligence, and other investigatory purposes could change the climate and fabric of society in fundamental ways.''(see footnote 48)
Page 178 PREV PAGE TOP OF DOC
Such findings were foremost in the minds of ECPA's drafters. As the Senate Report on ECPA noted, ''[w]hen the Framers of the Constitution acted to guard against the arbitrary use of government power to maintain surveillance over citizens, there were limited methods of intrusion into the 'houses, papers, and effects' protected by the fourth amendment.''(see footnote 49) It added that ''development of new methods of communication and devices for surveillance has expanded dramatically the opportunities for such intrusions.''(see footnote 50) After pointing to ''tremendous advances in telecommunications and computer technologies'' as well as surveillance techniques, the Report stated that ''[e]lectronic hardware making it possible for overzealous law enforcement agencies, industrial spies and private parties to intercept the personal or proprietary communications of others'' required changes in Title III.(see footnote 51) The Report concluded that ''the law must advance with the technology to ensure the continued vitality of the fourth amendment. Privacy cannot be left to depend solely on physical protection, or it will gradually erode as technology advances. Congress must act to protect the privacy of our citizens. If we do not, we will promote the gradual erosion of this precious right.''(see footnote 52)
Congress did not make this change out of devotion to some abstract principle. Rather it was well aware of a history of ''tapping and bugging [in which the government] targeted many people who might not normally appear to be appropriate targets.''(see footnote 53) Indeed, the Church Committee investigations in the 1970s revealed the FBI had used electronic surveillance to investigate Dr. Martin Luther King, Jr., Congressman Harold Cooley, dissident groups and journalists among many others.(see footnote 54) After providing detailed accounts of improper use of electronic surveillance by the FBI and other government agencies, the Church Committee noted that ''[t]echnological developments in this century have rendered most private conversations of American citizens vulnerable to interception and monitoring by government agents.''(see footnote 55) Accordingly, the Report found:
Page 179 PREV PAGE TOP OF DOC
By their very nature . . . electronic surveillance techniques also provide the means by which the Government can collect vast amounts of information, unrelated to any legitimate governmental interest, about large numbers of American citizens. Because electronic monitoring is surreptitious, it allows Government agents to eavesdrop on the conversations of individuals in unguarded moments, when they believe they are speaking in confidence. Once in operation, electronic surveillance techniques record not merely conversations about criminal, treasonable, or espionage-related activities, but all conversations about the full range of human events. Neither the most mundane nor the most personal nor the most political expressions of the speakers are immune from interception. Nor are these techniques sufficiently precise to limit the conversations overheard to those of the intended subject of the surveillance: anyone who speaks in a bugged room and anyone who talks over a tapped telephone is also overheard and recorded.
The very intrusiveness of these techniques implies the need for strict controls on their use, and the Fourth Amendment protection against unreasonable searches and seizures demands no less. Without such controls, they may be directed against entirely innocent American citizens, and the Government may use the vast range of information exposed by electronic means for partisan political and other improper purposes. Yet in the past the controls on these techniques have not been effective; improper targets have been selected and politically useful information obtained through electronic surveillance has been provided to senior administration officials.(see footnote 56)
The revelations of the Church Committee were a catalyst for positive reform. Nevertheless, recent reports indicate that there is always the potential for abuse. For example, it has been estimated that in Los Angeles alone there have been ''hundreds of secret 'handoff' taps and electronic intercepts, [and] by extrapolation, thousands of Los Angeles residents have had their telephone conversations secretly and illegally monitored by LAPD.''(see footnote 57) Given such reports it should come as no surprise that a majority of Americans are deeply skeptical of wiretapping as an investigative tool. During fifteen years of surveys conducted by the Department of Justice, the percentage of the U.S. population that approved of the use of wiretapping never exceeded 30 percent. The level of disapproval ranged from 70 to 80 percent across all demographic groups.(see footnote 58)
Page 180 PREV PAGE TOP OF DOC
Congress' most recent effort to address these issues was the enactment in 1994 of the Communications Assistance for Law Enforcement Act (''CALEA'').(see footnote 59) It again sought to ''preserve the balance sought in 1968 and 1986'' in the face of a now accelerated pace of change in telecommunications technology.(see footnote 60) Although the legislation enacted in 1968 and 1970 had made clear that telecommunications carriers were required to cooperate with law enforcement personnel in conducting electronic surveillance, CALEA is the first statute to impose upon telecommunications carriers an affirmative obligation to modify and design their equipment, facilities, and services ''to ensure that new technologies and services do not hinder law enforcement's access to the communications of a subscriber who is the subject of a court order authorizing electronic surveillance.''(see footnote 61) However, Congress also made clear that CALEA was intended only to preserve the status quo in surveillance capabilities. The law was intended to set ''both a floor and a ceiling'' on the ability of law enforcement to conduct electronic surveillance.(see footnote 62) While CALEA was intended to ensure that new technologies would not reduce law enforcement's existing surveillance capabilities, it also was carefully crafted to prevent any expansion of those capabilities.(see footnote 63)
CALEA also expanded privacy and security protection for telephone and computer communications in certain other respects.(see footnote 64) For example, Section 103(a)(4)(A) requires carriers to perform their obligations under the statute ''in a manner that protects—[ ] the privacy and security of communications and call-identifying information not authorized to be intercepted'' by law enforcement.(see footnote 65) Section 103(a)(2) prohibits the use by law enforcement of pen registers and trap and trace devices to obtain tracking or location information on a targeted subscriber, other than that which can be determined from a telephone number.(see footnote 66) Section 208 requires that law enforcement use reasonably available technology to minimize information obtained through pen registers.(see footnote 67) Section 207 enhances the protection of e-mail and other transactional data, such as transactional logs containing a person's entire on-line profile, by requiring the presentation of a court order by law enforcement officials, rather than a mere administrative subpoena, to obtain such information.(see footnote 68)
Page 181 PREV PAGE TOP OF DOC
CALEA also avoided imposing new obligations on ISPs. The legislative history specified that ''[t]he definition of telecommunications carrier does not include persons or entities to the extent they are engaged in providing information services, such as electronic mail providers, on-line services providers, such as Compuserve, Prodigy, America-On-Line or Mead Data, or Internet service providers.''(see footnote 69) This is not to suggest that Internet communications are somehow immune from electronic surveillance when appropriately authorized under ECPA. Congress made clear that CALEA did not expand or contract the ability to conduct such surveillance, and that ''law enforcement will most likely intercept communications over the Internet at the same place it intercepts other electronic communications: at the carrier that provides access to the public switched network.''(see footnote 70)
Given the vast changes in computer and communications technologies, we currently face much the same situation that existed in the mid-1980s, when Congress adopted ECPA. The law enforcement community points out that the law must be changed to preserve its mission to prevent and punish crime, while the civil liberties community warns of grave dangers to personal privacy and the Fourth Amendment. Each group may emphasize different aspects of the problem, but all agree on one fundamental issue: the law must be updated to keep up with changes in technology.
Pen Registers and Trap and Trace Devices
One aspect of the problem identified by the President's Working Group on Unlawful Conduct on the Internet involves authorizations for pen registers and trap and trace devices. Pen registers are devices used to record telephone numbers that are dialed from a telephone, and trap and trace devices are used to determine the number of origin of a telephone call. Among other things, there have been calls for clarification that authority to use such devices extends to equipment that may be installed on the data networks of Internet Service Providers and for expanded ability to authorize such surveillance across judicial districts.(see footnote 71)
Page 182 PREV PAGE TOP OF DOC
The Supreme Court has held that the information that may be obtained by pen registers or trap and trace devices is not protected by the Fourth Amendment because individuals do not have a reasonable expectation of privacy in the numbers dialed on a telephone.(see footnote 72) In reaching this conclusion, the Court stressed the limited capabilities of such devices, noting that ''pen registers do not acquire the contents of communications.''(see footnote 73) The Court has emphasized that:
[A] law enforcement official could not even determine from the use of a pen register whether a communication existed. These devices do not hear sound. They disclose only the telephone numbers that have been dialed—a means of establishing communication. Neither the purport of any communication between the caller and the recipient of the call, their identities, nor whether the call was even completed is disclosed by pen registers.(see footnote 74)
In the absence of constitutional protection for such information, federal law prescribes a regime governing pen registers or trap and trace devices. Sections 3121–3127 of ECPA establish procedures for law enforcement officials to obtain authorizations for the use of such devices. However, given the more limited information that may be acquired, the law prescribes a far lesser threshold for obtaining a pen register order than it does other forms of electronic surveillance.(see footnote 75) ECPA provides that a court ''shall enter an ex parte order authorizing the installation and use of a pen register or trap and trace device'' where a law enforcement officer certifies that the ''information likely to be obtained is relevant to an ongoing criminal investigation.''(see footnote 76)
Page 183 PREV PAGE TOP OF DOC
Law enforcement authorities have begun to get court orders for the installation of such devices at ISPs. The President's Working Group on Unlawful Conduct on the Internet has described pen registers and trap and trace devices as ''important tools in the investigation of unlawful conduct on the Internet.''(see footnote 77) While I have no reason to question this assessment, my discussions with both law enforcement officials and those in the online industries have not turned up more than a handful of accounts of ISP-directed trap and trace orders out of the thousands that are issued each year.(see footnote 78) Unfortunately, current law does not require public reporting of the number of such orders when applied to ISPs, so there is no way to determine the extent of the problem.
Nevertheless, it is becoming increasingly clear that the ''pen register'' and ''trap and trace'' concepts as set forth in ECPA do not fit well in the online environment. Nor is it valid to assume that such devices do not raise Fourth Amendment issues given that the type of information potentially available from an ISP by a ''pen register'' greatly exceeds the type of information normally available when one is installed on a telephone line. As Congress noted when it expanded statutory protection for transactional records under Section 2703, ''in the eight years since the enactment of ECPA, society's patterns of using electronic communications technology have changed dramatically. Millions of people now have electronic mail addresses. Businesses, nonprofit organizations and political groups conduct their work over the Internet. Individuals maintain a wide range of relationships on-line.''(see footnote 79)
As a matter of legal interpretation, the current law does not clearly apply to ISPs and Internet communication. Section 3127 of ECPA defines a pen register as:
Page 184 PREV PAGE TOP OF DOC
a device which records or decodes electronic or other impulses which identify the numbers dialed or otherwise transmitted on the telephone line to which such device is attached, but such term does not include any device used by a provider or customer of a wire or electronic communication service for billing, or recording as an incident to billing, for communications services provided by such provider or any device used by a provider or customer of a wire communication service for cost accounting or other like purposes in the ordinary course of its business.(see footnote 80)
ECPA defines a trap and trace device as ''a device which captures the incoming electronic or other impulses which identify the originating number of an instrument or device from which a wire or electronic communication was transmitted.''(see footnote 81)
The legislative history of these provisions suggests that Congress intended the terms ''pen register'' and ''trap and trace device'' to refer only to devices used in connection with telephone systems. The legislative history states that:
Pen registers are devices that record the telephone numbers to which calls have been placed from a particular telephone. These capture no part of an actual telephone conversation, but merely the electronic switching signals that connect two telephones. The same holds true for trap and trace devices, which record the numbers of telephones from which calls have been placed to a particular telephone.(see footnote 82)
Page 185 PREV PAGE TOP OF DOC
Consistent with the statutory language and legislative history, reviewing courts have interpreted these provisions literally, and narrowly. For example, the Fourth Circuit refused to classify a digital display pager clone as a pen register, despite the fact that it displays phone numbers, because it does not fit the precise definition provided in the text of the statute.(see footnote 83) Similarly, Section 3123 was held inapplicable to use of digital analyzers in mobile situations to display numbers dialed from a cellular telephone.(see footnote 84) There the court noted that ''the statute should be strictly construed, and any ambiguity in its scope must be construed narrowly.''(see footnote 85)
Although the court in Digital Analyzer held that no order was needed for the interception of numbers dialed by a cellular phone, it declined the government's request for a prophylactic order and to extend the pen register provisions ''by analogy.'' In addition to the problem that the wireless interception of dialed numbers did not fit the literal terms of ECPA, the court noted that such an order ''would not ensure sufficient accountability'' where ''law enforcement officers us[e] advanced technology that might threaten privacy rights.''(see footnote 86) Among other problems, the court noted that ''calls made by others than the subjects of the investigation could be inadvertently intercepted,'' that ''all such telephones could be analyzed without any record being produced,'' and that the collection of subscriber information would be authorized ''without specific and articulable facts showing that a particular subscriber's records will be material to an ongoing criminal investigation.''(see footnote 87)
The President's Working Group on Unlawful Conduct on the Internet has recognized the dissonance between ECPA's language and current technology. It pointed out that:
Page 186 PREV PAGE TOP OF DOC
[A]dvances in telecommunications technology have made the language of the statute obsolete. The statute, for example, refers to a ''device'' that is ''attached'' to a ''telephone line,'' [18 U.S.C.] §3127(3). Telephone companies, however, no longer accomplish these functions using physical hardware attached to actual telephone lines. Moreover, the statute focuses specifically on telephone ''numbers,'' id., a concept made out-of-date by the need to trace communications over the Internet that may use other means to identify users accounts.''(see footnote 88)
Beyond pure questions of legal interpretation, the nature of information gathering using a ''pen register'' and ''trap and trace'' device is far different in the online environment compared to traditional telephone systems. It is true that information such as electronic mail is sent over the telephone lines ISPs use to connect their data networks to the telecommunications system, but these facts do not convert the facilities of Internet service providers into ''telephone lines.''(see footnote 89) A trap and trace device or pen register for Internet-based communications is installed on the data network of an ISP, not on a telephone line, and the information which may be intercepted is not limited to that transmitted over a single subscriber line.
