September 24, 2001
Mr. Chairman, Mr. Vice-Chairman, members of the Committee, thank you for the opportunity to testify at this hearing on the momentous question of improving our nation's defenses against terrorism in a manner consistent with our fundamental Constitutional liberties.
The Center for Democracy and Technology is a non-profit, public interest organization dedicated to promoting civil liberties and democratic values for the new digital communications media. Our core goals include enhancing privacy protections and preserving the open architecture of the Internet. Among other activities, CDT coordinates the Digital Privacy and Security Working Group (DPSWG), a forum for more than 50 computer, communications, and public interest organizations, companies and associations working on information privacy and security issues.
CDT joins the nation in grief and anger over the devastating loss of life resulting from the September 11 terrorist hijackings and attacks against the World Trade Center and the Pentagon. Like many, our relatively small staff had friends and acquaintances killed in those heinous acts. We fervently support the efforts of our government to hold accountable those who direct and support such atrocities.
It is clear that improvements need to be made in America's counter-terrorism procedures, and it appears there are many things that can be done without harming civil liberties. But we know from history that measures hastily undertaken in times of peril particularly measures that weaken controls on government exercise of coercive or intrusive powers -- often infringe civil liberties without enhancing security. In the current climate, it is all the more important to act deliberately and ensure that our response is balanced and properly targeted. If we give up the constitutional freedoms fundamental to our democratic way of life, then the terrorists will have won.
In that regard, Mr. Chairman, we commend you and the Committee for holding this hearing, and taking the time to consider the legislative proposals put forth by the Administration and those you have developed. Only through the hearing process can you and the American public understand what is being proposed, how it would change current law, and whether the changes are responsive to any deficiencies that the September 11 attack may have revealed. Just as President Bush and his military advisers are taking their time in planning their response, to ensure that they hit the terrorist targets with a minimum of collateral damage, so it is incumbent upon this Congress to avoid collateral damage to the Constitution.
My testimony will focus on the electronic surveillance provisions in both Chairman Graham's "Intelligence to Prevent Terrorism Act" and the Administration's proposed "Anti-Terrorism Act of 2001." My colleague Kate Martin will focus on several other provisions in the bills that need clarification. Many provisions of the Chairman's bill appear narrowly and appropriately crafted to carefully provide desired intelligence capabilities; however I will also highlight at least one provision of the bill - Section 201 - that may have broad implications for the Internet.
As you well know, this Committeeand the current legal structure of the intelligence communitywere established after Watergate both to improve intelligence and to ensure that the rights of Americans were not eroded by the vast and sometimes vague intelligence authorities that had previously existed. The legal and oversight system for intelligence sprang not just from a concern about civil liberties, but also from a concern about improving the efficacy of intelligence gathering. As such, the Committee mission demands a careful vetting of any new proposed intelligence authorities and we applaud the committee for holding these public hearings to do so.
A number of the provisions of both the Chairman's bill and the Attorney General's bill would change provision of the Foreign Intelligence Surveillance Act of 1978 (FISA). As the Committee is also well aware, FISA gave extensive authority to the intelligence community. Under it the FBI and CIA have considerable capability to conduct electronic surveillance without the high standards (such as a showing of probable cause of criminal conduct, notice, and eventual adversarial scrutiny) demanded under our domestic criminal law for wiretapping. In exchange for these significantly lowered standards allowing much greater intelligence surveillance, FISA demanded a clear separation - a wall - between electronic surveillance conducted for intelligence purposes and electronic surveillance conducted for criminal law purposes. FISA was based on a clear understanding that it would not become an back door for use of foreign intelligence surveillance in domestic criminal investigations. FISA information that was incidentally collected regarding criminal matters could be shared across this wall but the purpose of a FISA surveillance had to be intelligence. This was intended to avoid a major erosion of our constitutional rights through the lower standards of FISA surveillance.
As we read the Chairman's bill, we applaud what appears to be the committee's intent to maintain that distinction between intelligence authorities and domestic law enforcement provisions. We are particularly pleased to see that the Chairman's bill does not appear to intended a rewriting of the FISA authorities. As described below, however, we believe that the Attorney General's bill does not reflect this deeper understanding and would eviscerate the FISA principles, allowing foreign intelligence surveillance standards to be used in criminal investigations. (See, e.g., Administration Bill, Sections 151-157) Thus, while we have concerns about some specific provisions, we believe the Chairman's bill is far more narrowly crafted, and more appropriately targeted to the situation at hand.
First and foremost, we note with approval Section 204's attempt to make it clear that the FBI could conduct both a Title III criminal wiretap and a FISA wiretap, intercepting the same communications for different purposes. If done properly, this is a more direct and appropriate approach to allow criminal investigations and intelligence investigations to go forward side-by-side. We need to explore with the committee the specific language of the section, but if it tracks the intent expressed in the section-by-section analysis, we believe it is an appropriate approach.
Section 202, regarding the duration of certain FISA surveillance authorities, raises some concerns. FISA electronic surveillances of persons are already granted for periods three times longer than Title III surveillances. Under 202, the duration of surveillance before any judicial oversight would be extended from 90 days to one year. In the case of physical searches, the period would be extended from 45 days to one year. Courts have only turned down one FISA application in the 22-year history of the statute's use. Judicial review, after 45 or 90 days, hardly seems overly burdensome; if surveillance should continue a judge will surely - given the history of discretion in these matters - renew the order. The risk of this provision is that unproductive surveillance could continue for long periods of time without any judicial oversight.
