Testimony of James X. Dempsey
Senior Staff Counsel
Center for Democracy and Technology
before the
Senate Judiciary Committee
May 25, 2000
Chairman Hatch, we thank you and Senator Leahy for the opportunity to testify today on the important issue of Internet security and privacy. We congratulate both of you, and Senator Schumer, for your leadership and foresight in beginning to grapple with these difficult issues, both from the law enforcement perspective and from the consumer privacy perspective. S. 2448 and the other introduced bills have served to launch an important dialogue. Consensus has not been achieved yet, and we share with you today some of our concerns about various proposals that are being put forth, but CDT is committed to working with you, Mr. Chairman, and other members of this Committee, to develop narrowly focused and properly balanced legislation.
The Center for Democracy and Technology is a non-profit, public interest organization dedicated to promoting civil liberties and democratic values on the Internet. Our core goals include ensuring that the Constitution's protections extend to the Internet and other digital information technologies, and that public policies and technical solutions provide individuals with control over their personal information online. CDT also coordinates the Digital Privacy and Security Working Group (DPSWG), a forum for more than 50 computer, communications, and public interest organizations, companies and associations working on information privacy and security issues.
Our main points today are three-fold:
A starting point in resolving this apparent dilemma is to recognize that the Internet is a uniquely decentralized, user-controlled medium. Hacking, unauthorized access to computers, denial of service attacks, and the theft, alteration or destruction of data are all already federal crimes, and appropriately so. But Internet security is not a problem primarily within the control of the federal government. Particularly, it is not a problem to be solved through the criminal justice system. Internet security is primarily a matter most effectively addressed by the private sector, which has built this amazing medium in such a short time without government interference. It is clear that the private sector is stepping up its security efforts, with an effectiveness that the government could never match, given the rapid pace of technology change and the decentralized nature of the medium. The tools for warning, diagnosing, preventing and even investigating infrastructure attacks through computer networks are uniquely in the hands of the private sector. In these ways, Internet crime is quite different from other forms of crime. While the potential for the government to help is limited, the risk of government doing harm through design mandates or further intrusions on privacy is very high.
Second, while the Justice Department frequently complains that digital technologies pose new challenges to law enforcement, it is clear, if you look at the Justice Department's record, that the digital revolution has been a boon to government surveillance and collection of information. In testimony on February 16, 2000 before the Senate appropriations subcommittee, FBI Director Freeh outlined the Bureau's success in many computer crime cases. Online surveillance and tracking led to the arrest of the Phonemasters who stole calling card numbers; the Solar Sunrise culprits, several of whom were located in Israel; an intruder on NASA computers, who was arrested and convicted in Canada; the thieves who manipulated Citibank's computers and who were arrested with cooperation of Russian authorities; Julio Cesar Ardita, who was tracked electronically to Argentina; and the creator of the Melissa virus, among others. Computer files are a rich source of stored evidence: in a single investigation last year, the FBI seized enough computer data to nearly fill the Library of Congress twice. Electronic surveillance is going up, not down, in the face of new technologies. The FBI estimates that over the next decade, given planned improvements in the digital collection and analysis of communications, the number of wiretaps will increase 300 per cent. Last year, the largest rate of increase in government intercepts under Title III involved newer electronic technologies, such as email, fax and wireless devices. Online service providers, Internet portals and Web sites are facing a deluge of government subpoenas for records about online activities of their customers. Everywhere we go on the Internet we leave digital fingerprints, which can be tracked by marketers and government agencies alike. The FBI in its budget request for FY 2001 seeks additional funds to "data mine" these public and private sources of digital information for their intelligence value.
Considering the broad sweep of the digital revolution, it is apparent that the major problem now is not that technology is outpacing government's ability to investigate crime, but, to the contrary, that changes in communications and computer technology have outpaced the privacy protections in our laws. Technology is making ever-increasing amounts of information available to government under minimal standards falling far short of Fourth Amendment protections.
