H.R. 3482, "The Cyber Security Enhancement Act of 2001"

Testimony of Alan Davidson
Associate Director
Center for Democracy and Technology

before the
Subcommittee on Crime of the Committee on Judiciary
U.S. House of Representatives

February 12, 2002

Mr. Chairman and Subcommittee Members, thank you for calling this hearing and giving CDT the opportunity to testify on H.R. 3482, the "Cyber Security Enhancement Act of 2001."

I am Alan Davidson, Associate Director of the Center for Democracy and Technology, a public interest non-profit group based here in Washington. CDT works to promote civil liberties and human rights on the Internet. Since its creation in 1994, CDT has been heavily involved in the policy debates concerning privacy, computer security, and government surveillance online. As Staff Counsel I have led CDT's project on encryption policy and done substantial research on computer security and privacy based on my own training as a computer scientist. CDT also coordinates the Digital Privacy and Security Working Group, a collaboration of over 40 leading Internet companies and public interest organizations pursuing issues of privacy and security online.

Our nation is at a point where revolutionary changes in communications and computer technology have created new concerns about public safety, security, and privacy online. In the aftermath of September 11, cybersecurity is a serious problem that demands a real response from government. At the same time, such responses must be respectful of the protections for personal privacy and from overly broad governmental authority, enshrined in our Constitution and electronic surveillance laws.

If we are forced to give up essential liberties fundamental to our American way of life than our country will truly have lost something important.

With this need to protect both security and Constitutional privacy principles, CDT offers the following comments on H.R. 4382:

First, CDT commends this committee for holding this hearing, and for the relatively measured approach taken in HR 3482. We agree that computer crime and security is a serious problem that requires serious government response. In the USA PATRIOT Act, passed this fall, substantial changes were made to the computer crime and government surveillance statutes that raised serious privacy concerns and are to this date still not fully understood. In contrast and with one notable exception ­ the emergency disclosures provision of Section 102 ­ H.R. 4382 takes a more modest approach to these laws that does not raise the same types of privacy concerns.

Second, the emergency disclosure provision of Section 102, as drafted, is overly broad and would eviscerate important privacy protections in current law.

Current law protects the privacy of electronic communications by prohibiting service providers from revealing those communications to anyone without proper lawful orders. Emergency disclosure provisions exist in the current law based on a reasonable idea ­ ISPs who reasonably believe there is an imminent threat of death or serious injury should be able to reveal communications to law enforcement agencies on an emergency basis even without judicial oversight.

Sec. 102 would substantially expand this ability to reveal private communications without any judicial authority or oversight.

In practice, however, we have heard reports from large and small providers, universities, and libraries, that the emergency disclosure is being used in a different way. Providers are often approached by government agents and asked to voluntarily disclose communications or other subscriber information for investigations that the government claims involve a danger to life and limb. Providers are then faced with a Hobbesian choice ­ either turn over sensitive private communications of subscribers without any court order, or say no to a government request. Of course many comply with the requests. Small providers have few legal resources to evaluate such requests. Others receive requests from the same agents they may seek help from the next day regarding hacking attacks or other problems. Without proper restrictions, such "voluntary disclosure" provisions risk becoming a major loophole.

Current law, passed just four months ago, confines these extraordinary disclosures to law enforcement agents in limited circumstances. As drafted, Sec. 102 would threaten the privacy of communication by substantially broadening these disclosures:

• It allows these disclosures to any governmental entity, not just law enforcement agents. That could include literally thousands of federal, state, and local employees ­ perhaps even foreign government officials.
• It no longer requires imminent danger for disclosure. It would allow these extraordinary disclosures when there is some danger, which might be far in the future and far more hypothetical.
• It no longer requires a reasonable belief that there is a danger on the part of the ISP. Section 102 would allow these sensitive disclosures if there is any good faith belief ­ even if unreasonable­of danger.

Thus as drafted, Sec. 102 would allow many more disclosures of sensitive communications without any court oversight or notice to subscribers. It would allow these disclosures to (and based on requests from) potentially hundreds of thousands of government employees, ranging from local canine control officials to schoolteachers to Agriculture Department cotton inspectors to foreign government officials.

We urge the committee to carefully rethink this expansion. We understand the argument that in some narrow circumstances disclosures to some entities - such as the Center for Disease Control - might be warranted. As supported in current law, in cases of imminent threats of death or serious injury, law enforcement agencies - trained to deal with such situations and cognizant of legal strictures­ should be the first contact point for concerned citizens. We also urge the committee to maintain the requirements of a reasonable belief in imminent danger.