The trap and trace provisions of ECPA clearly contemplate making a physical connection to a dedicated telephone line, which envisions a different type of network configuration than exists for Internet-based systems:
[T]he Internet is what is known as a packet-switched network. In a packet-switched network, there is no single, unbroken connection between sender and receiver. Instead, when information is sent, it is broken into small packets, sent over many different routes at the same time, and then reassembled at the receiving end. By contrast, the telephone system is a circuit-switched network. In a circuit-switched network, after a connection is made (as with a telephone call, for example), that part of the network is dedicated only to that single connection.(see footnote 90)
Page 187 PREV PAGE TOP OF DOC
The use of pen registers or trap and trace devices to intercept packetized network information raises privacy concerns of a far different magnitude than the Supreme Court contemplated in Smith v. Maryland. Such information is not the conceptual equivalent of a telephone number, as some suggest. The substance of this issue was addressed by the FCC in its rulemaking proceeding implementing CALEA. There, the Commission found that interception of packet-mode communications raises significant technical and privacy concerns because call routing information and content are both contained in the packets.(see footnote 91) Thus, interception of packetized information potentially allows the government to ''receive both call identifying information and call content under a pen register.''(see footnote 92)
New York courts have addressed the privacy implications of pen registers that may be ''converted'' to receive the contents of communications. In People v. Bialostok, for example, the New York Court of Appeals held that, under the New York electronic surveillance statute, a pen register capable of being used as a listening device required an eavesdropping warrant obtainable based on probable cause, rather than merely a judicial order obtainable based on reasonable suspicion.(see footnote 93) The court held that the facts that the device's audio function was disabled, and that no conversations were actually heard, did not remove the need for a warrant. Although Bialostok involved the interpretation of New York law, it is relevant to the constitutional principles underlying federal wiretap law.(see footnote 94)
Subsequent decisions have held that such ''convertible'' pen registers may not be considered wiretaps per se, but the nature of the technology must be carefully reviewed. In People v. Kramer, for example, the New York Court of Appeals noted that pen register technology must be scrutinized as it is used in a given investigation. The court noted that ''the appropriate judicial assessment should include not only the capacity of the device used to intercept, hear and record communication, but the manner in which it does so and its susceptibility to evasion of statutory, precedential, and even constitutional protections.''(see footnote 95)
Page 188 PREV PAGE TOP OF DOC
I believe it would be appropriate to Congress to address similar questions if it decides to amend the law so as to end the confusion regarding use of pen registers or trap and trace devices for Internet-based communications.
Mr. CANADY. Mr. Blaze.
STATEMENT OF MATT BLAZE, RESEARCH SCIENTIST
Mr. BLAZE. Thank you, Mr. Chairman. I should point out that my comments here don't necessarily represent the viewpoint of my employer. I am here, so to speak, on my lunch hour, to provide a scientific and technical perspective.
My interest in the problem of intercepting traffic on the Internet for analysis dates back to my doctoral work where I built a system to collect traffic that I would analyze as part of my dissertation work. What I discovered then and what has certainly become even more the case, as we have gone to a higher speed in more complex kinds of networks with more protocols running on top of them, is that the problem of collecting data from Internet packets, on the packet level, is a very subtle and difficult one. So my comments today address the question not of how do we insure against the possibility of malice or misdeeds on the part of law enforcement, but starting from the premise that everybody is acting with goodwill and perfectly honestly. Even still, it is difficult to be sure that the tools being used to collect information from packets in the way Carnivore does are behaving faithfully and reliably.
Page 189 PREV PAGE TOP OF DOC
In particular, there is a strong possibility that omissions of collected data or garbling of collected data could cause misleading results that could put information collected out of context, or collect data inadvertently that should be attributed to another source or destination than it may initially appear.
There is no systematic way, unfortunately—we in the computer security community learned this over and over again, these are hard-won lessons—there is no systematic way to deal with large complex systems of software, particularly when the function of the software is security-critical. Certainly, Carnivore is a security-critical function. One of the particular difficulties of managing complex secure systems is that very often they fail silently. They fail in a way that leaves the observer to believe that they are working properly, but in fact, subtle bugs mean that there are vulnerabilities or mistakes there anyway. So we have the problem of being concerned with the reliability of data collected by a complex piece of analysis software, and the problem of ensuring that something connected deep within the infrastructure of an Internet Service Provider isn't itself vulnerable to external tampering or could itself have control taken over by a malicious third party who is able to get access to it by exploiting some bug.
There are two ways that we stumble along in trying to assure ourselves that complex systems that we want to rely on are, in fact, trustworthy. One is by focused review by experts, by audits, and I certainly want to strongly advocate that the kind of focused review by independent experts that was discussed on the first panel be done. But there are limits to what a limited set of experts can ever discover. We discover again and again that even after a security audit, new information comes out about the environment in which the software may be used, or something may have been missed by the panel of experts that could only be known by widespread publication of the source code and details of the architecture of the system. The security community pretty much unanimously supports the idea that source code should be published for any system that performs a vital security critical function, and I think the Carnivore system is a very good example of this.
Page 190 PREV PAGE TOP OF DOC
Now, one of the objections raised to doing this in the case of Carnivore is that it might provide aid and comfort to the targets of investigations who might find ways to circumvent the system. I think in the case of Carnivore, the existence, the mere existence and the architectural details of the Carnivore system don't really provide much help to someone who wants to evade it. It is very much like knowing the details of how a tape recorder works. It doesn't help, you know, that there is actually a microphone that has been installed in your apartment. Instead, the important information that a criminal would be interested in are the details of whether or not Carnivore has been installed in a particular place and, of course, no one advocates publishing the details, the operational details of specific Carnivore installations.
So, in summary, I recommend that while neither focused review by independent experts nor publication of source code are panaceas and ensure against any possible problem or abuse, these are essential steps, widely recognized essential steps that certainly should be done in this case, and I hope that will happen. Thank you.
Mr. CANADY. Thank you, Mr. Blaze.
[The prepared statement of Mr. Blaze follows:]
PREPARED STATEMENT OF MATT BLAZE, RESEARCH SCIENTIST
I INTRODUCTION
Recent press reports have disclosed the existence of an FBI Internet wiretap device, known as ''Carnivore''. This is troubling for many reasons, not the least of which is that it is unclear just what the software and hardware does or how it works.
Page 191 PREV PAGE TOP OF DOC
In the U.S., there are serious legal restrictions on the use of wiretaps by police agencies. The Supreme Court has consistently held that wiretaps qualify as searches under the Fourth Amendment.
Unrestricted wiretapping is clearly unconstitutional. Wiretap warrants must specify clearly whose material may be searched. A blanket search of all traffic on the Internet for, say, ''any email messages containing the phrase 'weapons-grade plutonium' '' would clearly be prohibited.
Federal rules on police wiretapping mandate special procedures designed to comply with Fourth Amendment protections against illegal searches. Each application for a wiretap warrant must supply copious detail on why a particular wiretap is needed, what lines are to be tapped, and why. The law also mandates ''minimization'' of the interception of communications not covered by the order, and requires that intercepts be recorded in a way that protects the contents from editing or alteration. Law enforcement agencies follow elaborate procedures for handling intercepted telephone calls. ''Chains-of-evidence'' help prevent tampering. Any intercepted traffic not covered by a warrant is discarded under supervision. When wiretap evidence is introduced at a criminal trial, the defense is entitled to examine the recordings and the processes used to create them and may challenge any discrepancies found.
Internet wiretapping, however, introduces several new technical problems. Unlike tape recordings of the human voice, it is not self-evidently obvious who said (or typed) intercepted Internet traffic. Message headers can be forged to falsely identify the source or destination of traffic. Digital messages (especially electronic mail) can be modified along their routes to change meaning or eliminate contextual details. Software bugs often make it possible for a third party to relay traffic through a computer without its owner's knowledge or cooperation. This kind of malicious tampering might occur long before the traffic reaches the interception point and without any evidence that it has happened. An intercepting law enforcement agency might have no reason to believe that it had been duped.
Page 192 PREV PAGE TOP OF DOC
Even more seriously, the shared nature of Internet connections means that data packets from one user are almost immediately mixed in with those of others. Unlike the telephone system, where a single line serves a single customer and identifying a call of interest allows one to monitor the entire conversation, every Internet packet—and these are each just a very small piece of a conversation or email message—is individually addressed. That is, traffic on the Internet is much more like a series of small telegrams passing back and forth. Furthermore, the sender and recipient of these telegrams are identified only by ''IP addresses''—random-looking numbers that can change over time—instead of names or telephone numbers. Any equipment or software used to collect Internet traffic as part of a legal wiretap must be written very carefully to ensure that the traffic it collects is, in fact, precisely what was intended for collection, neither more nor less. Doing this correctly is far more difficult than it might at first seem.
II CARNIVORE AND EAVESDROPPING
According to published reports, Carnivore operates by eavesdropping on all network traffic on some link or links, examining it, and deciding what pieces are relevant, i.e., covered by the wiretap order. It is not obvious how this is done. For email, one can identify the recipients by looking at the mail transmission protocol traffic; the sender, however, cannot be identified without looking at the body of the letter, and not even then if a very modest attempt is made at concealment or forgery of the return address. A considerable amount of traffic would need to be saved and analyzed for this to work; that alone is troubling.
A more reliable mechanism is to use the IP address. But IP addresses are often dynamically assigned. The only way for an eavesdropping box to learn which IP addresses are interesting is to spy on the messages that assign IP addresses to particular users. That is, it has to learn of all users who are signed on in order to decide whose traffic is of interest. Even this is not completely reliable; if the monitoring box misses the sign-off message—and it is quite common for monitoring tools to miss some packets, especially on heavily-loaded networks—another user's traffic could very easily be picked up.
Page 193 PREV PAGE TOP OF DOC
Even omissions of traffic that should have been monitored can be serious. An innocent email reply may appear to be incriminating if exculpatory context is missing.
Carnivore's job is made especially difficult by the fact that it must be at least somewhat general-purpose in its design. It must be able to be configured to operate reliably on a variety of Internet service provider (ISP) networks, under a wide range of operational conditions. A configuration that might result in correct operation at one ISP might result in erroneous or incomplete interception at another. There may be a significant risk that some Carnivore installations do not always collect all (or only) the traffic they are supposed to. Without knowing the details of how Carnivore is configured or its internal structure, however, it is impossible to be sure of the extent of this risk.
There are partial solutions to some of the problems outlined above. The question, though, is to what extent these protections are implemented. Does the system restrict the monitored data to just some selected users? Does it have to accumulate other data in order to do this? Is the filtering done properly? Is the recorded data protected against alteration?
III OPEN SOURCE WIRETAPS
The problem of knowing what software actually does is, of course, an old one. In fact, the question arises with respect to the privacy behavior of commercial software; there have been many reports of off-the-shelf products disclosing information without the knowledge of their systems' owners. One principle that is increasingly accepted in the software community is ''open box'' software—software where the source code is open to inspection and modification by many different parties. (This concept is sometimes called ''open source''.) Among the popular open source systems are the Linux operating system and the Apache Web server. The latter is more widely used than commercial offerings from Netscape or Microsoft.