Nonetheless, the Justice Department is seeking further expansions in its surveillance authorities. But surely, before enacting any enhancements to government power, we should ensure that current laws adequately protect privacy. For example, the government wants to extend the pen register statute to the Internet and create a "roving" pen register authority. Yet, the current standard for pen registers imposes no effective control on the government, reducing judges to mere rubber-stamps. And pen register as applied to Internet communications are even more revealing. In this and other cases, we must tighten the standards for government surveillance and access to information, thus restoring a balance between government surveillance and personal privacy and building user trust and confidence in these economically vital new media. CDT is prepared to work with the Committee and the Justice Department to flesh out the needed privacy enhancements and to convene our DPSWG working group as a forum for building consensus.
Background: Fourth Amendment Privacy Principles
To understand how far current privacy protections diverge from the principles of the Constitution, we should start with the protections accorded by the Fourth Amendment. If the government wants access to your papers or effects in your home or office, it has to meet a high standard:
The Supreme Court held in 1967 that wiretapping is a search and seizure and that telephone conversations are entitled to protection under the Fourth Amendment. Katz v. United States, 389 U.S. 347 (1967), Berger v. New York, 388 U.S. 41 (1967). Congress responded by adopting Title III of the Omnibus Crime Control and Safe Streets Act of 1968, requiring a court order based on a finding of probable cause to intercept wire or oral (i.e., face-to-face) communications. 18 U.S.C. §2510 et seq. However, Congress did not require the contemporaneous notice normally accorded at the time of a search and seizure. This was a fateful decision, but, the government argued, to give contemporaneous notice would defeat the effectiveness of the surveillance technique. In part to make up for the absence of notice, and recognizing the other uniquely intrusive aspects of wiretapping, Congress added to Title III requirements that go beyond the protections of the Fourth Amendment. These additional protections included: permitting the use of wiretaps only for investigations of a short list of very serious crimes; requiring high-level Justice Department approval before court authorization can be sought; requiring law enforcement agencies to exhaust other, less intrusive techniques before turning to eavesdropping; directing them to minimize the interception of innocent conversations; providing for periodic judicial oversight of the progress of a wiretap; establishing a statutory suppression rule; and requiring detailed annual reports to be published on the number and nature of wiretaps. [ 1 ]
After it ruled that there was an expectation of privacy in communications, the Supreme Court took a step that had serious adverse consequences for privacy: It held that personal information given to a third party loses its Fourth Amendment protection. This rule was stated first in a case involving bank records, United States v. Miller, 425 U.S. 435 (1976), but it is wide-ranging and now serves as the basis for government access to all of the records that together constitute a profile of our lives, both online and offline: credit, medical, purchasing, travel, car rental, etc. In the absence of a specific statute, these records are available to law enforcement for the asking and can be compelled with a mere subpoena issued without meaningful judicial control.
In 1979, a third piece of the privacy scheme was put in place when the Supreme Court held that there is no constitutionally-protected privacy interest in the numbers one dials to initiate a telephone call -- data collected under a device known as a "pen register." Smith v. Maryland, 442 U.S. 735, 742 (1979). While the Court was careful to limit the scope of its decision, and emphasized subsequently that pen registers collect only a very narrow range of information, the view has grown up that transactional data concerning communications is not constitutionally protected. Yet, in an increasingly connected world, a recording of every telephone number dialed and the source of every call received can provide a very complete picture -- a profile -- of a person's associations, habits, contacts, interests and activities. (Extending this to email and other electronic communications can, as we explain below, be even more revealing.)
In 1986, as cellular telephones service became available and email and other computer-to-computer communications were developing, this Committee recognized that the privacy law was woefully out of date. Title III anachronistically protected only wire and voice communications: it did not clearly cover wireless phone conversations or email. In response, under the leadership of Senator Leahy, Congress adopted the Electronic Communications Privacy Act of 1986 (ECPA). ECPA did several things: it made it clear that wireless voice communications were covered to the same degree as wireline voice communications. It extended some, but not all, of Title III's privacy protections to electronic communications intercepted in real-time.
