Images de page
PDF
ePub

• None of the FBI field offices has yet documented an instance where a lawful intercept was frustrated as a result of advances in digital technology. (CPSR v. FBI, 92-2117, D.D.C.)

As early as 1992, the FBI anticipated that private communications firms would strongly oppose the legislative proposal.

The plan to make the network easier to wiretap was code-named "Operation Root Canal"

The FBI also classified certain portions of the 1992 GAO assessment of the Digital Telephony proposal, thus keeping relevant information about the potential problems with the proposal from the public.

Assessment

The Clipper proposal resulted from the National Security Agency's desire to develop surveillance standards for US communications networks. Clipper was not developed by the agency charged with developing technical standards, nor do network user support the standard.

The Digital Telephony proposal is based on the suspect premise that new technologies have hindered the ability of law enforcement to conduct criminal investigations. In fact, new technologies have clearly expanded the ability of law enforcement to monitor individuals, to gather personal data, and to obtain transactional records generated by telephone communications.

The real challenge facing the Judiciary Committees is to narrow the scope, not expand, of the permissible seizure of personal information generated by advanced communications networks. In particular:

1) Amendments to the ECPA should narrow the use of subpoenas to obtain telephone toll records. The increasing use of subpoenas combined with the growth of digital networks has increased dramatically the amount of information available to law enforcement that does not require a judicial warrant. This trend runs contrary to the spirit of the federal wiretap statute and should be reversed.

2) Amendments to the ECPA should require annual reporting requirements that detail the number of requests for telephone toll records, telephone lines covered, and records obtained. Similar reporting requirements currently exist for wiretap and pen register warrants.

3) A privacy agency should be established within the federal government. Such an agency could help ensure that proposals such as the Digital Telephony proposal are not put forward without a proper review by an agency competent to evaluate the implications of such a plan.

Though some have described encryption as a form of "societal paranoia," there can be no doubt that encryption is the single most important technology for the protection of communications privacy. Not only does encryption provide for the confidential transmission of electronic communications, it also permits the authentication of business documents, and provides the basis for new forms of private communications. Policies that restrict the development of encryption or expand the ability of law enforcement to gather personal data will reduce privacy protection and diminish the value of communication networks in the United States.

We appreciate your consideration of our views. We would be pleased to provide to you or your staffs whatever additional information you request.

[blocks in formation]

Hon. PATRICK J. LEAHY,

Subcommittee on Technology and the Law,

U.S. Senate, Washington, DC.

Hon. DON EDWARDS,

DISTRICT ATTORNEY'S OFFICE,
Philadelphia, PA, March 28, 1994.

Subcommittee on Civil and Constitutional Rights,

U.S. House, Washington, DC.

DEAR SENATOR LEAHY AND CONGRESSMAN EDWARDS: In response to the NDAA memorandum from Jim Polley inquiring about law enforcement's concern as it relates to digital telephony, I offer the following:

In the Fall of 1991, this office was involved in an investigation which involved the extensive use of cellular telephones by the targets. One of the features being offered by the cellular industry is called "Follow Me Roaming". This feature allows a cellular telephone, operating out of its home switch to have all incoming calls automatically forwarded to it no matter where in the country it is operating. If a court authorized intercept is being conducted on this particular instrument, it would appear to be inactive to us but could still be making and receiving calls. This occurs because once "Follow Me Roaming" is activated, the cellular system, which our equipment is attached to, treats the call in a different fashion and routes the calls through a data link instead of through a normal voice channel. Due to the fact that "Follow Me Roaming" is activated and de-activated on a daily basis, the target instrument is assigned a temporary telephone number which changes daily. Even the target does not know what this number is. Any person involved in a criminal activity who is aware of this technology would know that, except on possibly a federal level, with the expenditure of great resources and a great amount of cooperation from the various cellular companies, this telephone cannot be intercepted. An example of how this could be used, without the target roaming around the country is as follows:

1) I travel to Washington, DC and, through a contact or my own resources, I have a cellular telephone activated, through the local carrier with a 202 area code.

2) I return to Philadelphia and activate "Follow Me Roaming."

3) Any outgoing calls made by me on this telephone would be going through the Philadelphia carrier and then into a land line. They would never even hit my home switch in Washington.

4) Any incoming calls made to my assigned 202 telephone number would automatically be forwarded to me in Philadelphia to the telephone number that my instrument had been temporarily assigned on that particular day. This process would be completely transparent to any intercept equipment attached to the switching office in my home area. It would appear, to anyone monitoring my telephone, that it was not in use.

company, I could do

As long as I kept my bill current with the mobile telephone company, this indefinitely.