We are confident that if other disclosures are needed they can be carefully crafted, and we look forward to working with the Committee as well as experts in industry and other interested parties to find a more balanced approach.

In addition, we strongly encourage this Committee to add accountability mechanisms for this extraordinary power. Congress should consider requiring notice to the subscriber, after the fact (and deferrable based on a judicial order), as a means of providing subscribers with some way of knowing that their communications have been disclosed. And at a bare minimum Congress should mandate a reporting requirement for these emergency disclosures to federal law enforcement, to give Congress some method of evaluating their use.

Third, we urge the Committee to continue its work to balance powerful surveillance authorities with appropriate privacy protections.

An essential element of security in cyberspace is trust. If Internet users cannot trust that their most sensitive personal and business communications will be private, than we cannot realize the promise of the Internet as a communications medium.

Powerful new surveillance authorities require powerful oversight and accountability. In addition, the digital age is making more personal information available than ever before, also increasing the need for a legislative framework that protects personal information from inappropriate surveillance.

The USA Patriot Act passed this fall provides substantial new government capabilities to conduct surveillance on Americans and to combat terrorism and cyber crime. H.R. 4382 also provides additional and powerful new resources and tools. But in both cases there are virtually no new measures for oversight and accountability, or any protections for all the sensitive personal information increasingly available in the digital and wireless age. (We note that this committee's own admirable efforts to strike a greater balance in the PATRIOT Act were largely ignored.)

We urge this committee to adopt a more comprehensive approach to cybersecurity that recognizes the urgent need for additional privacy protections. The Congress could start by taking up the helpful changes to surveillance law developed and passed by the House Judiciary Committee in the last Congress, under H.R. 5018, including:

• Heightened protections for access to wireless location information, requiring a judge to find probable cause to believe that a crime has been or is being committed. Today tens of millions of Americans are carrying (or driving) mobile devices that could be used to create a detailed dossier of their movements over time - with little clarity over how that information could be accessed and without an appropriate legal standard for doing so.
• An increased standard for use of expanded pen registers and trap and trace capabilities, requiring a judge to at least find that specific and particularly facts reasonably indicate criminal activity and that the information to be collected is relevant to the investigation of such conduct.
• Addition of electronic communications to the Title III exclusionary rule in 18 USC §2515 and add a similar rule to the section 2703 authority. This would prohibit the use in any court or administrative proceeding of email or other Internet communications intercepted or seized in violation of the privacy standards in the law.
• Require statistical reports for §2703 disclosures, similar to those required by Title III.
• Require high-level Justice Department approval for applications to intercept electronic communications, as is currently required for interceptions of wire and oral communications.

In addition, other issues - some of broader scope - need to be addressed:

• Improve the notice requirement under ECPA to ensure that consumers receive notice whenever the government obtains information about their Internet transactions.
• Provide enhanced protection for personal information on networks: probable cause for seizure without prior notice, and a meaningful opportunity to object for subpoena access.
• Require notice and an opportunity to object when civil subpoenas seek personal information about Internet usage.

The bills put before this Committee last Congress were efforts towards a modest improvement in privacy protections without in any way denying the government any investigative tools. They should serve as a starting point, and we hope that you will consider including them to address the privacy concerns of many Americans and the imbalance that exists in today's electronic surveillance laws.

In conclusion, we urge to Subcommittee to

• Substantially narrow the new emergency disclosure provisions of Section 102. If retained, they should greatly limit the scope of governmental entities that can receive such disclosure, could provide deferred notice to the subscribers whose communications were revealed, and should absolutely require reporting to Congress on their use.
• Take a more balanced approach by including some of the privacy protections passed by this committee last Congress. Among the most urgent of these: a need for clearer protection of wireless location information, clearer definitions of what constitutes content for pen/trap orders online, and additional statistical reporting requirements.

Protecting national security and public safety in this digital age is a major challenge and priority for our country. On balance, however, we believe that new sources of data and new tools available will prove to be of great benefit to government surveillance and law enforcement. It is essential that we offer a measured response to these concerns, and urgently take up the need for additional privacy protections in the electronic surveillance laws.

Powerful new government surveillance and law enforcement capabilities demand powerful oversight, accountability, and privacy protection mechanisms. We look forward to working with the Subcommittee and other interested parties to craft an approach that protects both security and privacy online.

House Rule XI, Clause 2(g)(4) Disclosure: Neither Alan Davidson nor CDT has received any federal grant, contract, or subcontract in the current or preceding two fiscal years.