Page 194 PREV PAGE TOP OF DOC
The basic premise is simple enough: the more eyes study a piece of software, the more likely it is that bugs will be found. In this case, a major question is design correctness: was the software designed to implement the legal strictures? Other notions of correctness are important as well. For example, can this software itself be attacked? Imagine the harm that a dedicated eavesdropping box can do if subverted! Open box software is not a panacea; it is still usually possible to configure secure software in an insecure manner, for example. But careful and wide scrutiny of the source code is the essential first step in developing confidence that any system behaves as it is supposed to.
It is difficult to overstate the value of the kind of widespread review that open source can provide for security-critical systems. Even intense review by small teams of experts often misses small but serious bugs that turn out to have severe security implications. For example, it was only review by the open research community that found several protocol failures in the National Security Agency's ''Clipper'' key escrow system, in spite of internal reviews by that Agency. Indeed, creating correctly operating security systems is considered to be such a extraordinarily difficult problem that there is little shame in having errors discovered once software is released for public scrutiny; it is an expected part of the quality assurance process.
In the case of wiretapping software, this issue even has legal ramifications. In any criminal trial involving wiretap evidence, the defense is sure to question the accuracy of the intercepts. Public scrutiny can only increase confidence in correct code, and hence in the correctness and completeness of the interception.
Page 195 PREV PAGE TOP OF DOC
We are not impressed with the argument that it would be illegal to release the package under 18 USC 2512, which prohibits possession of devices whose primary purpose is surreptitious eavesdropping. Basic traffic interception tools are a common and essential part of every network administrator's toolkit. Carnivore is primarily a set of filtering tools, the possession of which is not (and should not be) illegal.
We are also unimpressed with the argument that knowledge of the toolset might make it easier for criminals to evade detection. The simplest defense against Carnivore (or any eavesdropping system) is use of strong encryption. This is perfectly legal, reasonably easy, and effective against any sort of filtering. The mere knowledge that Internet monitoring can be done at all is sufficient to induce some people to encrypt; precise knowledge of how it is actually accomplished is much less important.
In summary, we conclude that releasing the source code to Carnivore will increase confidence that legal strictures can be obeyed and that intercepted evidence is accurate and reliable, while not carrying with it any significant risks.
Mr. CANADY. Mr. Baker.
STATEMENT OF STEWART BAKER, ATTORNEY, STEPTOE & JOHNSON
Mr. BAKER. Thank you, Mr. Chairman and members of the committee. I have been on both sides of these debates and I see both sides of this one. I think in some ways, both sides are stuck in the telephone world. A lot of the witnesses and some of the questions, suggest that ISPs take responsibility for doing these intercepts themselves. Actually, I think the FBI has answered this question about right: if the ISP wants to conduct the intercept itself, then fine, the ISP should do the intercept. But if you take a small ISP and say, ''you have to do the intercept yourself,'' the ISP is going to treat the assignment like an expensive unfunded mandate. There is no reason why the ISP is going to do the intercept with more regard to privacy protection than the FBI. In fact, if the ISP conducts the intercept by itself, there is going to be less oversight. The ISP is not like the old phone company, which could just hire somebody to do wiretaps every day and add it to the rate base. The ISPs are not going to implement the same privacy protections as the phone companies, especially if they are small ISPs and don't want to play this role. And I will tell you that there are plenty that really do not want this role, in spite of the noisier ones who do.
Page 196 PREV PAGE TOP OF DOC
That said, the FBI and the Justice Department are also living in the past: we heard them say that citizens don't have an expectation of privacy when information is in the hands of a third party. In the Internet age, that is just crazy. Our entire lives are in the hands of third parties. To treat the ''to-and-from'' lines in e-mails as if they are the same as the phone numbers that we dial is also bizarre. A phone company collects the phone numbers we dial because they send us a bill with those phone numbers every month. No one, however, expects the ISP to collect our ''to-and-from'' lines, especially not the ''from'' line, since they don't use the ''from'' line to deliver our e-mails. Such information is content, and law enforcement must obtain a title III order to collect it.
So if we can't rely on ISPs to conduct the pen registers and wiretaps, if we must rely on law enforcement to conduct the operations, how can we address the issues of privacy? First, as Mr. Nadler suggested, we ought to send a notice to people when they have been subjected to this kind of intrusion. We have a system presently that protects the privacy of criminals, but not the innocent people who have been or are being investigated. If Mr. Davidson were under investigation, and were he to send an e-mail to Mr. Taylor, the next step that law enforcement officials would take would be to put a cover on all of Mr. Taylor's incoming and outgoing e-mails. This operation would be perfectly relevant to an investigation because law enforcement would want to know whether Mr. Taylor is also corresponding with other individuals that they are investigating. And so, law enforcement would have access to 60 days or 120 days of Mr. Taylor's incoming and outgoing e-mail. And he would never know it, because should he not be indicted, he would never get to see the information about him that law enforcement had collected. I believe there should be notice and only the Congress can make them happen.
Page 197 PREV PAGE TOP OF DOC
Second, there ought to be oversight. Again, the audit provisions are very protective of criminals, but not of innocent people. The criminal defense attorneys are going to get to see this, and they are going to be able to follow that audit trail. But under current law, Mr. Taylor, if his e-mail has been intercepted, isn't going to get a chance to see that audit. There needs to be somebody who will conduct an audit on behalf of the ordinary citizen. We should not rely on criminal defense attorneys to do that for us.
Last point: if Congress wants to do something about this, it will have to do it quickly because Carnivore is not the only way in which law enforcement will conduct such investigations. The Communications Assistance and Law Enforcement Act had a provision that requires communications companies to provide ''trap-and-trace'' capability. The FBI has understood this to mean that the packet data carried by carriers has to have a ''trap-and-trace'' capability.
The FCC has said, it will require such carriers to have something installed, so that carriers will be expected to posses capability of ''trap-and-trace'' by September of 2001. But though the FCC has offered a deadline, it has not offered guidelines. There are only two ways to obtain the capability of conducting a ''trap-and-trace.'' Either let the FBI install Carnivore or go out and buy something equivalent to Carnivore. I am not sure those are not the only solutions that we want carriers to have, but unless the FCC backs off of its deadline and its current mandate, these are the only options that carriers will have, and it will be too late to install substantial controls. Thank you.
Mr. CANADY. Thank you, Mr. Baker.
Last but not least, Mr. Sachs. And I apologize for not having more table for you there.
Page 198 PREV PAGE TOP OF DOC
STATEMENT OF PETER WILLIAM SACHS, ICONN, L.L.C.
Mr. SACHS. That is okay. I am going to be very brief in the interest of time.
My name is Peter Sachs. I am the president of ICONN. We are a small Internet Service Provider in New Haven, Connecticut; and I believe I am one of the small ISPs that Mr. Baker may be referring to. We do have the capability—in fact, any ISP has the capability of supplying the FBI with exactly what it wants in a more accurate, more efficient and more private manner, because we have absolutely no need to look at anybody's information except for the——
Mr. NADLER. Could the witness speak up a little more, please?
Mr. SACHS. Any ISP can do this in as little as two lines of programming code. It doesn't require any machine. It doesn't require any specialized programming skills beyond the programming skills of a normal system engineer at an Internet Service Provider.
To confirm this statement, I asked my system engineer to set up a system to monitor all of my communications; and in less than an hour he was able to see everything that was sent to me or from me on his machine in clear, legible text. So there is no need for any specialized machine or any sort of specialized knowledge to be able to do this.
Page 199 PREV PAGE TOP OF DOC
Carnivore also creates an extreme security risk for an ISP. To allow a third party to attach a computer, especially a secretive computer that is accessible from a remote location to an Internet Service Provider, is unheard of. It just provides any hacker out there with yet one other doorway into which they can enter your network and essentially destroy your network along with all of the data of all of your customers.
Carnivore also presents a performance hit for an ISP. The moment you intercept all information flowing over an ISP's network, which is what Carnivore does, it causes a bottleneck. Bottlenecks cause slowdowns. As all of you know, the Internet is slow as it is. Slowing it down even further doesn't help matters much.
Lastly, it may have a chilling effect on the information that my subscribers or any ISP subscriber sends over the Internet. If you are not going to send something because you are afraid of its content or perhaps just its destination, it raises very valid first amendment concerns.
If the ISP gathers the data for the FBI under a court order, the FBI can't possibly see anything it is not supposed to see because they are only getting what we give to them. If the FBI does the work, they at least have the ability to see anything they want. And they do, in fact, have the ability to see anything they want. The former method protects privacy, and the latter method invites abuse.
Since the ISP can provide the ISP with exactly what it wants without imposing upon the privacy rights of all the subscribers, why Carnivore? Why use the most intrusive means if the least intrusive have means are readily available?
Page 200 PREV PAGE TOP OF DOC
Thank you.
[The prepared statement of Mr. Sachs follows:]
PREPARED STATEMENT OF PETER WILLIAM SACHS, ICONN, L.L.C.
Mr. Chairman, Mr. Ranking Member, members of the Subcommittee, I am Peter Sachs, President of ICONN, LLC, a New Haven, Connecticut based Internet Service Provider (''ISP''). I am also a licensed attorney in the State of Connecticut. I wish to thank you for the opportunity to appear before you today to address this important Fourth Amendment issue as it relates to communications made via the Internet.
My knowledge of the Internet is based upon my five years experience as an owner and operator of a small ISP. We provide Internet services to both business and residential customers throughout the state of Connecticut.
One of the services that we provide is the ability to send and receive electronic mail, or ''email.'' To better understand some of the issues at hand, it will be helpful to briefly explain how email works. When an email message leaves a sender's computer, it is broken up into unintelligible pieces of data called ''packets.''
Each packet knows where it came from and how to get where it's going because each packet contains the addresses of the sender and the recipient, just like an envelope. An Internet address is known as an ''IP Address'' and every computer connected to the Internet has a unique IP Address.
Page 201 PREV PAGE TOP OF DOC
By using the Internet's version of a ''road map,'' called Domain Name Service, the packets navigate the Net and ultimately arrive safely at the recipient's ISP. Upon arrival, the packets are reassembled by mail server software into a useful form and stored in the recipient's mailbox until the recipient retrieves it. Once retrieved, it is stored, if at all, on the recipient's computer.
The Internet has become nearly as common a communication tool as the telephone. It has been estimated that this year alone, over 6 trillion email messages will pass through mail servers in the United States.
The senders of those messages expect that their words, sounds and images will remain unread, unheard and unseen, until they are delivered to the intended recipient. In other words, they have an ''expectation of privacy. ''
One way to measure the legitimacy of an expectation of privacy is to determine whether a person has taken normal precautions to maintain that privacy. The fact that all Internet users need a password to retrieve their messages is evidence of even greater than normal precautions having been taken. Thus, Internet users truly expect and believe that their email is both private and secure.
In reality, email messages are no more and no less secure than U.S. Postal Mail. Electronic mail can be opened and read by an ISP in the same way that U.S. Postal Mail can be opened and read by a Postal Carrier. Of course, both professional ethics and Federal law prohibit these types of intrusions unless a valid court order permits it.
Page 202 PREV PAGE TOP OF DOC
When such a court order is issued, law enforcement authorities may intercept a specific person's communications. The interception of private communications in the course of an investigation is proper only when there is sufficient probable cause and only if such interceptions are limited with respect to the specific person, place and evidence sought. Anything intercepted that is outside of the scope of the court order amounts to an illegal invasion of privacy.
The FBI's new eavesdropping tool, aptly named ''Carnivore,'' is taking a large bite out of the privacy rights of each and every law-abiding citizen who communicates via the Internet. At this very moment, a government controlled computer, installed under court order at some ISP somewhere in this country is busy reviewing all communications passing through that ISP, including messages from and to you, the Members of Congress.
Nearly all of those communications are outside of the scope of whatever court order was issued. Nonetheless, those communications are being reviewed, if for no other reason, than to segregate them from the messages that are within the scope of the order.
The FBI claims that Carnivore has the ''surgical'' ability to intercept only those messages that are the subject of a lawful order while ignoring the rest. This is possible only if Carnivore can detect and then monitor only the IP Address assigned to the target during a particular online session.
To do this, Carnivore would have to continually monitor all logins to find the one login it is looking for. Intercepting all logins is the functional equivalent of intercepting the telephone number of every call initiated by every customer of a particular telephone carrier. I do not believe any court would permit such an extensive search with respect to a telephone carrier, nor should it be permitted with respect to an ISP.
