Maintaining operational separation between law enforcement agents and communication networks is an important privacy safeguard. 6. Privacy considerations essential to development of new technology One of the requirements that telecommunications carriers must meet to be in compliance with the Act is that the wiretap access methods adopted must protect the privacy and security of each user's communication. If this requirement is not met, anyone may petition the FCC to have the wiretap access service be modified so that network security is maintained. This requirement, just like those designed to serve law enforcement's needs, must be carefully implemented and monitored so that, the technology used to conduct wiretaps cannot also jeopardize the security of the network as a whole. If network-wide security problems arise because of wiretapping standards, then the standards should be overturned. B. DIGITAL TELEPHONY REQUIREMENTS NARROWED AND PUBLIC PROCESS BROADENED In addition to the privacy protections added to this bill, we also note that the surveillance requirements are not as far-reaching as the original FBI version. A number of procedural safeguards are added which seek to minimize the threatens to privacy, security, and innovation. Though the underlying premise of the Act is still cause for concern, these new limitations deserve attention: 1. Narrow scope The bill explicitly excludes Internet providers, email systems, BBS's, and other online services. Unlike the bills previously proposed by the FBI, this bill is limited to local and long distance telephone companies, cellular and PCS providers, and other common carriers. 2. Open process with public right of intervention The public will have access to information about the implementation of the Act, including open access to all standards adopted in compliance with the Act, the details of how much wiretap capacity the government demands, and a detailed accounting of all federal money paid to carriers for modifications to their networks. Privacy groups, industry interests, and anyone else has a statutory right under this bill to challenge implementation steps taken by law enforcement if they threaten privacy or impede technology advancement. 3. Technical requirements standards developed by industry instead of the Attorney General All surveillance requirements are to be implemented according to standards developed by industry groups. The government is specifically precluded from forcing any particular technical standard, and all requirements are qualified by notions of economic and technical reasonableness. 4. Right to deploy untappable services Unlike the original FBI proposal, this bill recognizes that there may be services which are untappable, even with Herculean effort to accommodate surveillance needs. We understand that the bill intends to allow untappable services to be deployed if redesign is not economically or technically feasible. These provisions, however, should be clarified. C. PROVISIONS THAT REQUIRE FURTHER AMENDMENT BEFORE FINAL PASSAGE EFF plans to work on the following issues in the bill as the legislative process continues: 1. Strengthened public process In the first four years of the bill's implementation, most of the requests that law enforcement makes to carriers are required to be recorded in the public record. However, additional demands for compliance after that time are only required to be made by written notice to the carrier. All compliance requirements, whether initial requests or subsequent modification, must be recorded in the Federal Register, to allow for public scrutiny. 2. Linkage of cost to compliance requirements-the FBI gets what it pays for and no more The bill authorizes, but does not appropriate, $500 million to be spent by the government in reimbursing telecommunications carriers for bringing their networks into compliance with the bill. The FBI maintains that this is enough money to cover all reasonable expenses. The industry, however, has consistently maintained that the costs are five to ten times higher. Given the FBI's confidence in their cost estimate, we believe that telecommunications carriers should only be required to comply to the extent that they have been reimbursed. The bill as introduced wisely includes detailed reporting requirements for all reimbursements to carriers for retrofits during the first four years. Not only is this fiscally responsible, but also it allows those concerned about privacy and civil liberties to monitor the deployment of surveillance technology. From a civil-liberties perspective, this is a crucial safeguard. However, after four years, reimbursement will be limited to costs incurred for adding capacity only, not including surveillance capability in new services. This defeats the purpose of providing public scrutiny of the government's surveillance expenditures. We are concerned that failure to limit the bill's requirements to actual reimbursements will cause deployment of unnecessary surveillance capability around the country that would be a threat to privacy and civil liberties. 3. Ensure right to deploy untappable services The enforcement provisions of the bill suggest, but do not state explicitly, that services which are untappable may be deployed. The bill should be state directly that if it is technically and economically unreasonable to make a service tappable, then it may be deployed, without interference by a court. 4. Clarify definition of call identifying information The definition of call identifying information in the bill is too broad. Whether intentionally or not, the term now covers network signaling information of networks which are beyond the scope of the bill. As drafted the definition would appear to require telecommunications carriers to deliver not only the signaling information generated by their own services, but also the signaling information generated by information services and electronic communication services that travel over the facilities of the telecommunication carrier. In many cases this may be technically impractical. Moreover, it is contrary to the policy adopted by the bill to maintain a narrow scope. 