Section 203, the assistance section, may also merit more careful drafting. To the extent, as indicated in the section-by-section analysis, it is only requiring additional assistance from service providers that cannot be identified in advance, we believe it is a measured response. However, we believe the language should be reviewed with staff to ensure that it is not granting new surveillance authorities.
Section 201 raises concerns and is one area where we should not legislate quickly in this complex field of electronic surveillance law. Frankly, we find the language to be very ambiguous and potentially very broad. It must undergo further discussion and more careful drafting.
As drafted, the provision would exclude from the definition of "electronic surveillance" any "instruction or signal" sent to a computer - if it was not a communication to another person, or was not for lawful information retrieval - thereby exempting such information from the reduced standards of FISA. As we read the interaction of Title III and FISA, this would allow the interception of such signals with no judicial oversight.
While apparently intended to allow interception of communications "from a hacker, located abroad" the provision also sweeps in a broad class of otherwise protected communications. It would appear to include, for example:
or any other commands one sends to one's own computer, Palm Pilot, or wireless phone. All of these sensitive communications, in which there is both a reasonable expectation of privacy and a warrant would be required for law enforcement purposes, could now be obtained under FISA and without judicial oversight.
It is also unclear how the provision could be applied in practice. In a packet-switched data interception environment like the Internet, it is difficult if not impossible to know in many cases which packets to be intercepted contain an "instruction or signal" for a computer and are not for information retrieval, and which contain information that should require a judicial order. In many, if not in most, cases it will only be possible to see whether this provision applied after the communication is intercepted, read, and analyzed. Thus, if this provision is to be used it would appear to create a license for interception of numerous communications that would ultimately be discarded after they are read and analyzed.
Section 201 would appear to create a giant hole in the FISA electronic surveillance requirements and would allow the interception of numerous personal communication without judicial oversight. It is in serious need of redrafting at the very least; if its goal is to allow interception of hackers attacking a computer, it seems better addressed by provisions that would allow target computer owners to consent to the interception of attacks on their computers.
We recommend that this section be deleted or substantially clarified.
The Administration's Anti-Terrorism Act of 2001 goes far beyond the measured response of this committee. It would expand federal government authorities, including the authorities of the intelligence agencies, to conduct electronic surveillance and otherwise collect information on US citizens. Some of the changes are quite fundamental. The bill includes numerous, complex provisions extending the surveillance laws (while raising many questions about how they will be implemented) and altering the long-standing distinction between criminal investigations and foreign intelligence investigations. Many of the changes are not related to security concerns raised by the September 11 terrorist attacks. Many are not limited to terrorism cases, but relate to criminal investigations. Some have been proposed by the Justice Department before, and some have even been rejected by Congressional committees.
In terms of the issues within the jurisdiction of this Committee, these are our top concerns:
A more detailed analysis of the Administration's bill follows below. Once again, we appreciate and commend this Committee's efforts to gather public input and to hold this hearing today. We hope the Committee will move forward with those provisions of its bill and the Administration's bill that are non-controversial and responsive to the tragic attacks of September 11, but will defer on the other more complex and divisive provisions that we have identified. We look forward to working with the Committee and staff to craft an appropriate response at this perilous moment in our country's history, and to avoid a rush to judgement on legislation that could ultimately imperil both freedom and security.
The Administration's bill has two kinds of provisions that give rise to concerns: those that would lower the standards for government surveillance and those that address the difficult question of information sharing.
In terms of collection standards, our law enforcement and intelligence agencies already have broad authority to monitor all kinds of communications, including email. Both the criminal wiretap statute and the Foreign Intelligence Surveillance Act already cover terrorism. For some time, it has been recognized that those standards need to strengthen the standards for government surveillance. We see no justification for the changes proposed in the Administration bill that weaken those standards. We are particularly opposed to changes that would eliminate the judicial review that can be the most important protection against abuse.
The Foreign Intelligence Surveillance Act allows the FBI to conduct electronic surveillance and secret physical searches in the US, including surveillance of US citizens, in international terrorism investigations. FISA also authorizes court orders for access to certain business records. As you know, the standards under FISA are much lower than the standards for criminal wiretaps, and in return, the surveillance is supposed to be focused on the collection of intelligence, not criminal evidence. The FISA court, which last year approved more than 1000 surveillance requests, has denied only one request in its 22 year history.
Distinct from the Administration's unsupportable desire to avoid judicial controls on its authority, perhaps the central and most important problem facing the Congress is the question of information sharing. For many years, this has been recognized as a very difficult question; it is one that will be especially difficult to resolve satisfactorily given the pressure-cooker atmosphere of this time. We want to work out a balanced solution. But it cannot be done by wiping away all rules and barriers. Any solution needs to preserve the fundamental proposition that the CIA and other intelligence agencies should not collect information on US citizens in the US.
As such, the Section would greatly increase access to the personal information of consumers or groups who are not agents of foreign powers. And in each case access the institutions granting access to consumer information would be prohibited from disclosing that information or records had been obtained.