Page 203 PREV PAGE TOP OF DOC
To avoid operating outside the constraints of a court order, Carnivore may instead be connected to the only other point where all data passes, the exit point of the ISP. If this is the case, the only method Carnivore could possibly use to distinguish the target messages from all others is to check each message. In other words, the only way that Carnivore can ''ignore'' messages it is not permitted to view is to actually view those messages.
Of course, the secretive nature of the Carnivore system prevents me from explaining its deficiencies in precise terms. Exactly what Carnivore does remains a mystery. Therefore, many of my conclusions are based upon my knowledge of ISP operations and the FBI's claims as to what Carnivore can accomplish.
First and foremost, I believe Carnivore violates the privacy rights of every person using the services of an ISP to which it is attached. Since Carnivore intercepts all communications coming from or going to an ISP, including communications outside the scope of the court order, it amounts to an unwarranted intrusion upon privacy rights of non-targeted persons.
Reviewing all data to find some data is neither the most efficient nor the least intrusive method of electronic surveillance. This is especially true when all ISPs, including small ISPs like ICONN, can easily supply the FBI with all of the information it needs in a timely, accurate and efficient manner and, most importantly, without imposing upon the privacy rights of those who are not the subject of an investigation.
According to the FBI, Carnivore was designed and developed because ISPs are unable to discriminate between a particular person's messages and all others. In fact, any ISP can intercept any subscriber's incoming and outgoing email messages, to the exclusion of all others.
Page 204 PREV PAGE TOP OF DOC
This can be done with as little as two lines of programming code. It requires no specialized computer system and it requires no special programming skills. It is truly a trivial task.
To confirm this statement, I asked my system engineer to create a program to intercept all of my communications. In less than an hour, all of the words I sent or received via email appeared on his computer in plain, legible text.
Moreover, an ISP can easily exclude all communications that are outside of the scope of the court order without ever looking at them because an ISP can and does detect each login as part of its internal operation. Using this method, only the messages of the target are intercepted and unwarranted intrusions are avoided altogether.
Carnivore also creates security ''holes'' in an ISP's network. It takes only six keystrokes to completely and permanently destroy a UNIX-based server. Thus, one of the most important capabilities of an ISP is its ability to prevent unauthorized access to its network.
ISPs employ a variety of hardware and software based security devices to prevent unauthorized access. Permitting a third-party's computer to be attached to an ISP's network, especially one that operates in total secrecy and is accessible from a remote location is simply unheard of.
Every computer operating system contains certain exploits or ''holes'' in its security features. A computer installed by the FBI is no less ''hackable'' than any other computer. Attaching Carnivore to an ISP's network provides hackers with a new potential point of entry, and one that that the ISP cannot lock.
Page 205 PREV PAGE TOP OF DOC
Since the ISP has no access to Carnivore, it must rely upon the FBI's assurances that their computers are indeed secure. Unfortunately, such assurances are of little comfort when one considers the frequency of successful hacks into government computers. Hackers even successfully defaced the White House web site last May. If they can get into the White House, they can get into an ISP thru Carnivore.
Carnivore also negatively affects an ISP's performance. Carnivore operates by intercepting all of the data traversing an ISP's network. All of that data is examined and most is sent back out as non-target data. However, the examination process creates a ''bottleneck'' at the point of interception thereby degrading network performance. This is especially true with larger ISPs.
Any bottleneck, no matter how large, slows things down. As all of you know, the Net is often frustratingly slow as it is. Slowing it down even further for all of the ISP's customers does nothing to help in customer retention.
Of course, the law forbids the ISP from explaining the reason for the slowdown. If subscribers cancel their accounts due to poor network performance is the government prepared to reimburse the ISP for the loss?
Carnivore's use may also expose an ISP to liability under the Electronic Communications Privacy Act. The ECPA forbids an ISP from revealing certain information to the government in the absence of a valid court order. However, even when presented with a valid court order, an ISP may still be found liable if it believed the government's actions exceeded its authority and it did nothing to prevent it.
Page 206 PREV PAGE TOP OF DOC
It is certainly arguable that the interception of all data on an ISP's network is excessive, and that the ISP should not have permitted it. An ISP should not be exposed to potential liability due to the secretive actions of the FBI.
Lastly, the use of Carnivore may have a ''chilling effect'' on constitutionally protected speech on the Internet. An Internet user may be less likely to send a particular message due to either its content or simply its destination. The perceived need to self-censor one's communications raises First Amendment questions.
The use of electronic surveillance is a proper and necessary tool for law enforcement. However, it should not be used in such a way as to intrude upon the privacy rights of the many, in order to catch the few. Electronic surveillance should only be used in a manner that avoids the detection of non-target communications. Carnivore does exactly the opposite.
If the ISP gathers the data in accordance with a court order, the FBI cannot view anything more than the ISP provides to it. If the FBI gathers the data, it is able to view everything. The former method protects privacy, while the latter invites abuse.
Since ISPs can provide the FBI with all of the information it needs and in a manner that preserves privacy rights, one must ask the question, why Carnivore? Why use the most intrusive means when the least intrusive means are readily available?
Members of the Subcommittee, I respectfully urge you consider the serious threat Carnivore poses to ISPs, Internet users and to the rights guaranteed by the Fourth Amendment to Constitution of the United States of America.
Page 207 PREV PAGE TOP OF DOC
Once again I thank you for considering my views. I will be happy to answer any questions that you may have.
Mr. CANADY. I want to thank all the members of this panel for your very helpful testimony.
I just have one question related to Mr. Sachs' testimony. Mr. Sachs has testified that doing the interceptions or executing a trap and trace or a pen register order is a simple matter for any ISP. Can be done in an hour. Just a little programming, and there it is. Now, that is not consistent with what the FBI has told us their understanding is.
And let me ask, I guess maybe Mr. Blaze and Mr. Perrine would be the two who might be in the best position to give me your take on whether it is closer to what Mr. Sachs says or exactly as Mr. Sachs says or what the FBI has had to say on that. Is it as simple—I am not trying to be—single out Mr. Sachs, but that is a fundamental question for us to look at. Is it as simple in your understanding as Mr. Sachs has presented it? Or does he have a program or has special expertise that other ISPs might not have?
Mr. PERRINE. Well, I can address that from the standpoint of tracing computer intrusions and attempted intrusions. I would say probably 30 to 50 percent of the ISPs that we contact don't keep much in the way of logs. We tend to deal with a lot of the smaller ISPs. We tend to see the same ISPs, the problematical ISPs over and over again. I think it is fair to say that many ISPs could solve this problem if they were motivated to.
Page 208 PREV PAGE TOP OF DOC
But it is not a profit center. They aren't making money cleaning up or preventing computer intrusions at other facilities, and they certainly aren't going to make any money providing information to the government. They are not financially motivated to do it. Some of them have the technical capabilities, and I would have to say that there are some of them that do not.
Mr. CANADY. Mr. Blaze.
Mr. BLAZE. From a technical perspective, the answer is like most subtle technical questions, ''it depends.'' the problem with a system like Carnivore, from the point of view of complexity, is that it has to be general purpose. It has to work under a wide variety of operational conditions. And it has to work for—to collect a wide range of kinds of information depending on what the court order is asking for.
Some ISPs may already have in their network, for example, logs of information. They may have, for example, port replication capabilities on switches that allow them much more conveniently than an external tool to collect the kind of data that Carnivore or a Carnivore-like system could only collect with some trouble and with some difficulty assuring yourself that it is operating correctly. In other cases, there may not be the exact capability required.
Mr. CANADY. It depends.
Mr. PERRINE. If the equivalent of Carnivore were available in open source, that would lower the barriers to entry for the smaller and less technically capable ISPs to provide this information. And I think that that is something that is quite feasible. It is not a 6-day project; it is not a 6-year project; it is probably on the order of, I think, 3 to 9 months at the outside for the open source community to reproduce large parts of the Carnivore system. And that would make it easier for smaller ISPs to provide this information themselves.
Page 209 PREV PAGE TOP OF DOC
Mr. CANADY. Mr. Davidson.
Mr. DAVIDSON. Perhaps part of the problem in coming up with an answer is that we don't know exactly what Carnivore is doing. There seems to be a certain subtlety of analysis that the FBI is seeking, and perhaps the FBI's interpretation of what number is dialed on the telephone in terms of extrapolating it to the Internet might be different than many of us would think it would be. So it is hard to answer what the ISPs can do, what Carnivore does, until we know what Carnivore does.
Mr. CANADY. I understand that. But I also understand the FBI's problem with making the source code publicly available if there are proprietary interests there. I mean, there are other people's rights that have to be taken into account if they have used proprietary information in developing that. So I don't know how you resolve that. It may be that you just develop another product that could be used in the way that Mr. Perrine described it.
I want to conclude my time by thanking all of you for your contributions. It has been very interesting. And I would also ask that you be open to receiving questions from the committee and responding in writing if the committee sends you questions. That may help us as we complete the development of the record for the hearing. But thank you very much.
I recognize the gentleman from North Carolina, Mr. Watt.
Mr. WATT. Thank you, Mr. Chairman; and in the interest of time I will try to be very brief, too. I have got two technical questions, also.
Page 210 PREV PAGE TOP OF DOC
Mr. Perrine mentioned the possibility of doing something similar to Carnivore on an open source basis. Am I mistaken that that would create a different set of problems? Wouldn't that, in effect, make the technology available to everybody—you are not suggesting that I walk into Radio Shack and buy me a Carnivore system so I could tap into everybody's Internet.
Mr. PERRINE. Well, actually, I almost am. It turns out that Carnivore appears to be functionally similar to network sniffers that are actually shipped with commercial operating systems and free operating systems today. The special purpose or the special magic for Carnivore appears to be that it is capable of filtering out information in ways that other people haven't had an incentive to write a program to do it and also that it can monitor higher speed networks. And I believe that that is probably where a large part of the proprietary code is, is in the very high speed monitoring.
As other people have mentioned, the idea is to connect all of the large pipes down to small pipes and then monitor those. And if the ISP can do that, then they don't need the ultra-high-speed monitoring capabilities.
I think Matt has——
Mr. BLAZE. I addressed some of this in my written testimony. But the important point is that there is something sinister about the basic functionality of network sniffers. They are an essential tool used by anyone who has to administer a network such as an ISP or a local area network administrator. These tools are commonplace. They are widely available. They may not have the—they don't have the requirements for keeping the kinds of legal audit trails that a system like Carnivore would have. So the additional capabilities that something like Carnivore has don't provide additional interception capabilities but rather provide these legal assurances and chains of evidence and audit trails that open source would benefit greatly from and that wouldn't provide any great aid to bad guys.
Page 211 PREV PAGE TOP OF DOC
Mr. WATT. Mr. Baker.
Mr. BAKER. I think the FBI is right on this issue. If you publish exactly how law enforcement filters this information, then potential criminals will try to write their e-mail addresses in ways to avoid that particular filtering method. It is really not a good idea to publish this. The likelihood that the open source community will embrace Carnivore as a project is questionable. There are going to be very few benefits from doing that and a lot of costs.
Mr. WATT. Mr. Corn-Revere raised an issue that I want to not have him address because he has already acknowledged that he doesn't have the technical capacity to address it. But Mr. Blaze and Mr. Perrine and Mr. Davidson maybe Mr. Sachs, Mr. Corn-Revere raised the prospect that Carnivore could be accessible remotely. I think I understand what that means, that you could—the FBI could sit in an office somewhere else and change the program and manipulate it from some remote location. That is what you are intending, Mr. Corn-Revere?
Mr. CORN-REVERE. That is correct.
Mr. WATT. Okay. Tell us whether that is technically feasible. Since Mr. Corn-Revere doesn't know the answer to that, give me my technical experts.
Mr. PERRINE. I believe that is the case.
Mr. WATT. It can be.
Page 212 PREV PAGE TOP OF DOC
Mr. PERRINE. I had a very limited time to see it but, I believe that is true.
Mr. CANADY. Mr. Blaze.
Mr. BLAZE. I would point out that the ability and necessity to be remotely controllable and configurable is precisely what we in the security community are made very nervous by. That capability potentially, if not implemented very, very carefully, could allow an external hacker third party to gain control of the system and potentially do quite a bit of damage.
Mr. CANADY. Mr. Davidson, Mr. Sachs, if you'll address that question, I will leave everybody else alone.
Mr. SACHS. The remote accessibility is almost as bad as the invasion of privacy. Given the record of hacking of government Websites which happens almost on a weekly basis, the fact that the secure Carnivore machine is going to be out there accessible remotely means any hacker can get into a system. If they could get into the White House and hack that site, they can get into an ISP through Carnivore.
