« PrécédentContinuer »
user Dan Brown (EFF's system administrator]). A simple correlation of the timestamps on the transactions between the two computers will reveal that Dan Brown retrieved the file 'digitel.faq'.
1. Dan Brown Logs Onto <eff.org>
By examining the logs of the computer eff.org, we can determine when a specific individual logged onto and off of the network. This record is displayed below:
Because the user 'brown' is linked to Dan Brown through a unique personal password, this record indicates that Dan Brown was logged onto <eff.org> on Friday July 29 between 12:59 and 13:03.
II. Dan Brown Executes a File Transfer (ftp)
By examining the logs which record the programs run by users on <eff.org>, and noting the times at which those programs were run, we can determine when Dan Brown executed a file retrieval program (ftp). This record is displayed below (printed on July 29 at 13:15):
Note that the start and end times correspond to the period of time Dan was
We now turn our analysis to the records of the computer containing EFF's online file archives (the computer named <ftp.eff.org>). Again, a simple check of timestamps reveals that a user from <eff.org> made a connection using the file transfer program (ftp). These records are displayed below:
04 Jul 29 13:00:21 ftp.eff.org in.ftpd (5458): connect from firstname.lastname@example.org 12 Jul 29 13:01:20 ftp.eff.org ftpd (5458]: FTP session closed Note the direct correlation between the times indicated above and the times indicated on the previous two logs. This log shows that the file transfer program run by Dan Brown was exe uted on the computer <ftp.eff.org>, indicating that Dan Brown retrieved a file om EFF's online file archive.
IV. Logs from the File Archive Name the File Transferred to Dan Brown
One final check of the logs from EFF's online archive show which file Dan transferred to his own computer. We already know that Dan was logged onto the network between 12:59:03 and 13:03:14. We also know that he ran the file transfer program between 13:00:21 and 13:01:20. This has been confirmed by iogs from two separate computers. By examining one additional log on the computer containing EFF's online file archive (<ftp.eff.org>), we can see which particular file Dan retrieved. This log is displayed below:
Fri Jul 29 13:01:18 1994 1
This log shows that the file 'digitel.faq' was retrieved at 13:01:18 by a user logged onto the computer <eff.org>. Note that the exact time of the file retrieval corresponds to the time that Dan Brown was running the file retrieval program (as indicated on the logs described previously).
We have seen that Dan Brown was running the file retrieval program between 13:00:21 and 13:01:20. This is confirmed on the logs from both the computer Dan was logged onto (<eff.org>) as well as the computer containing the online file archive (<ftp.eff.org>). Because the logs also show that the only user running the file transfer program at that time was Dan Brown, we have now confirmed that Dan Brown retrieved the file 'digitel.faq'. FTP Logs Reveal the Actions of an Individual User and the Contents of those Transactions
Detailed transactional information from online information services enables anyone with access to these records to reconstruct a detailed picture of a user's actions. In this case, the logs show which document the user accessed. Because all users on the Internet and other online services are linked to their electronic identities by a unique password, transactional records which reveal the electronic identity of a user correspond directly with that individual. The electronic identity <brown @eff.org> is always Dan Brown. In the case of this example, transactional records reveal that Dan retrieved the file 'digitel.faq' from the online archives of the Electronic Frontier Foundation.
Transactions similar to the one illustrated here occur millions of times each day on computer networks throughout the United States. Furthermore, because computer logs record each and every transaction, it is not difficult to track the actions of any individual using an online service simply by examining such logs.
This type of detailed transactional information is not unique to Internet ftp sessions. It is captured in similar forms on computers throughout the online service world. Every time a user logs on to an online service, sends electronic mail, retrieves a file, or joins a discussion group, detailed information is collected in the normal course of completing these transactions. And, since virtually all users of online services are personally linked to their electronic identities by a unique password, all of these transactional records point directly to the actions of individual people.
PODESTA ASSOCIATES, INC.,
Washington, DC, May 29, 1991. Hon. DON EDWARDS, Subcommittee on Civil and Constitutional Rights, House Office Building, Washington, DC.
DEAR CONGRESSMAN EDWARDS: Enclosed please find a copy of the Final Report of the Privacy and Technology Task Force. The task force was appointed by Senator Patrick Leahy, Chairman of the Senate Subcommittee on Technology and the Law, and consisted of 15 members representing a wide array of business, consumer and privacy interests and experience. The task force was charged with examining new technologies and determining the adequacy and effectiveness of the protections found in current federal law (most notably in the Electronic Communications/Privacy Act).