5. Review of minimization requirements in view of commingled communications The bill implicitly contemplates that law enforcement, in some cases, will intercept large bundles of communications, some of which are from subscribers who are not subject of wiretap orders. For example, when tapping a single individual whose calls are handled by a PBX, law enforcement may sweep in calls of other individuals as well. Currently the Constitution and Title III requires "minimization" procedures in all wiretaps, to minimize the intrusion on the privacy of conversations not covered by a court's wiretap order. In the world of 1968, when the original Wiretap Act was passed, most subscribers telecommunications facilities carried single conversations on single lines. But today, many conversations are co-mingled on one broadband communications facility. In order to ensure that constitutionally-mandated minimization is maintained, the bill should recognize that stronger minimization procedures may be required. D. CONCLUSION In closing, I would like to thank both subcommittees, as well as others who have worked so hard on this legislation. The Electronic Frontier Foundation looks forward to working with all of you as the bill moves through the legislative process. Chairman PATRICK LEAHY, Subcommittee on Law and Technology, Chairman DON EDWARDS, Subcommittee on Civil and Constitutional Rights, DEAR CHAIRMEN LEAHY AND EDWARDS, All of us in the Digital Privacy and Security Working Group wish to thank you and your staffs for the extraordinary leadership that you have shown in the process of crafting Digital Telephony legislation. Over the last few months, the bill has been transformed from a proposal that was wholly one-sided to one that is considerably more reasonable. However, one of the most significant outstanding issues is the calculation of the overall costs that will be incurred in complying with the bill, and the appropriate policy for determining who should pay for this compliance. Among the major improvements of the Leahy/Edwards bill over the original Bush Administration proposals is that the federal government has taken responsibility to pay for at least the initial retrofit costs incurred in complying with the requirements of the Act. However, the magnitude of these costs remains a source of significant dispute. • No reliable costs estimates-FBI estimates are too low and based on faulty assumptions The legislation as introduced authorizes $500 million over a four year period to pay for redesign of services that the FBI believes are currently causing problems. Yet Director Freeh himself testified before your joint hearing in March that costs could run to $1.5 billion. Industry estimates put compliance costs at $2 billion to $3 billion dollars. While we are awaiting the report from the General Accounting Office on the cost issue, we already have further reason to doubt the FBI's cost estimates. For example, we know that the FBI estimates fail to account for new competitors that are already entering the local telecommunications market in competition with the local exchange carriers. Cable companies, for example, are already deploying technology which will allow them to offer local telephone services as a complete replacement for the service now provided by the local telephone companies. Yet, the FBI has failed to account for the costs that these new firms may incur under the Act as proposed. We hope that you will use the hearing process now beginning to explore on the public record the true costs of the FBI's proposal. That current costs estimates diverge by factor of at least six causes us great concern. • Failure to cover "out year" costs assumes static technology and will stifle Innovation and competition The structure of the current bill presumes that capability compliance costs will be de minimis after the first four years of retrofits are completed. We disagree with this presumption. Four to six years may or may not be enough time to modify current telecommunication services to meet law enforcement needs. Yet new services are being deployed every day in the telecommunications market. In some cases, accomplishing surveillance needs may be relatively simple during the design process. But in other cases, substantial effort and expense will be required. If the bill is enacted with its current cost treatment, it will certainly discourage the deployment of new communications services once reimbursement is no longer available. The four-year cap on reimbursement also ignores the fact that many new competitors are planning to enter the telecommunications market. No matter how this legislation is ultimately written, the technology needed to comply will be packaged by telecommunications equipment manufacturers as individual features. Each feature carries a cost to the manufacturer and a price to the telecommunications carriers that purchase them. New entrants into the communications marketplace would have to purchase these features. If they enter after the four-year reimbursement period expires, then they would have to bear the cost on their own, despite the fact that the incumbents in the market may have been reimbursed for that same cost by the federal government. As such, the current reimbursement structure runs counter to the overall United States communications policy, which seeks to promote competition in the local telecommunications market. • Privacy and civil liberties will be victim without firm spending cap The Leahy/Edwards bill as introduced wisely includes detailed reporting requirements for all reimbursements to carriers