Mr. DAVIDSON. Changing the configurations remotely to the extent it is possible I think removes part of the check that we would hopefully think exists in which the ISP is in some way an intermediary of how the device is deployed. So that raises another concern.
Page 213 PREV PAGE TOP OF DOC
Mr. WATT. Thank you, Mr. Chairman.
Mr. CANADY. The gentleman from Alabama is recognized for 5 minutes.
Mr. BACHUS. Thank you.
Is there any rationale that any of you can think of why electronic mail or information traveling over the Internet should have less protection than, say, a person's telephone calls or their faxes or either of their private mail?
Mr. STEINHARDT. No. To the contrary, I think that, in fact, it should have at least a great as protection as we currently give to voice communications, for example, in title III. There is a crying need, really, for the Congress to update the Electronic Communications Privacy Act to bring it into line with the expectation of privacy that I think that Mr. Nadler suggested and that most of us have. These are, in many respects, our most communications, involves our most sensitive data and our most private thoughts. We do need to bring those into line.
If I can for just a second, the administration, I think partly in response to the Carnivore controversy, made some suggestions the other day. Mr. Podesta made some proposals. In my testimony I have gone through those proposals in detail. When you get a moment I urge you to take a look at that.
Page 214 PREV PAGE TOP OF DOC
But I want to stress this one point. Those proposals are not a solution to the Carnivore problem. Tweaking the surveillance laws, the wire-tapping laws doesn't get to the heart of the Carnivore problem, which is that it is a device that does allow the FBI to filter through, potentially to capture huge volumes of communications, most of which are completely unrelated to the target of the investigation. That is the real problem with Carnivore that the committee needs to address. Congress needs to address I think by telling the FBI clearly, if it is not already clear in the statute, that it doesn't have the authority to force a service provider to install a device like Carnivore.
Mr. BACHUS. Mr. Davidson.
Mr. DAVIDSON. In the interest of time, I would just like to say ditto and add one point, which is that e-mail is really just the tip of the iceberg. That was part of the point I was trying to make, is that the home has exploded. Things that we used to keep in our possession are now making their way out on to network. This is a trend that is only going to increase. Financial records, health records, stock portfolios, information about your kids all being stored somewhere else. Once it leaves your possession, the kind it protection it has under law is greatly diminished. I think that is really the challenge here for this Congress to think about how we deal with that.
Mr. BACHUS. I think Justice Brandeis predicted about 40 years ago that one day the government would be able to come into your home and basically determine everything you did and said, and I think maybe that day has arrived. Anyone else wish to comment on that?
Page 215 PREV PAGE TOP OF DOC
I read a question to the first panel which was that you can't go to the AT&T and say we are going to analyze all the phone calls that go through your system. I mean that is true, right? You can't do that. But isn't that what they are doing with ISP providers?
Mr. STEINHARDT. I think that is exactly what they are doing with an ISP providers. It is not so much a technical issue; it is a legal issue. I think the FBI and law enforcement accepts it could not go to a telephone provider and install a Carnivore-like device, the kind that Mr. Perrine referred to. He said that was settled 30 years ago, and I think he is quite correct. I think the legal basis for doing that to an Internet Service Provider is at least equally suspect, but it may take an act of Congress to clarify that point.
Mr. BACHUS. I think clearly the marketplace and technology has outrun the law and in doing so has overrun our legal protections that have been in the law for years.
Let me ask you this: In your experiences, what procedures are typically followed to notify customers when information from Internet Service Providers and other companies about them is subpoenaed or requested by the government? Is there any notice?
Mr. BAKER. It depends entirely on the policy of the ISP. Some ISPs have a policy of sending notice, others do not. There is no requirement one way or the other. However, it seems to me that notice is a good idea, and the government should send notice rather than ISPs.
Mr. BACHUS. It is my understanding that what they are saying is they don't have to give notice if there is a reasonable expectation that if they gave notice the communications would stop, and I think in every case where they gave notice it would be a reasonable expectation that the communications would stop.
Page 216 PREV PAGE TOP OF DOC
Mr. DAVIDSON. In some circumstances, we have delayed notice. And I think that that serves a very important purpose here, too. I think there will be circumstances where that is appropriate. At least then you know that this is happening, the chance to object to it even if it is after the fact.
Mr. CANADY. The gentleman's time has expired.
The gentleman from Michigan, Mr. Conyers, is recognized.
Mr. CONYERS. I begin by thanking the second panel because this has served as a very important corrective for what we were just told a couple hours earlier. And I am sorry to hear that we ought to move very rapidly on this matter because the clock is running down on the 106th Congress. There is not much likelihood of that. But I am hoping this will prepare us for a much deeper investigation that we are going to have to indulge in.
Let me thank specifically, though, the American Civil Liberties Union because of, in addition to this complex subject, its work on a number of other issues that come before the Judiciary Committee. And so I am glad to see them working here as well.
Is there a feeling that we should probably try to require that notice be given to those who were the objects of a trap and trace measure or is that getting a little bit too fine, cutting too fine a line in the requirements on the Department of Justice? Mr. Corn-Revere.
Page 217 PREV PAGE TOP OF DOC
Mr. CORN-REVERE. Let me just address that question in the context of the previous one. In the case of an ongoing investigation, as with a trap an trace order, the ISP is expressly prohibited from providing notice. Otherwise, if the target of the investigation knows that he or she is being investigated, then the communications will cease. So there is no notice before the fact.
I think it would be advisable at least to change the law so that anyone who has been the target of surveillance be notified after the fact, as currently is the case with respect to a title III intercept order.
Mr. DAVIDSON. Just add I actually think there are two other more important things for trap and trace and pen register, one of which is raising the standard, which is extremely low right now for access to this information. The second is defining what trap and trace and pen register mean for the Internet. As you see, there has been this wild extrapolation of numbers dialed into somehow the sort of much more meaningful, ardent investigation of Internet communications; and I think that needs to be dealt with.
Mr. CORN-REVERE. If I could just add to that. Mr. DiGregory cited the Supreme Court decisions which found that the use of pen registers without a warrant does not violate the fourth amendment because there is no reasonable expectation of privacy in that information. If you go to those Supreme Court opinions—and there are really two of them, Smith v. Maryland and the United States v. the New York Telephone Company—it is important to read what the court had in mind when it said that no privacy right was being invaded.
Page 218 PREV PAGE TOP OF DOC
For example, in New York Telephone Company, the Court said that a law enforcement official could not even determine from the use of a pen register whether a communication existed. These devices do not hear sound. They disclose only the telephone numbers that have been dialed, which simply is a means of establishing communication. Neither the purport of any communication between the caller and the recipient of the call, their identities, nor whether the call was even completed is disclosed by pen registers. Now, obviously, that is very different from the kind of information that is acquired with the interception of e-mail addresses.
Anyone who gets my e-mail address knows the identity of the party—it has my name in it. That is true of many other people's e-mail addresses as well. If you are able to get via surveillance URLs, uniform resource locators, for browsing on the Internet it is much the same as getting somebody's library record or the record of videotapes they have checked out. So the kind of information available on the Internet is completely different from what was available in the context of a pen register when the Supreme Court addressed those issues some 25 years ago.
Mr. STEINHARDT. First, Mr. Conyers, thank you for your praise for ACLU. I will accept that on behalf of the organization.
There is one other thing that Congress needs to attend to and that is the standard now for law enforcement to get access to stored records which is very low. But, as Mr. Nadler pointed out, people's expectations of privacy don't diminish by the fact that an Internet provider may have for an instant, for perhaps a little longer, been holding those stored records. We need to begin to treat those as the kinds of records which the FBI or other law enforcement agencies need probable cause in order to obtain.
Page 219 PREV PAGE TOP OF DOC
Mr. CONYERS. Well, gentlemen, I see this attempt to bring into balance the tensions between the Department of Justice and citizens' constitutional rights to be an enormous one. I see it complex, I see it changing, because there is new technology. As new technology comes out, are there any of you here that can give me any words of assurance that it may not be as big a concern as it seems to be this afternoon? We probably need a——
Mr. CANADY. The gentleman's time has expired, and the gentleman from Arkansas will be recognized.
Mr. HUTCHINSON. Thank you, Mr. Chairman.
I was absent during some of this testimony, but I want to assure everyone that I have read your testimony and have a great interest in your viewpoint on it.
I think everybody here probably was present during the previous panel's testimony, and I would like to ask a general question to Mr. Davidson and perhaps Mr. Steinhardt. Did both of you hear the testimony the previous panel?
I would like to ask your reaction. From what I gathered from the first panel's testimony, everything done by the Carnivore program is preceded by a court order. Secondly, a concern is whether there should be some independent review of the source codes; and I think that is something I had discussion with them on, you know, their willingness to submit to independent evaluation. I think there is a question of whether it should be some type of ongoing review. But I think that is an issue that is out there.
Page 220 PREV PAGE TOP OF DOC
And then I was asking questions whether they are retrieving information in the Carnivore program not for purposes of expanding what they receive but to limit it and to minimize it.
So if you could just comment on whether you disagree with any of those conclusions. Mr. Davidson.
Mr. DAVIDSON. Well, let me start by saying some of those things actually sound good. I mean, I think the idea of trying to minimize the information that is collected in the context of the Internet the surveillance is a good thing. The problem is we don't—A, we don't know—really, we don't know how well it is going to be doing that, and we have got to have a chance to look under the hood and understand this. The courts are going to need to understand it, and the defendants are going to need to understand it. The public needs to be able to have some confidence in it.
Mr. HUTCHINSON. How would you suggest doing that?
Mr. DAVIDSON. I think this notion of opening up the code is a very good one. If there needs to be a preliminary step of getting an independent panel in here, it is not the same; and it wouldn't be as good as opening it up to the public.
Personally, I think that if any system that relies on—if it could be so easily violated by somebody knowing how it works, then I don't think it can be that useful a system. If the bad guys can figure out, you know, how to evade it that easily, then, you know, how good can it be? I think that—I am not convinced yet that opening it up is a bad idea. But maybe that is what we need to get an independent group in here for.
Page 221 PREV PAGE TOP OF DOC
From a greater point of view, I think the issue it raises there is this desire on the part I think of law enforcement to be able to extrapolate every current capability like pen registers or trap and trace orders into the Internet world. The fact is, though, when you do that some of them don't translate very well. Pen registers is probably the example we have talked about the most here. We don't know what they mean in the Internet world. When we try to extrapolate them, we get a lot more information——
Mr. HUTCHINSON. You suggest a higher standard for pen registers for Internet access.
Mr. DAVIDSON. Absolutely. A higher standard and a clearer definition of what it means. I think there has got to be an understanding that some things they are going to be able to do—I mean, there are new capabilities that the FBI is getting all the time because of the sea of information that is out there. The Internet is a very good thing on some level for law enforcement. I think there is going to be have to be a recognition that maybe some of the things they can do now they will have to do differently in the future. It is not necessarily a horrible thing. There are going to be lots of new tools for law enforcement as well.
Mr. HUTCHINSON. Mr. Steinhardt.
Mr. STEINHARDT. In my mind, the testimony from the government panel raised more questions than it answered. I mean, for example, the testimony seemed to me to suggest that the only thing that Carnivore is, at least at the moment, and I think the implication was to—primarily used was the interception of e-mail. But we know from—I know from those persons who have seen some of these demonstrations, for example, members of the press who have seen some of these demonstrations of Carnivore, that it is capable of analyzing a potential intercepting far more than just e-mail. There are a whole range of Internet protocols which Carnivore is capable of filtering for. There were some allusion to those here today.
Page 222 PREV PAGE TOP OF DOC
Mr. HUTCHINSON. Can I interrupt you just for a second? The government has the capability of doing unauthorized wiretaps. They have the capability of gathering more information than they are entitled to under a court order. It is the court order that restrains the use of gathering techniques. So there is always consequences to that. Obviously, any of these can be abused, and they could gather more information, but they are limited by a court order.
Mr. STEINHARDT. Perhaps I wasn't clear, Congressman Hutchinson.
Mr. CANADY. I am sorry, the gentleman's—if you could finish in 15 seconds, because we need to conclude. The gentleman's time has expired.
Mr. STEINHARDT. The government witness, for example, suggested that they had one case that got files through the file transfer protocol. The committee didn't have an opportunity to get into that question, but I think there are serious questions about whether or not existing law permits them to get that, for example, with a trap and trace order.