While task force members disagreed—at times, strongly-on many issues, we reached consensus on many others. I believe the report raises a number of issues which may be of interest to you, and makes recommendations where possible, presenting alternate viewpoints where consensus was not reached. We delved into many complex and controversial issues facing society today: the privacy of new radio-based communications technologies, Caller ID, government wiretapping, dossier building, restrictions on the dissemination of customer proprietary network information and appropriate uses of information derived from phone calls to 800 and 900 numbers. I hope you find the report useful. Sincerely,
JOHN D. PODESTA,
CHAIR, Privacy and Technology Task Force.
FINAL REPORT OF THE PRIVACY AND TECHNOLOGY TASK FORCE SUBMITTED TO
SENATOR PATRICK J. LEAHY
In August 1990, Senator Patrick Leahy chaired a hearing of the Senate Judiciary Subcommittee on Technology and the Law. The hearing focused on Caller I.D. technology and the Electronic Communications Privacy Act (ECPA). At that hearing, Chairman Leahy became convinced that developments in the area of communications technology required a review of ECPA to ensure that the privacy protections within the statute had not been outdated by new technology. Senator Leahy was interested in an array of perspectives, so a task force was assembled with experts from a wide variety of fields: technology, business, consumer advocacy, the law, and civil liberties. (A list of members is provided in the appendix.) While the group was diverse, it was not constructed for, nor did it hold itself out as, representing every interest or view.
The task force was charged by Senator Leahy with examining current developments in communications technology and how they relate to the legal framework for protecting communications privacy. This examination was to focus on the extent to which the law in general, and ECPA, specifically, protects, or fails adequately to protect, personal and corporate communications privacy.
The task force studied a variety of newer communication media: cellular phones, personal communications networks, the newer generation of cordless phones, wireless modems, wireless local area networks (LAN's), and electronic mail and messaging. The task force also debated newer technological innovations with a focus on digital transmission of information and out of band communication signalling which is capable of carrying Calling Party Number with a privacy indicator. The task force also considered whether special privacy concerns were raised by the increased service offerings of Caller I.D. and 800 and 900 numbers. The task force examined the extent to which these technologies were regulated by the federal government, either through ECPA or the Communications Act of 1934 and whether they were regulated by state authorities. The task force discussions usually centered on the appropriate balance between privacy rights of one or both of the parties to the communication and the rights of the called party or a third party to employ devices which capture either the substance of a communication or detailed transactional information about the fact of the communication or the parties to it. The task force also discussed the extent to which the government had a right to monitor communications or obtain information about the communicants, by request, by subpoena, or by warrant.
As a starting point, the task force agreed that traditional privacy principles, embodied in the Constitution, must guide public policy with respect to communications privacy and the new technologies. Few social and commercial relationships remain unaffected by the introduction of new technologies_such as cellular and cordless phones, electronic mail, bulletin boards, and pagers. Traditional barriers of distance, time, and location are disappearing as our society comes to take these advanced forms of communication for granted. As new technologies become available, a tension is often created between existing societal values and expectations, and the commercial opportunities and outlets for personal expression created by these advances.
The task force agreed that peoples expectations of privacy should not be measured against what is technically possible. People care deeply about their privacy, and cherish the ability to control personal information. Even if they have done nothing wrong, or have nothing to hide, most people are offended if they are denied the ability to keep certain personal information confidential. Crucial to one's sense of self is the right to maintain some decision-making power over what information to divulge, to whom, and for what purpose. The uses of new technologies are always threatening to overtake current law, leaving society without a new set of laws and social mores to limit and define the extent to which new devices can be used to know all we can about each other, often without regard to each other's wish to keep information private.
National polls document a growing public demand for privacy protection. A Trends and Forecasts survey released in May 1989 found that seven out of ten consumers feel that personal privacy is very important to them, with many expressing the fear that their privacy is in jeopardy. Half of the people believe new laws are needed to protect their privacy. A May 1990 Harris study concluded: “Particularly striking is the pervasiveness of support for tough new ground rules governing computers and other information technology. Americans are not willing to endure abuse or misuse of information, and they overwhelmingly support action to do something about it."
After examining a wide array of technologies, and considering the privacy implications of them all,
there were significant points of agreement among task force members. However, the task force did not reach consensus on every question. The goal of this report is to set out points of agreement, to describe areas of controversy, and to recommend areas in need of further examination by the Subcommittee. Emerging communications technologies and the extent of protection by the electronic
communications privacy act of 1986 In 1984, Congress undertook to update the 1968 Wiretap Act to extend coverage to new forms of telecommunications. The effort culminated in the passage in 1986 of the Electronic Communications Privacy Act (ECPA). The 1968 Wiretap Act generally limited its protections to voice communications carried on a common carrier network. The 1986 Act expanded protection to voice and nonvoice electronic communications, whether carried on common carrier or through a private network. Title I of ECPA 1) protects wire (voice) or electronic communications, while in transmission, from illegal interception by unauthorized third parties, 2) creates standards and procedures for court authorized electronic surveillance, and 3) regulates when electronic communications firms may release the contents of communications during the transmission process. Title II of ECPA provides legal protection of the privacy of stored electronic communications, from both outside intruders and unauthorized government officials. By helping to ensure the confidentiality of electronic communications, ECPA encourages the development and use of new technologies.