Another problem that we have encountered with the telephone company is the installation of a trap and trace on a telephone number assigned to a pager. The position of Bell of PA is that this cannot be done by them but must be done by the paging company. I disagree with the telephone company and feel that this is an instance where their legal department does not want to get involved in a potential problem with a large customer (i.e. a paging company). The paging company is only responsible for what is being sent out over the air. Until the incoming call connects with the paging company's computerized equipment, it is handled by the local telephone company just like any other call. This means that the telephone number of the pager, just like your home telephone number, appears on a frame in a switch and is routed through the telephone equipment just like any other call. Once it hits the paging company's computer, it then becomes their responsibility. In fact, in all other states that have the Caller I.D. function, the paging companies are able to pass the incoming telephone number on to the pager. This is information that they receive from the telephone company. We have been unsuccessful in getting Bell of PA to comply with any court order to date. This is an issue that should be specifically addressed by the Digital Telephony and Communications Privacy Improvement Act of 1994 and made applicable to all telephone companies (Baby Bells, or other

wise) as well as to those companies whose business interacts with local and national phone companies.

Sincerely,

Mr. CASIMIR S. SKRZYPCZAK,

LYNNE ABRAHAM,
District Attorney.

U.S. DEPARTMENT OF JUSTICE, FEDERAL BUREAU OF INVESTIGATION, Washington DC, January 5, 1994.

President, NYNEX Science and Technologies, Inc.,
White Plains, NY.

DEAR MR. SKRZYPCZAK: Upon receipt of your November 8, 1993, letter, my staff and I conducted a careful and detailed review of the results of the industry working group, which was formed at the request of industry, in March 1992 to address the electronic surveillance requirements of our Nation's state and federal law enforcement agencies. According to senior telecommunications executives, this group was to be "the approach" to address law enforcement's concerns in this area. Although the efforts of industry have been useful to a degree, an honest and candid assessment of the results achieved to date, unfortunately, leads me to conclude that this body does not appear to be equipped or able to develop and implement the solutions that are needed to remove the current and emerging impediments which prevent or hinder law enforcement agencies in executing court orders for electronic surveillance. Although I have held out hope that the industry working group, the Alliance for Telecommunications Industry Solutions (ATIS), and the Electronic Communications Service providers Committee (ECSPC) would provide a mechanism for achieving solutions and removing the impediments, this recent assessment compels me to acknowledge that these efforts have been inadequate.

As I mentioned in my letter of September 28, 1993, at the outset, back in March 1992, we were pleased with and supportive of the committee's mission to resolve this significant threat to the public safety, national security, and effective law enforcement. To aid in the initiative, we have devoted FBI technical experts and engineers to this process, as well as funding a telecommunications consulting firm to facilitate meetings, provide subject matter expertise, and prepare written contributions. Also, as I previously mentioned, some of the industry representatives have worked hard and appear to have been sincere in their efforts to reach solutions. However, some companies have not supported these efforts and others have not contributed meaningfully to the effort. In my estimation, this is a result of the_voluntary basis and elective nature of the working group and committee approach. Particularly troubling is the fact that new service providers who are now entering the marketplace are unaware of law enforcement's requirements, and efforts by the FBI to have these requirements brought to the attention of industry standards bodies, such as the one now considering personal communications Services (PCS) systems, were not supported by industry representatives in the committee.

I believe that in order to successfully accommodate law enforcement's needs and to ensure that electronic surveillance responsibilities are discharged as new technologies emerge, a mechanism must exist that, in a certain and comprehensive fashion:

• Identifies fully law enforcement's electronic surveillance requirements to the telecommunications industry;

• Prompts the technical solutions necessary to meet the requirements of law enforcement;

• Assures timely implementation of these solutions into the telecommunications industry's existing and emerging technologies; and

• Addresses the cost issues associated with the technical solutions and their implementation.

Time has shown that the ECSPC, by itself, is not capable of achieving our goal of ensuring the ability of law enforcement to perform electronic surveillance without fail within existing and emerging telecommunications systems.

As I have previously indicated, the efforts of many committee members have been greatly appreciated by law enforcement. However, it is apparent that the recommended industry approach, the ECSPC, cannot address all of the necessary elements I have listed above. In fact, several committee members have made the point that, as matters stand, only an individual company can determine whether or not it is willing to pursue and implement solutions once they are identified.

It is my view that the committee process should be a mechanism for discussing law enforcement needs and identifying technical solutions. Committee products thus far, such as those reflected in the ISDN, Digital Loop Carriers, and Cellular action teams' written recommendations, have not included solutions, but rather have largely only restated law enforcement's current abilities and limitations in performing electronic surveillance in these technical environments-information which the FBI itself provided nearly two years ago. In the main, these products observe the need for the development of solutions to meet law enforcement needs, but they do not provide these solutions. Inasmuch as the committee is not empowered to resolve cost and other issues key to the implementation of solutions, the lack of meaningful and timely solutions to these technological problems will continue.

As we have indicated previously, we shall continue our active participation in the committee process. However, given the results to date, we are also obligated to pursue other approaches which will ensure law enforcement's continued ability to protect the safety and economic well-being of the American public through the use of this essential investigative technique.

Sincerely yours,

Mr. JAMES K. KALLSTROM,
Special Operations Division,

JAMES K. KALLSTROM,

Special Agent in Charge.

TELECOMMUNICATIONS INDUSTRY SOLUTIONS,
Washington, DC, March 1, 1994.