Mr. CANADY. The gentleman's time has expired.
The gentleman from New York, Mr. Nadler, is recognized for 5 minutes.
Mr. NADLER. Thank you, Mr. Chairman. I have a series of questions. I hope the answers will be brief because of the time limitation.
Page 223 PREV PAGE TOP OF DOC
Someone said before that the Carnivore system is a kind of a sniffer system, that there are many others out there. So you have a lot of private sniffers. How would we—is there a danger that private sniffers can get all sorts of information violating people's privacy and how would we know that it has happened?
Mr. BLAZE. Someone who wanted to use a commonly available sniffer program to violate someone's privacy would still have the problem of getting access to the network over which that traffic flows. That is the hard part, getting the software to do the——
Mr. NADLER. That is what the FBI is asking us to mandate the ISPs to do in this case. Thank you.
Secondly, you talked about the question of remote accessibility of the FBI of the Carnivore system; and someone mentioned that you could change the configurations remotely. Do I understand correctly that what that is saying is that the FBI or, for that matter, a hacker could, by changing the configurations, could in effect change evidence and implicate somebody in some crime if they had a motivation to do that?
Mr. BLAZE. The answer to that depends on the security of the remote access system. If it is implemented in a secure manner, then the chances of that are very small. If it is implemented in an insecure manner, then the chances of that become quite grave.
Mr. NADLER. Let's assume that the police were under some—we know this has happened in the past. The police were under some great pressure to solve some heinous crime, and they figure they got their guy, and let's just give a little more evidence. Could they use the Carnivore system to, in effect, manufacture evidence?
Page 224 PREV PAGE TOP OF DOC
Mr. BLAZE. That would depend on how the audits are implemented, and that is one of the reasons that open review would be a very useful thing.
Mr. NADLER. So the answer is, yes, unless you put in safeguards to prevent it.
Mr. BLAZE. Yes. That is correct.
Mr. NADLER. So we have to make very clear of that.
Mr. Steinhardt, you suggested that—in your written testimony, you say that ECPA—whatever that was; I forget the acronym—should be amended to require that trap and trace slash pen register orders shall only be issued on a base of an independent finding by judicial officer that there is reasonable cause to believe that the target of the order has or is about to commit a crime. By reasonable cause you mean the same thing as probable cause or do you mean something different?
Mr. STEINHARDT. It is a slightly lesser standard than probable cause.
Mr. NADLER. Okay. Now you are suggesting that trap and trace and pen registers for the Internet should have this higher standard than this simply certification that it is relevant to an investigation.
Page 225 PREV PAGE TOP OF DOC
Mr. STEINHARDT. Yes. We are suggesting two things. One now is simply certification, that the judge has no discretion to turn down the request; secondly, that there ought to be a high standard. Probable cause is fine with us, but there ought to be a high standard before the court issues that order. Because, as you pointed out, this is an area where people do have a reasonable expectation of privacy and ought to.
Mr. NADLER. You are suggesting that for the Internet. You are not suggesting that for the telephones.
Mr. STEINHARDT. No, we are suggesting that for the telephone context as well.
Mr. NADLER. Because you believe, in telephone context, the expectation of privacy is more substantial than the Supreme Court seemed to think it was 25 years ago.
Mr. STEINHARDT. Yes, clearly it is, yes.
Mr. NADLER. Why do you say clearly?
Mr. STEINHARDT. I think most people would be very surprised to learn that they don't have a reasonable expectation of privacy in the numbers that they dial, the persons who call them. I think that is common sense. I think the Supreme Court decision defies common sense.
Page 226 PREV PAGE TOP OF DOC
Mr. NADLER. Mr. Baker wants to say something.
Mr. BAKER. When the Supreme Court wrote 25 years ago, it might have been true that you couldn't tell whether the call was completed, what was said and the like. But in the course of CALEA, the FBI has forced the industry to gather an enormous amount of transactional data about calls aside from content. This data can now be obtained through trap and trace orders—data about how long you talked, whether you were on call waiting, who conferenced in and when they got off. All that data would be part of a trap and trace order today.
Mr. NADLER. On telephones today, which was not the case and may, in fact—so the Supreme Court, if it were the same judges using the same reasoning, might come to a different decision today because the facts are different.
Mr. DAVIDSON. I think many of us would think that they would even in the telephone context, certainly in the Internet context. And Congress independently can certainly raise the standards for these things. Congress set the standard for this independently of the Court.
Mr. NADLER. Let me say, since my time is expiring, I appreciate this panel in particular. And I think that the Congress has to act because the history shows that police agencies cannot be afforded untrammeled discretion, and we can't always assume their good will and even their lack of mistakes in protecting people's privacy.
Mr. CANADY. The gentleman from Georgia is recognized for 5 minutes.
Page 227 PREV PAGE TOP OF DOC
Mr. BARR. Thank you, Mr. Chairman.
Mr. Sachs, is it correct to say that an Internet Service Provider, if project Carnivore is forced on them, they have no control whatsoever over that program, that device?
Mr. SACHS. That is my understanding, correct.
Mr. BARR. No supervisory capability whatsoever.
Mr. SACHS. That is my understanding, correct.
Mr. BARR. Mr. Corn-Revere, does it surprise you, as I think it—I know it did me, and I think it did Mr. Sachs, also to have the government say that—I think they said this, although they, of course, always waffle just a little bit—that in virtually every instance the only reason for those 25 instances over the last 2 years in which they used project Carnivore was simply because the ISP provider refused to or could not satisfy them that they could provide the information they wanted in the way they wanted it?
Mr. CORN-REVERE. I have no idea what the government's experience was in those other 24 instances. But in the one example in which I was involved that certainly was not the case. The ISP I represented did attempt to comply with the court order without the installation of Carnivore and, ultimately, it was given no choice.
Page 228 PREV PAGE TOP OF DOC
Mr. BARR. That is my impression, too.
If we could put back up on the board, Mr. Davidson, one of your examples, and I will come back to it in just a second.
But, Mr. Steinhardt, you are very familiar and maybe some other members of the panel are also with regard to a recent proposal by the government, by some of their colleagues up here in the House and the Senate, to amend fourth amendment law through amendments to a methamphetamine bill and the bankruptcy bill, to essentially carve out from the necessity for providing an inventory of seized items intangible information. Now so far, knock on wood, we have been successful from stopping that from moving forward. Is this the sort of data that the government would consider intangible so they would, if they came in and seized it, somehow would not be required to tell you they have taken it?
Mr. STEINHARDT. Well, the capacity of the government to make creative arguments about what the law provides in the way of investigatory tools never ceases to amaze me. So, yes, I think this is exactly the kind of information which they will make a claim is tangible, would be subject to those kinds of disclosures.
Mr. BARR. I would suspect so.
Mr. Davidson, with regard to your examples here, if I could ask you just very briefly—this may be very elementary, but I am not familiar with all the details here. Which one is this? Example 3. You went down to line 12 there. That is highlighted in, I guess, purple. Are you saying that in order for the government to get in and get that information, if that information is the target of what they are authorized to receive, or on any e-mail they have to get in there to see if it is or is not, that that means that they would also have to necessarily, in every instance, look at items 1 through 11?
Page 229 PREV PAGE TOP OF DOC
Mr. DAVIDSON. Again, I think it is difficult to know exactly how their system works. It could be quite sophisticated. There is a lot of—the answer is, I think, again, it depends. They may be able to extrapolate from certain pieces of lines 1 through 11 what lines they need to look at in order to find this information. Again, this one is in the context of a communication with a Website. But, yes, I think my general point was that they need to look at a fair amount of this packet in order to do the analysis to figure out what it is that they are entitled to.
Mr. BARR. Otherwise, there is no purpose to having Carnivore.
Mr. DAVIDSON. Exactly.
Mr. BARR. If Carnivore just sat there, fat, dumb and happy, and just waited for stuff to fall into its lap, it would never get anything. I mean, it has to go in there and look at this stuff somehow, doesn't it?
Mr. DAVIDSON. Right. I think there is a big question about whether or not that is a search in and of itself. There is a separate sort of technical question which is just to show how difficult this is and why we need to have some kind of real oversight because there is all this investigation going on.
Mr. BARR. Would everybody agree that, at this time, at least at this point, we need to probe further? We know so little about this, and the ramifications and potential for abuse are so great—and I forget who it was that said time is awasting. We need to get in here and look at this, to see exactly what it is so that we can determine to what extent we need to refashion these, you know, very outdated laws.
Page 230 PREV PAGE TOP OF DOC
Mr. DAVIDSON. I think we would ask that Carnivore not be deployed without further, you know, public oversight and information about what is going on there. At the very least, some sort of independent review panel to start.
Mr. BARR. At least maintain the status quo, the pre-Carnivore status quo.
Mr. DAVIDSON. Right.
Mr. CANADY. The gentleman's time has expired.
I want to thank all the members of this panel again and all the members of the subcommittee for your participation today. The testimony of witnesses has been very helpful to us.
The subcommittee will stand in brief recess. This hearing has concluded. The subcommittee has another hearing which will begin in 3 minutes. But we are going to recess for 3 minutes so we can switch witnesses and staff and notebooks and so on.
[Whereupon, at 4:42 p.m., the subcommittee was adjourned.]
A P P E N D I X
Material Submitted for the Hearing Record
Page 231 PREV PAGE TOP OF DOC
PREPARED STATEMENT OF HON. BOB BARR, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF GEORGIA
Mr. Chairman, thank you for holding this very timely hearing on the FBI's ''Carnivore'' program, the impact of this project on the privacy rights of United States citizens is immense, as is its precedent-setting impact on the law of electronic surveillance.
This country was founded on certain fundamental premises. The Bill of Rights cemented these premises into the fabric of our society. Included in this document, was the promise that government would not intervene in personal matters such as religion, behavior, and communication. Americans valued this privacy from the start, knowing that such democratic ideals were exactly what set them apart from other nations that suffered under tyranny. Today, however, we are being robbed of these cherished promises.
''Carnivore'' is a technology that allows the FBI to conduct unsupervised, extensive surveillance of Internet communications, based only on a promise that it will scoop up, or ''harvest,'' huge qualities of emails, keeping only those to which it is entitled, and throw back into the internet stream all the others it had caught. It works like a phone tap for computers, except it is considerably broader, insofar as it is attached directly to an Internet Service Provider, or ISP, and all emails passing through that ISP are scanned, in order to locate those that are the target of the FBI probe. The FBI has been using this technology to scan e-mails for messages for at least two years.
''Carnivore'' is a severe threat to the Internet community. The project requires outside software to be attached directly to the ISP, thereby increasing the risk of virus transmission and hardware damage. It also creates the opportunity for security breaches of unknown proportions. Simply put, we do not yet fully know the capabilities of this new technology and we are not prepared for its potentially devastating consequences.
Page 232 PREV PAGE TOP OF DOC
Existing laws regarding wiretapping or ''pen registers'' and ''trap and trace'' devices, do not reflect—nor did they contemplate when enacted years ago—this new technological development. ''Carnivore'' permits access to all communications that pass through the ISP, including all of the private email messages of every single person using that server. Currently, the FBI needs a court order to operate ''Carnivore'' surveillance of an individual. However, there is no mechanism or law to monitor what else comes out of the server after the FBI enters. Even if the government keeps only those messages which it has judicial authority to gather, serious questions arise as to the amount of information it gathers through ''Carnivore.'' For example, if the FBI has a court order to gather only an e-mail address and not the content per se, pursuant to a pen register or trap and trace order, the amount of electronic identifying data it considers to be only an ''address'' is far more than simply a name or number, as would be the case with a phone number.
''Carnivore'' creates the risk of a substantial margin of error. In 1998 alone, approximately 2.3 million communications were intercepted. Over 80% of these messages contained no incriminating material, and were ''innocent,'' according to government standards. As we all know, the Fourth Amendment limits and narrows searches as to avoid intruding into the privacy of innocent individuals. Shouldn't ''Carnivore'' be subject to this principle?
I believe ''Carnivore'' is unconstitutional and dangerous, and broadens existing laws designed to protect privacy in a telephone age far beyond their intent, in a new internet age. I urge my colleagues to recognize the seriousness and urgency of this issue, and support legislation to control this technology and protect the privacy of Americans. I look forward to hearing from all of our witnesses today. Thank you.