ECPA also set standards for access to stored email and other electronic communications and transactional records (subscriber identifying information, logs, toll records). 18 USC § 2701 et seq. And it adopted the pen register and trap and trace statute, 18 USC § 3121 et seq., governing real-time interception of "the numbers dialed or otherwise transmitted on a telephone line." (A pen register collects the "electronic or other impulses" that identify "the numbers dialed" for outgoing calls and a trap and trace device collects "the originating number" for incoming calls.) To obtain such an order, the government need merely certify that "the information likely to be obtained is relevant to an ongoing criminal investigation." 18 USC §§ 3122-23. (There is no constitutional or statutory threshold for opening a criminal investigation.) The law states that the judge "shall" approve any request signed by a prosecutor.
ECPA did not, however, extend full Title III protections to email sitting on the server of an ISP. Instead, it set up a two-tiered rule: email in "electronic storage" with a service provider for 180 days or less may be obtained only pursuant to a search warrant, which requires a finding of probable cause, but the additional protections of Title III -- limited number of crimes, high level approval, judicial supervision -- do not apply. Email in storage for more than 180 days and data stored on a "remote computing service" may be obtained with a warrant or a mere subpoena. In no case is the user entitled to contemporaneous notice. The email portions of ECPA also do not include a statutory suppression rule for government violations and do not require annual reports of how often and under what government access, which are critical for public or congressional oversight.
Mapping the Fourth Amendment onto Cyberspace
Remarkably, ECPA was the last significant update to the privacy standards of the electronic surveillance laws. Astonishing and unanticipated changes have occurred since 1986:
It is clear that the surveillance laws' privacy protections are too weak:
The importance of these questions is heightened by the fact that transactional or addressing data for electronic communications like email and Web browsing can be much more revealing than telephone numbers dialed. First, email addresses are more personally revealing than phone numbers because email addresses are unique to individual users. Furthermore, if the pen register authority applies to URLs or the names of files transmitted under a file transfer protocol, then the addressing information can actually convey the substance or purport of a communication. For example, a search for "heart disease" information through a search engine creates a URL that indicates exactly what content a Web surfer is exploring.
Outlining the Necessary Privacy Enhancements
To update the privacy laws, Congress should start with the following issues:
Comments on S. 2448
S. 2448 represents an effort to address a range of Internet privacy and security concerns without creating an unwieldy bill. We appreciate the Chairman's decision to stay away from some contentious issues, particularly the Justice Department's request for "roving" pen registers for the Internet, and we hope you will work to keep the bill from being weighted down with other proposals that would expand government surveillance power without adequate privacy standards.
In many ways, we have a robust computer crime law. The Computer Fraud and Abuse Act was originally passed in 1984 and was amended in 1986, 1994 and 1996. It protects a broad range of computers and is quite comprehensive. By its terms, it clearly covers the recent "love bug" virus, the Melissa virus and the denial of service attacks in February, even those that were created and launched from overseas.
The main effect of S. 2448's criminal provisions would be to extend federal jurisdiction over minor computer abuses not previously thought serious enough to merit federal resources. Currently, federal jurisdiction exists for some computer crimes only if they result in at least $5,000 of aggregate damage or cause especially significant damage, such as any impairment of medical records, or pose a threat to public safety. Any virus affecting more than a few computers easily meets the $5,000 threshold. S. 2448 would eliminate even this low threshold.
Specifically, the bill would make it a felony to send any transmission intending to cause damage or to intentionally access a computer and recklessly cause damage, punishable for up to 3 years in prison, even if the damage caused is negligible. In addition, the bill would make it a misdemeanor to intentionally access any computer and cause damage, even unintentional damage, again regardless of the extent of such damage.