for retrofits during the first four years. Not only is this fiscally responsible, but also it allows those concerned about privacy and civil liberties to monitor the deployment of surveillance technology. From a civil-liberties perspective, this is a crucial safeguard. After four years however, reimbursement will be limited to costs incurred for adding capacity only, not including surveillance capability in new services. This defeats the purpose of providing public scrutiny of the government's surveillance expenditures. We are concerned that failure to limit the bill's requirements to actual reimbursements will cause deployment of unnecessary surveillance capability around the country that would be a threat to privacy and civil liberties. • Proposal Expand current bill's provisions which link compliance obligations to reimbursements In recognition of the fact that current cost estimates are inconclusive, and that the long-term cost of compliance is virtually impossible to estimate, we recommend that existing provisions in the bill that link compliance obligations to reimbursement be expanded. In the first four years, telecommunications carriers should be liable for compliance only to the extent that they have been reimbursed by law enforcement for the costs of retrofitting existing services. Such a provision would actually allow the Attorney General to allocate limited resources in the most efficient way possible and would eliminate pressure from carriers to be reimbursed for retrofits which law enforcement does not consider critical. Data supplied by the Department of Justice shows that the bulk of wiretaps occur in a very few areas of the country and only in the context of certain services. For example, in 1993 there were 225 taps on cellular phone services, but fully 50 percent of those occurred in only two states, New York and Florida. (Similar patterns exist for wireline taps.) It would make sense, then, to target appropriated money to those areas where the need for retrofitting is great. However, since all cellular and wireline networks around the country are required to comply with the bill, they may request reimbursement from the Attorney General. Linking liability to reimbursement would give law enforcement the leeway to allocate its resources in the most sensible, efficient manner possible, and eliminate the need to pay for retrofits in areas, or for services, where the costs dramatically outweigh the benefits. Following the four-year cutoff, existing telecommunications carriers as well as new entrants face substantial compliance costs, especially where new services are not easy to shape to law enforcement's requirements. Thus, there should be a mechanism for securing reimbursement. If, after four years, costs are truly de minimis, then the expenses born by the taxpayer will be minimal. If, however, costs are substantial, the burden of compliance cannot be expected to be absorbed by private companies. The same linkage between reimbursement and compliance in the first four years should be applied to capability requirements in later years. This would protect American consumers from unreasonable demands by the government to pass surveillance costs through to the public sector and avoid public scrutiny. We thank you for consideration of this matter, and look forward to working with you and your staffs toward a solution to this very important unresolved issue. Sincerely, AT&T, CELLULAR TELECOMMUNICATIONS COMPUTER & COMMUNICATIONS COMPUTER AND BUSINESS EQUIPMENT ELECTRONIC FRONTIER FOUNDATION, INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS UNITED STATES ACTIVITIES, MCCAW CELLULAR COMMUNICATIONS, UNITED STATES TELEPHONE ASSOCIATION. Expanded Protection for Online Ways may some day be developed by which the Government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home.... Can it be that the Constitution affords no protection against such invasions of individual security?1 Electronic Frontier Washington, DC 20001 Phone: (202)347-5400 In the eight years since the enactment of ECPA, society's patterns of using electronic communication technology have changed dramatically. Over twenty million people now have electronic mail addresses, numerous business, nonprofit and political groups conduct work over the Internet, and "cyberspace" has become a household world. Indeed, it is now commonplace to speak about "life online." Records of all of these activities -- who sends a message to whom, where a given communications device is located, which political party one contacts for information, and which online discussion group or virtual community one associates with -- are available both in real time and in stored form as part of the transactional information generated by advanced computer and communications networks. With increasing use of telecommunications, this transactional information reveals almost as much about our private lives as would be learned if someone literally followed us around on the street, watching our every move. As the ECPA drafters recognized, "the law must advance with the technology to ensure the continued vitality of the Fourth Amendment."2 Under current law, much of this transactional information may be available to law enforcement merely by subpoena which recites that the requested information is "relevant to an ongoing investigation."3 In response to dramatic changes in the way that people use electronic communication services, ECPA should be revised to reflect the increasingly sensitive nature of network transactional information 1 Olmstead v. United States, 277 U.S. 438, 467 (1928) (Brandeis, J., dissenting) (cited in ECPA Senate Report). 2 ECPA Senate Report, p.5 3 18 USC 2703(d). As will be discussed below, the statutory distinction between contents and records is unclear, so that current scope of law enforcement access is rɔt a matter of settled law. |