Page 233 PREV PAGE TOP OF DOC
PREPARED STATEMENT OF HON. JOHN CONYERS, JR., A REPRESENTATIVE IN CONGRESS FROM THE STATE OF MICHIGAN
In recent years, with the growth of the Internet, the FBI has encountered an increasing number of criminal investigations in which criminal subjects have used the Internet to communicate with each other or their victims. Because the FBI believes many Internet Service Providers lack the ability to discriminate between communications in order to isolate the specific types of information that may be authorized to be gathered under a court order, the FBI has designed and developed a program called ''Carnivore'' which enables the FBI to isolate, intercept and collect communications that are the subject of lawful orders.
The first news of Carnivore came in April during testimony before the Subcommittee on the Constitution by attorney Robert Corn-Revere, who represented an Internet Service Provider that tried to resist attaching the Carnivore program to its network.
It has also been reported that one of the nation's largest Internet Service Providers—EarthLink, Inc.—has refused to install Carnivore on its network because attaching the program in the past caused its remote access servers to crash, eliminating service to customers. Other ISP's have stated publicly that they would challenge an order to attach Carnivore to their networks. While these industry officials have expressed willingness to cooperate with law enforcement to comply with legitimate court orders, they are concerned about the effects attaching Carnivore to their networks will have on the security of their infrastructure and the privacy of their customers.
Page 234 PREV PAGE TOP OF DOC
At a press conference on July 12, Attorney General Reno stated that she does not want Carnivore ''to be a tool that is, in any way, a cause of concern for privacy interests.'' Today's hearing provides federal law enforcement the opportunity to address those privacy concerns.
More broadly, Carnivore raises the question as to whether existing statutes protecting citizens from ''unreasonable searches and seizures'' under the Fourth Amendment appropriately balance the concerns of law enforcement and privacy. Law enforcement is concerned that the information needed to keep the public safe remains available. Individual citizens are concerned that a sufficient degree of privacy and the integrity of personal information be maintained in an age of modern communications and information storage where information that may have traditionally been kept in a file cabinet at home is now electronically stored by a third party in cyberspace. The hearing today will address this balance of interests.
As we consider the use of Carnivore, it is important that our deliberations be based on facts and not on unsupported suspicions and irrational fears. At the same time we should be sensitive to any potential for abuse of the Carnivore system. Even a system designed with the best of intentions to legally carry out essential law enforcement functions may be a cause for concern if its use is not properly monitored.
I look forward to hearing from all of our witnesses today.
Page 235 PREV PAGE TOP OF DOC
| U.S. Department of Justice, |
| Federal Bureau of Investigation, |
| Washington, DC, July 19, 2000. |
Hon. CHARLES T. CANADY, Chairman,
Subcommittee on the Constitution,
Committee on the Judiciary,
House of Representatives, Washington, DC.
DEAR MR. CHAIRMAN: We very much appreciate the opportunity to appear before the Constitution Subcommittee on Monday to discuss ''Carnivore.'' The public testimony, we believe, will be very helpful in our efforts to explain what Carnivore is and, equally important, what it is not.
In that regard, USA Today asked us to provide a brief 350 word explanation for use on the editorial page. While a full statement obviously will be provided to the Subcommittee, we would like to share with you the text of what was provided to the newspaper. In a very concise fashion, it encapsulates our explanation of what the system does electronically to ensure strict compliance with the court orders that instruct us precisely what can and cannot be intercepted. I also have enclosed a graphic that you may find helpful.
As the brief summary points out, Carnivore is used only when Internet Service Providers are unable on their own to restrict interceptions within the narrow confines of the controlling court order. In addition, no interception can occur unless the FBI or other law enforcement agency can demonstrate to a judge's satisfaction that the strict statutory requirements have been met, e.g., that there is probable cause that a crime is being or has been committed, that the intercepted e-malls will be in furtherance or about that crime, and that the interceptions are necessary to collect evidence of that crime. That is why its use has been very limited, predominately to intercept e-mails in terrorism cases.
Page 236 PREV PAGE TOP OF DOC
I hope you find this helpful. Again, we look forward to testifying and, in the interim, if you have any questions, please do not hesitate to ask. We would be pleased to brief on any aspect of this system.
Sincerely yours,
| John E. Collingwood, Assistant Director, |
| Office of Public and Congressional Affairs. |
U.S. DEPARTMENT OF JUSTICE, FEDERAL BUREAU OF INVESTIGATION
First, lets get the facts straight. The FBI and all other law enforcement agencies can only intercept e-mails pursuant to a court order signed by a judge who is satisfied that the government has demonstrated probable cause that a serious crime is being or has been committed, the e-mails will be about that crime and the interception is necessary to obtain evidence about the crime. To conduct an intercept beyond that is a federal crime subject to severe criminal and civil sanctions. The entire process requires continual reporting to a court and, of course, ultimately is subject to vigorous challenge by defense attorneys.
What does ''carnivore'' do? In the simplest terms, it ensures that only the exact communications authorized by the court to be intercepted are what is intercepted. So, for example, if a court authorizes only the interception of e-mail from a particular drug dealer to another drug dealer, this system captures only that e-mail to the exclusion of all other computer communications regardless of who sends them and where they are going. Nothing else is monitored or collected, and everything collected is supervised by the court. It would be a federal crime to do otherwise.
Page 237 PREV PAGE TOP OF DOC
When is carnivore used? It is used only when an Internet service provider cannot, on its own, effect the interceptions consistent with a narrow court order. Accordingly, it has been used very few times, predominately to intercept e-mails in terrorism cases and, again, subject to the supervision of a court.
In 1968, Congress spelled out strict requirements for the interception of communications. Carnivore simply ensures that law enforcement complies precisely with those requirements as technology advances. We understand why certain segments oppose this court ordered technique. But since 1968, because of this law, many lives have been saved and thousands of drug dealers, terrorists, child predators and spies are in jail.
The Chairman of PSINet laid out the appropriate challenge. He does not want to see carnivore on his network unless we can prove it sifts out only the traffic from the target of a court order. That, of course, is precisely what carnivore does, electronically protecting the privacy of those not subject to the court order.
67305a.eps
PREPARED STATEMENT OF DEBORAH S. PIERCE, STAFF ATTORNEY, ELECTRONIC FRONTIER FOUNDATION
The Electronic Frontier Foundation (EFF) would like to submit comments to be included for the record regarding the Fourth Amendment and the issues raised by the FBI's Carnivore system.
Page 238 PREV PAGE TOP OF DOC
EFF is a leading global nonprofit organization linking technical architectures with legal frameworks to support the rights of individuals in an open society. Founded in 1990, EFF actively encourages and challenges industry and government to support free expression, privacy, and openness in the information society. EFF is a member-supported organization and maintains one of the most-linked-to Web sites in the world.
We wish to focus our comments on two specific issues. First, the use of pen registers as applied to traditional land-line telephone systems are not analogous to packet analyzers, such as Carnivore, that am used on the Internet. Second, we will touch on some of the harmful societal effects that will most certainly be wrought should the Carnivore system be implemented in the manner that the FBI wishes.
The use of packet analyzers on the Internet captures much more information from an individual than does the use of pen registers and trap and trace devices used on traditional land-line telephone systems.
Pen registers are devices used to record telephone numbers that are dialed from a telephone, whereas trap and trace devices are used to determine where a telephone call originated, Information gathered in this manner is strictly limited to only those phone numbers that are made either to or from the target's telephone number. No other personal information is harvested from the target of the investigation. The contents of the message and the routing or addressing information are independent of each other. Law enforcement cannot rely on pen registers or trap and trace warrants to got at the content of the calls.
Page 239 PREV PAGE TOP OF DOC
In reality, pen registers or trap and trace devices do not exist where the Internet is concerned, because the contents of the manages and the sender/receiver information are not kept separate. Because of this, the potential for law enforcement to over-collect information exists, and it is almost a certainty that law enforcement will receive more information from individuals than is authorized by a traditional pen register or trap and trace warrant. There are several ways that this can happen.
When a person makes a telephone call on a traditional telephone system, a discrete and continuous segment of the telephone system is dedicated to that call, which is handled sequentially. The system first accepts the call routing information (dialed number, number and accounting information of the phone used to make the call, etc.), secondly establishes a connection, and only then opens the line to the content side of the call. The routing information remains wholly separate and severable from the call content, allowing law enforcement easy access to the one but not to the other. The Internet, however is a packet-switched network, meaning that when information is sent over the Net, it is broken into small packets, routed pieccmeal over the Net and then reassembled at its final destination. Routing information, as well as content, are both contained in each individual packet, potentially giving law enforcement access to content as well as location routing information.
The Carnivore system appears to exacerbate the over collection of personal information by collecting more information than it is legally entitled to collect under traditional pen register and trap and trace laws.
The Carnivore system has received a lot of press recently, but the FBI has not been forthcoming about how the Carnivore system actually works. Civil liberties groups have often been quoted as noting that Carnivore is a ''black box'' leaving us to guess at its inner workings.
Page 240 PREV PAGE TOP OF DOC
We have been able to discover that Carnivore is a packet-sniffer, able to gather pen register and trap and trace information by sniffing each packet as it is routed along. It then filters out unwanted email and other communications information from those of the target. This process is problematic for two very important reasons.
First, traditional wiretaps, pen registers and trap and trace devices, are attached to specific telephone lines; law enforcement will only obtain the telephone numbers associated with the target's phone. With Carnivore in place, law enforcement has the potential ability to sift through all of the traffic going through a particular Internet Service Provider's (ISP) network. This far exceeds the scope of any wiretap laws we currently have in place.
Second, analogizing pen register information from a traditional land-line phone system to the Internet is incorrect. The Carnivore system likely can capture content as well as numbers, E-mail addresses for example are personal to an individual rather than to a particular household. We don't know for sure, but it is possible that Carnivore has access to the subject line information of email messages. Subject lines are content. For example, ''leaving work at 5pm today—meet me at the bus stop'', contains a lot of information about travel plans of a target on a particular day. Carnivore can also track other content information such as the URLs of web sites visited. Seeing the URLs not only give routing information but content as well. For example, someone visiting www.eff.org could presumably be interested in civil liberties issues online.
Systems like Carnivore have the potential to turn into mass surveillance systems that will harm our free and open society.
Page 241 PREV PAGE TOP OF DOC
Currently, there is little if any public oversight over the FBI's use of its Carnivore system. The FBI has not allowed the ISP to inspect the device, nor have any of the advocacy groups been allowed to examine it. In fact, the ACLU has had to resort to filing a FOIA request to try to get at the source code. Allowing the FBI to install and use a device such as this unchecked by any public oversight, threatens the openness we enjoy and expect in our society. Robert Corn-Revere, in his testimony, noted that his case is sealed. We can't even look to that for guidance.
Surveilling the Internet in this way leaves law enforcement with the potential to lower an individuals expectation of privacy as they use the internet particularly if we use the majority rule in Smith v. Maryland, that an individual has no legitimate expectation of privacy in the numbers that they dial on their telephones. This is so because law enforcement has so far successfully argued that pen registers on the Internet are analogous to those used on land-line telephone systems. Since routing information on the Net contains content, an expectation of privacy could end up being lowered for an individual's reading habits on the Net. Once individuals realize that they have a lowered expectation of privacy on the Net, they may not visit particular web sites that they may otherwise have visited.
The Court in Smith v. Maryland noted law enforcement's penchant for trying to lower the bar on what is a legitimate expectation of privacy. The majority noted that:
''situations can be imagined, of course, in which Katz' two-pronged inquiry would provide an inadequate index of Fourth Amendment protection. For example, if the Government were suddenly to announce on nationwide television that all homes henceforth would be subject to warrantless entry, individuals thereafter might not in fact entertain any actual expectation of privacy regarding their homes, papers, and effects . . . In such circumstances, where an individual's subjective expectations had been ''conditioned'' by influences alien to well-recognized Fourth Amendment freedoms, those subjective expectations obviously could play no meaningful role in ascertaining what the scope of Fourth Amendment protection was. In determining whether a ''legitimate expectation of privacy'' existed in such cases, a normative inquiry would be proper.''
Page 242 PREV PAGE TOP OF DOC
In other words, law enforcement cannot ''dumb down'' society's subjective notions of what constitutes a legitimate expectation of privacy.
Conclusion
The use of pen registers as applied to traditional land-line telephone systems is fundamentally different than information that is collected using pen registers on the Internet. Allowing a system such as Carnivore to be used unchecked by law enforcement exacerbates the problem of over collection of data and has the potential to harm our open society.
(Footnote 1 return)
See, e.g., Brown v. Waddell, 50 F.3d 285, 290–91 (4th Cir. 1995) (refusing to classify a digital display pager close as a pen register).