Perhaps unintentionally, these changes would federalize a range of de minimis intrusions on another's computer:
The elimination of any thresholds is particularly questionable in light of sections of S. 2448 that would amend the forfeiture law in ways that could result in seizure by the government of the house in which sat a computer used in hacking and expand wiretap authority by making all computer crimes a predicate for wiretaps.
Another part of S. 2448 permits the US Attorney General to provide computer crime evidence to foreign law enforcement authorities "without regard to whether the conduct investigated violates any Federal computer crime law." It is unclear whether this expands the Justice Department's investigative authority to investigate lawful conduct in the US at the request of foreign governments.
On the consumer privacy side, S. 2448 has other provisions that would bring about some improvements in privacy, although there are some problems with the bill.
Justice Department Proposals
Our greatest concern, however, is with Justice Department and other proposals for expansions in government surveillance or data access authority. One area of serious concern is Sen. Schumer's bill S. 2092, which, in its current form, extends pen register authority over the Internet in broad and ill-defined ways. S. 2092 also would give every federal pen register and trap and trace order nationwide effect, without limit and without requiring the government to make a showing of need, creating a sort of "roving pen register." We have shared our privacy concerns with Sen. Schumer, along with our specific recommendations for improvements, and we hope that a more balanced bill could be agreed upon. We have prepared for Sen. Schumer and interested parties a detailed memo, which I would request be made a part of the record of this hearing.
S. 2092 focuses on pen registers, which collect the numbers dialed on outgoing calls, and trap and trace devices, which collect the phone numbers identifying incoming calls. These surveillance devices have long been used by law enforcement in the plain old telephone world. Because they are not supposed to identify the parties to a communication nor whether the communication was even completed, the standard for approval of a pen register is very low: the law provides that a judge "shall" approve any request by the government that claims the information sought is "relevant" to an investigation. This really says that the court must rubber stamp any government request.
The pen register and trap and trace statute only applies to the numbers dialed or otherwise transmitted on the telephone line to which the device is attached. S. 2092 would extend the pen register and trap and trace authority to all Internet traffic. It does so with very broad terminology, stating that the pen register can collect "dialing, routing, addressing or signaling information," without further definition. It needs to be made clear that pen registers do not sweep in search queries or URLs that identify specific documents viewed online or include personal information.
It is time to give the pen register statute real privacy teeth, requring the government to actually justify its requests to a judge's satisfaction. Also, if nationwide service is to be available, it should be on the basis of a specific showing of need, and should be limited both by time and other parameters.
Conclusion
We do not need a new Fourth Amendment for cyberspace. The one we have is good enough. But we need to recognize that people are conducting more and more of their lives online. They are storing increasing amounts of sensitive data on networks. They are using technology that can paint a full profile of their personal lives. The pricetag for this technology should not include a loss of privacy. It should not be the end of the privacy debate to say that technological change takes information outside the protection of the Fourth Amendment as interpreted by the courts 25 years ago. Nor is it adequate to say that individuals are voluntarily surrendering their privacy by using new computer and communications technologies. What we need is to translate the Fourth Amendment's vision of limited government power and strong protections for personal privacy to the global, decentralized, networked environment of the Internet. This should be the Committee's first task.
[ 1 ] Over time, though, many of these additional protections have been substantially watered down. The list of crimes has been expanded, from the initial 26 to nearly 100 today and more are added every Congress. Minimization is rarely enforced by the courts. The exhaustion requirement has been weakened. Evidence is rarely excluded for violations of the statute. Almost every year, the number of wiretaps goes up - 12% in 1998 alone. Judicial denials are rare - only 3 in the last 10 years. The average duration of wiretaps has doubled since 1988. So even in the world of plain old telephone service we have seen an erosion of privacy protections. The fragility of these standards is even more disconcerting when paired with the FBI's "Digital Storm" plans for digital collection, voice recognition and key word searching, which will reduce if not eliminate the practical constraints that have up to now limited the volume of information that the government can intercept.