Federal Bureau of Investigation, New York, NY.

DEAR JIM: I am writing in response to your letter of January 5, 1994, in which you expressed your concerns regarding industry efforts to address the electronic surveillance requirements of state and federal. law enforcement agencies.

First, let me say that your observations regarding the functioning of the Electronic Communications Service Provider Committee (ECSP) and its progress to date in resolving issues are understandable. These comments included: the Committee is not equipped to implement the technical solutions which it identifies; some companies have not supported these efforts and others have not contributed meaningfully to the effort; and efforts by the FBI to have law enforcement's requirements brought to the attention of industry standards bodies were not supported by all representatives on the Committee. However, these observations which you find troubling are aspects of the committee process which are fundamental to the operation and interest of open industry forums.

One of the basic principles of any inter-industry committee or forum is that solutions reached are proposals for voluntary implementation by the participants: recommendations are non-binding. While each participant is committed to good faith discussions and consideration of timely implementation, each company represented also reserves fully independent judgment in terms of any implementation. This tenet of operation serves a number of purposes, a key one being that it litigates the legal/antitrust risks of conducting these discussions in any industry meeting. The forum process also ensures that there is careful consideration of all views and objections, appropriate notification and opportunity for the industry to review and provide comments on any proposed solution, and ultimate resolution by consensus. While there is no guarantee, the fact that all participants have been a part of these sensitive discussions, have been afforded due process, and have willingly expended the necessary resources in the development of a solution more often than not results in strong incentives to implement. It simply may not produce the direct and open commitment to implement solutions at the Committee level that you appear to be looking for.

As I am sure you are aware, most of the solutions developed or being discussed are costly to implement, and can require months, even years to develop. Quite frankly, decisions of this magnitude require review by higher levels of management than those representatives present at the ECSP Committee. Industry sends the subject matter experts to these meetings to develop the technical solutions. Typically, industry does not send representatives who are authorized to make business decisions which may involve large expenditures. While you may view that as a shortcoming of this industry process. I believe that federal agencies operate in the same fashion.

Another characteristic of industry forums is that participating companies do not support and/or contribute to efforts equally. Participants tend to gravitate toward and contribute to those issues in which they have the most interest or the greatest

business need. They rely on other participants to provide leadership on the remaining issues. Over time, leadership and contributions tend to balance. Evaluating an individual company's commitment to the process by its level of participation on a single issue can possibly provide a distorted view. The fact that a particular company is not among the leaders on a particular issue does not mean it is not aware or does not care about what is being discussed. The minutes or notes of all meetings, as well as the contributions discussed, are available to all participants for review and comment; and I assure you they are scrupulously reviewed. The stakes are simply too high for them to be ignored. Even though resolutions and recommendations are non-binding, no company wishes to be part of a consensus it cannot ultimately support.

Your concern that efforts by the FBI to have law enforcement's requirements brought to the attention of industry standards bodies were not supported by all industry representatives on the Committee, has proved short lived. At the October meeting the Committee agreed to provide a contribution to the Joint Experts Meeting (JEM) on Privacy and Authentication for Personal Communications held November 8-12. It was reported at the December 1993 Committee meeting that at the GEM the law enforcement requirements were presented and discussed. The Committee observed that the "objective to raise awareness of the needs of law enforcement to support surveillance were met." At the most recent meeting of the ECSP Committee. The PCS action team was empowered by the full committee to prepare and submit contributions to a number of standards bodies addressing PCS issues. The initial reluctance of the Committee to support this effort was no doubt due to the short turn-arounds required to prepare and approve contributions, and the fact that both industry and law enforcement continue to insist that nearly all Committee documents be considered proprietary. The standards process is an open, public process which requires that all contributions submitted be nonproprietary. Similarly, if new service providers are to become aware of law enforcement's requirements, those requirements must be publicly available. To date, the Committee has been reluctant to publicize these requirements in the belief that to do so will serve to highlight current shortcomings.

Even though discussions between law enforcement and industry have been ongoing for some time, this particular committee, which is co-chaired by industry and law enforcement, and its incumbent operating principles, has been in existence for less than one year. participants are only now gaining the mutual respect required to bring forth meaningful solutions. You noted the fact that the Committee's products to date merely "observe the need for the development of solutions to meet law enforcement needs." I see this as a necessary step forward. If meaningful solutions are to result, all participants must first understand that there is in fact a problem, not that one participant, or one group of participants, says so. Now that the Committee recognizes the problems, it can proceed to identify and develop appropriate solutions.

I understand your obligation to pursue whatever approaches you deem necessary to ensure law enforcement's continued ability to conduct the lawful intercept of communications. However, whatever those other approaches may be, and whatever results those approaches may yield, it will still be necessary for industry and law enforcement to work together to identify and develop suitable technical solutions. I believe the ECSP Committee is the appropriate forum for that purpose.

Sincerely,

CASIMIR S. SKRZYPCZAK,
ATIS Chairman.

« PrécédentContinuer »