(Footnote 2 return)
See Smith v. Maryland, 442 U.S. 735 (1979). The Court's reasoning relied in part on its understanding that ''pen registers do not acquire the contents of communications.''
(Footnote 3 return)
See Ted Bredis, Updating of Wiretap Law for E-Mail Age is Urged by the Clinton Administration, Wall St. J., July 18, 2000, at A3.
(Footnote 4 return)
Electronic Communications Privacy Act of 1986, 100 Stat. 1848, Pub. L. No. 99–508 (1986).
(Footnote 5 return)
H. Rep. 103–827 at 3492, citing and quoting House Committee on the Judiciary, Electronic Communications Privacy Act of 1986, H.R. No. 99–647, 99th Cong., 2d Sess., pt. 2, at 19 (1986).
(Footnote 6 return)
S. Rep. No. 541, 99th Cong., 2d Sess. 1 (1986), reprinted in 1986 U.S.C.C.A.N. 3555.
(Footnote 7 return)
Office of Technology Assessment, Electronic Surveillance and Civil Liberties 11 (OTA–CIT–293, October 1985).
(Footnote 8 return)
Id. at 11–12.
(Footnote 9 return)
Id. at 11.
(Footnote 10 return)
S. Rep. 99–541, 99th Cong., 2d Sess. 1–2 (Oct. 17, 1986).
(Footnote 11 return)
Id. at 2.
(Footnote 12 return)
Id. at 3.
(Footnote 13 return)
Id. at 5.
(Footnote 14 return)
See H.R. Rep. No. 827, 102d Cong., 2d Sess., pt. 1, at 13–14 (1994), reprinted in 1995 U.S.C.C.A.N. 3492–93 (''House Report'').
(Footnote 15 return)
See, e.g., Andrew R. Hull, The Digital Dilemma: Requiring Private Carrier Assistance to Reach Out and Tap Someone in the Information Age—an Analysis of the Digital Telephony Act, 37 Santa Clara L. Rev. 117, 133 (1996).
(Footnote 16 return)
Id. In 1993, the FBI released 185 pages of documents relating to Operation Root Canal in response to an FOIA lawsuit. The Bureau's request to stay the litigation for five years was denied by U.S. District Judge Charles Richey. See generally Bruce Schneier and David Banisar, The Electronic Privacy Papers 138–139, 156 (1997).
(Footnote 17 return)
Hull, supra, at 134.
(Footnote 18 return)
See, e.g., Memo from FBI Director Re: Digital Telephony—Request for Briefings by the Special Agents in Charge, March 23, 1992, reprinted in Schneier and Banisar, supra, at 166–169. (''For approximately two years, representatives from the FBI have had numerous meetings with executives and technical personnel from the major companies that provide telephone service and manufacture telephone switching equipment in an effort to find a technical solution to the digital telephony problem. No workable solution was identified. As a result, the President recently authorized the Attorney General to seek legislation that will force a technical solution.'').
(Footnote 19 return)
FBI Digital Telephony Proposal, reprinted in The Threat of Foreign Economic Espionage to U.S. Corporations, Hearings before the Subcomm. on Econ. and Commercial Law of the House Judiciary Comm., 102d Cong., 2d Sess. (1992) at 333.
(Footnote 20 return)
Id.
(Footnote 21 return)
House Report at 3489, 3492, 3497, 3498, 3502.
(Footnote 22 return)
See id. at 3497 (''The bill will not expand [the] authority'' of law enforcement agencies to conduct wiretaps pursuant to court order. ''[A]s the potential intrusiveness of technology increases, it is necessary to ensure that government surveillance authority is clearly defined and appropriately limited.''); 3498, 3502, 3503; see also 47 U.S.C. §1002(a)(4), 1002(b)(1994).
(Footnote 23 return)
House Report at 3502.
(Footnote 24 return)
See id. at 3497, 3502.
(Footnote 25 return)
Reno v. ACLU, 521 U.S. 844 (1997).
(Footnote 26 return)
Blumenthal v. Drudge, 992 F. Supp. 44, 48 n.7 (D.D.C. 1998).
(Footnote 27 return)
American Libraries Ass'n. v. Pataki, 969 F. Supp. 160, 161 (S.D.N.Y. 1997).
(Footnote 28 return)
See, e.g., Patrick Ross, SEC Faulted on Hill for Possible Online Privacy Violations, Communications Daily, April 5, 2000 at 9.
(Footnote 29 return)
U.S. Const., amend. IV
(Footnote 30 return)
Olmstead v. United States, 277 U.S. 438, 464 (1928).
(Footnote 31 return)
Id.
(Footnote 32 return)
Id. at 472–73 (Brandeis, J., dissenting).
(Footnote 33 return)
Id. at 473–74 (internal quotations omitted).
(Footnote 34 return)
389 U.S. 347, 351 (1967).
(Footnote 35 return)
Katz, 389 U.S. at 352.
(Footnote 36 return)
Id. at 353.
(Footnote 37 return)
Omnibus Crime Control and Safe Streets Act of 1968, Pub. L. No. 90–351, §801–804, 82 Stat. 197, 211–25. See H.R. Rep. No. 827, 103d Cong., 2d Sess., pt. 1, at 3492, 3493 (1994), reprinted in 1995 U.S.C.C.A.N. 3489, 3491 (''H. Rep. 103–827'').
(Footnote 38 return)
Id.
(Footnote 39 return)
Id., quoting Senate Committee on the Judiciary, Omnibus Crime Control and Safe Streets Act of 1967, S. Rep. No. 1097, 90th Cong., 2d Sess. 66 (1968).
(Footnote 40 return)
Application of the United States for Relief, 427 F.2d 639, 643–44 (9th Cir. 1970).
(Footnote 41 return)
18 U.S.C. §2518(4).
(Footnote 42 return)
Electronic Communications Privacy Act of 1986, 100 Stat. 1848, Pub. L. No. 99–508 (1986).
(Footnote 43 return)
See S. Rep. No. 541, 99th Cong., 2d Sess. 1 (1986), reprinted in 1986 U.S.C.C.A.N. 3555.
(Footnote 44 return)
H. Rep. 103–827 at 3492, citing and quoting House Committee on the Judiciary, Electronic Communications Privacy Act of 1986, H.R. No. 99–647, 99th Cong., 2d Sess., pt. 2, at 19 (1986).
(Footnote 45 return)
S. Rep. No. 541, 99th Cong., 2d Sess. 1 (1986), reprinted in 1986 U.S.C.C.A.N. 3555.
(Footnote 46 return)
Office of Technology Assessment, Electronic Surveillance and Civil Liberties 11 (OTA–CIT–293, October 1985).
(Footnote 47 return)
Id. at 11–12.
(Footnote 48 return)
Id. at 11.
(Footnote 49 return)
S. Rep. 99–541, 99th Cong., 2d Sess. 1–2 (Oct. 17, 1986).
(Footnote 50 return)
Id. at 2.
(Footnote 51 return)
Id. at 3.
(Footnote 52 return)
Id. at 5.
(Footnote 53 return)
See Electronic Surveillance and Civil Liberties, supra at 32.
(Footnote 54 return)
Id. See Senate Select Committee to Study Governmental Operations With Respect to Intelligence Activities, 94th Cong., 2d Sess. (1976) (''Church Committee Report'').
(Footnote 55 return)
Church Committee Report, Vol. III at 273.
(Footnote 56 return)
Id. at 274.
(Footnote 57 return)
See, e.g., Charles L. Lindner, Can the L.A. Criminal Justice System Work Without Trust?, LA Times (April 26, 1998) (describing fraudulent methods by which police obtain warrants and revealing that for the past thirteen years law enforcement authorities in Los Angeles have ignored the legal requirement to keep an inventory of tapped conversations as a prerequisite to continuing authorization).
(Footnote 58 return)
Bureau of Justice Statistics, Sourcebook of Criminal Justice Statistics—1992.
(Footnote 59 return)
Communications Assistance for Law Enforcement Act, Pub. L. No. 103–414, 108 Stat. 4279 (1994).
(Footnote 60 return)
H. Rep. 103–827 at 3492.
(Footnote 61 return)
Id. at 3496.
(Footnote 62 return)
Id. at 3502.
(Footnote 63 return)
Id. at 3497, 3502.
(Footnote 64 return)
Id. at 3490.
(Footnote 65 return)
47 U.S.C. §1002(a)(4)(A).
(Footnote 66 return)
Id. §1002(a)(2); H. Rep. 103–827 at 3498.
(Footnote 67 return)
8 U.S.C §2516(1); H. Rep. 103–827 at 3497.
(Footnote 68 return)
18 U.S.C. §2703; H. Rep. 103–827 at 3490.
(Footnote 69 return)
H. Rep. 103–827 at 3500.
(Footnote 70 return)
Id. at 3489, 3503–04.
(Footnote 71 return)
See, e.g., S. 2092, 106th Cong., 2d Sess., introduced February 24, 2000.
(Footnote 72 return)
Smith v. Maryland, 442 U.S. 735 (1979).
(Footnote 73 return)
Id. at 742.
(Footnote 74 return)
United States v. New York Tel. Co., 434 U.S. 159, 167 (1977).
(Footnote 75 return)
Authorization to intercept electronic communications requires a showing of probable cause that the target has committed a specified felony. 18 U.S.C. §2516, 2518. The request for such an order must state with particularity information regarding the facts relied upon by the applicant, the crime at issue, the individuals suspected of committing the offense, and the type of communications to be intercepted.
(Footnote 76 return)
18 U.S.C. §3123(a).
(Footnote 77 return)
The Electronic Frontier at 37.
(Footnote 78 return)
Pursuant to reports to Congress required by 18 U.S.C. §3126, DOJ obtains approximately 3,000 pen register orders and 2,000 trap and trace orders per year. Additionally, a total of 1,329 authorizations were issued for communications interceptions in 1998, of which 566 were requested by the Federal government. 1999 Report of the Director of the Administrative Office of the United States Courts on Applications for Orders Authorizing or Approving the Interception of Wire, Oral, or Electronic Communications, Table 2, at 14.
(Footnote 79 return)
H. Rep. 103–827 at 3497.
(Footnote 80 return)
18 U.S.C. §3127(3).
(Footnote 81 return)
18 U.S.C. §3127(4). In addition, Section 3123(b)(1)(A) requires the government to identify the person to whom the ''telephone line'' is leased, and Section 3124 requires the service provider or ''landlord, custodian or other person'' to ''install such device forthwith on the appropriate line.'' 18 U.S.C. §3124(b).
(Footnote 82 return)
S. Rep. No. 99–541 at 10, 99th Cong., 2d Sess., 1986, 1986 U.S.C.C.A.N. 3555 at 3564.
(Footnote 83 return)
Brown v. Waddell, 50 F.3d 285, 290–291 (4th Cir. 1995) (''As a matter of plain textual meaning, a digital display pager clone does not itself fit this definition—in the critical sense that it is not a device attached to a telephone line.'')
(Footnote 84 return)
See In the Matter of the Application of the United States of America for an Order Authorizing the Use of a Cellular Telephone Digital Analyzer, 885 F.Supp. 197, 199–200 (C.D.CA 1995) (''Digital Analyzer'').
(Footnote 85 return)
Id. at 200.
(Footnote 86 return)
Id. at 201.
(Footnote 87 return)
Id. at 201–202.
(Footnote 88 return)
The Electronic Frontier at 37.
(Footnote 89 return)
The Federal Communications Commission (''FCC'') has consistently ruled that ISPs are not ''telecommunications carriers,'' and that their facilities are distinct from the telephone system. Federal-State Joint Board on Universal Service, Report to Congress, 13 FCC Rcd. 11501 at 73 (1998); Implementation of the Telecommunications Act of 1996: Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, 13 FCC Rcd. 8061 (1998).
(Footnote 90 return)
Preston Gralla, How the Internet Works at 13 (1999) (emphasis in original).
(Footnote 91 return)
Communications Assistance for Law Enforcement Act, CC Docket No. 97–213, Third Report and Order, 14 FCC Rcd 16794, 16819 (1999) (''CALEA Order'').
(Footnote 92 return)
Id. at 16820.
(Footnote 93 return)
610 N.E.2d 374, 376–377 (N.Y. 1993).
(Footnote 94 return)
See People v. Mendola, 619 N.Y.S.2d 901 (N.Y. App. Div. 1994).
(Footnote 95 return)
706 N.E.2d 731, 737 (N.Y. 1998).