ECPA has served as the foundation for legal protection of the privacy of electronic communications. However, five years after ECPA was enacted, a new array of technologies, which were only on the drawing board in 1986, are in the process of being deployed. These new technologies have highlighted the need for a review of the 1986 Act. Specifically, the task force perceived four trends which are challenging the existing statutory scheme for communications privacy: 1) There are a number of new radio-based communications technologies that are in the process of being deployed, that facilitate voice, data, and broadband communications, but that do not fall clearly within the protections afforded by ECPA; 2) There is a movement away from analog to digital transmission, digital being more easily protected at a lower cost; 3) Signalling System 7 which is in the process of being deployed by many of the nation's telephone companies, employs out-of-band signaling, and thereby creates both an opportunity for new services and enhanced concerns about the privacy of transactional information; and, finally, 4) customer premises equipment (CPE) can now perform a wider variety of functions which can be used to enhance or defeat privacy protections.
In analyzing these trends, the task force focused on the proper balance between the promise of these new technologies and the privacy rights of those who use elec
tronic communications equipment. The report will summarize the task force's conclusions, concerns and points of controversy in five major areas:
I) New Radio-Based Communications Technology and whether the content of communications carried on these technologies is or should be protected by federal law.
II) Out-of-Band Signaling and new service offerings and the related privacy risks from disclosure of transactional information (especially the calling party's number).
III) 800 and 900 Numbers and the appropriate use of customer information obtained by businesses employing these technologies.
IV) Electronic Mail and concerns about the privacy of electronic messages carried on private networks.
Government Monitoring and the special concerns raised by the government's action, where it has obtained a valid warrant, to segregate and monitor specific communications.
I. NEW RADIO-BASED COMMUNICATIONS TECHNOLOGY The Electronic Communications Privacy Act updated the 1968 Wiretap Act to deal with two major trends that were sweeping the telecommunications industry. First, ECPA broadened coverage from voice only to other forms of communication, including data and video. Second, ECPA expanded coverage from communications common carriers to all electronic communications whether or not carried by a regulated com
The new law failed to anticipate fully the expansion of the number and kinds of private communications that can and will be carried by "wireless” systems where some or all of the communication is carried by radio link. While the drafters of ECPA considered and drew distinctions between "cordless” and “cellular" phone technologies, the full range of potential service offerings was not well understood at the time.
The anticipated increase in the provision of such radio-based services and networks could dramatically change the current make-up of this country's telecommunications infrastructure and provide telecommunications consumers with added efficiency, cost-savings, and mobility. Radio-based communications may well displace many communications now carried on “wire” systems currently protected by federal law. Such communications will not fall neatly into the distinctions drawn by ECPA.
ECPA makes a key distinction between communications that are "readily accessible to the general public and those that are not.
Communications that are not readily accessible to the general public are protected, i.e., it is illegal to intentionally intercept such communications and any electronic surveillance carried out by government officials must be in compliance with ECPA, which generally requires court authorization, high-level administrative review and procedural safeguards.
Communications that are readily accessible to the general public” are not protected, i.e., it is not illegal to intercept the communication and government officials can monitor and use as evidence the content of the communication without first obtaining a warrant.
With regard to radio-based technologies, ECPA sets out a definition in the negative, i.e., it defines specific communications that are not readily accessible to the general public. Section 2510 (16) states: "readily accessible to the general public" means, with respect to a radio communication, that such communication is notA) scrambled or encrypted; B) transmitted using modulation techniques whose essential parameters have been withheld from the public with the intention of preserving the privacy of such communication; C) carried on a subcarrier or other signal subsidiary to a radio transmission; D) transmitted over a communication system provided by a common carrier, unless the communication is a tone only paging system communication; or E) transmitted on frequencies allocated under part 25, subpart D, E, or F of part 74, or part 94 of the Rules of the Federal Communications Commission, unless, in the case of a communication transmitted on a frequency allocated under part 74 that is not exclusively allocated to broadcast auxiliary services, the communication is a two-way voice communication by radio * * *
In addition to drawing the above distinctions between communications which are not readily accessible to the general public, ECPA exempts from its coverage "the radio portion of a cordless telephone that is transmitted between the cordless telephone handset and the base unit.” 18 U.S.C. Section 2510(1) and (12)
The drafters of ECPA relied on distinctions between communications technologies which, in 1986, made it difficult to intentionally target and monitor specific communications (where a reasonable expectation of privacy could be said to exist) and