« PrécédentContinuer »
I. THE DIGITAL PRIVACY AND SECURITY WORKING GROUP We appear today on behalf of EFF and on behalf of the Digital Privacy and Security Working Group (DPSWG), a coalition of more than 50 computer, communications, and public interest organizations and associations working on communications privacy issues since 1991 under the coordination of the Electronic Frontier Foundation.
II. BACKGROUND ON DIGITAL TELEPHONY The Digital Privacy and Security Working Group has had to spend most of its time responding to government initiatives that would change and modify the principles that underlie ECPA. The Clinton Administration's Digital Telephony and Communications Privacy Improvement Act of 1944 is only the latest in a series of government initiatives put forward over the past few years to seek to resolve law enforcement's perceived problems in conducting wiretapping in the era of digital communications.
In each and every case, the members of the DPSWG, from AT&T to the United States Telephone Association, from the ACLU_to EFF, have uniformly sought to identify the specific technical concerns of the FBI and law enforcement. This has not been easy and, frankly, we continue to believe that the FBI has not made its case. On a policy level, there is little disagreement that the FBI and law enforcement should continue to be able to conduct wiretaps in a digital environment. On a technical level, their concerns are global and their resolutions are general. The resolution of this issue should be through carefully crafted solutions so as not to upset the balance between law enforcement interest and continued confidence in the public switched network. The proposals that we have seen are over-broad and would create more problems than they would resolve. In short, the FBI has not made a technical case that supports the sweeping changes that it seeks. • In 1991 the Bush Administration proposed a “Sense of the Congress Resolution”
that would have interpreted current wiretapping statutes to require communications carriers, network operators, and service providers to turn over the "plain text” of all communications for law enforcement purposes. The DPSWG argued that the proposal was unworkable and vague, and its efforts led congres
sional leaders to remove the provision from pending omnibus crime legislation. • In 1992 the Bush Administration circulated Digital Telephony No. 1, draft legis
lation that would have required all providers of electronic communications services to obtain an FCC or Attorney General Certification that their networks or facilities meet evolving FBI electronic surveillance requirements. In September 1992, the DPSWG published an "Analysis of the FBI's Digital Telephony Proposal,” signed by 35 computer, communications, and civil liberties organizations and associations highly critical of the digital telephony draft legislation on privacy, security, and economic cost grounds. This analysis, a copy of which we submit for the record, convinced Congress to reject the Bush Administration's
proposal • Last year, the DPSWG, based on optimism about the Clinton Administration's
information highway program, began work on a "white paper" designed to set forth new policies to enhance privacy and
security in the context of the emerging National Information Infrastructure. When the Clinton Administration announced its “clipper chip” encryption escrow plans and intention to conduct a high level review of privacy, encryption, and related policies in April 1993, the DPSWG turned its attention to addressing the Administration's concerns. On November 24, 1993, we submitted a draft report to the Administration that presented a detailed case against the need for legislation like digital telephony to resolve law enforcement surveillance problems. The FBI stated that it had concerns with the report, but has refused to state the basis for any of its concerns. We submit a copy of our November report for the record.
III. THE DIGITAL TELEPHONY AND COMMUNICATIONS PRIVACY IMPROVEMENTS ACT OF
1994 Despite our concerted efforts, the Clinton Administration has now proposed its own bill, the Digital Telephony and Communications Privacy Improvement Act of 1994. Responding to the February draft bill on March 9, 1994, 20 members of the DPSWG, including AT&T, MCI, USTA, Business Software Alliance, Software Publishers Association, Apple Computer, the American Civil Liberties Union, and the Electronic Frontier Foundation sent a letter to the President and Vice President stating strong opposition to the new version of digital telephony. On March 11, the DPSWG sent its initial analysis of the legislation to FBI Director Louis Freeh, which reiterated that the legislation is unnecessary and, as drafted, could undermine communications privacy and citizen confidence in the public switched telephone network.
The Clinton Administration's proposed digital telephony legislation would: • Require carriers to provide real-time remote access not only to the contents of
communications data sought pursuant to a judicial warrant but also to call
setup and other transactional data sought in any lawful investigation; • Require suppliers of hardware and software to telecommunications providers to
meet law enforcement requirements on a priority basis at reasonable cost; and • Empower the Attorney General to seek to enjoin a carrier from operating who
was not in compliance with law enforcement requirements and to impose significant fines on carriers and suppliers who fail to meet law enforcement de
mands. 1. The legislation threatens privacy rights
As we interpret the draft legislation, it would require a service provider to hand off not only the contents of communications but deliver to remote locations "call setup information" whether or not incident to a warrant issued for wire, oral, or electronic communications as set forth in 18 U.S.C. $2518. Extending the legislation's scope beyond the acquisition of content (pursuant to a warrant under $ 2518) to the independent acquisition of call setup information raises many issues that require examination.
For example, currently the legal standard for obtaining transactional data is a certification (via subpoena or statement to a judge) that the sought-after data is relevant to an ongoing criminal investigation. In the era of personal communications services (PCS) and the information highway, transactional data will reveal far more about individuals than it has in the past. In fact, in some cases it may be equivalent to content information. This transactional data certainly could make it possible to build a detailed model of an individual's behavior and movements. The net result could be government dictating to industry that it create a surveillance-based system that would allow federal, state, and local governments to use a service provider's electronic communication facilities to conduct minute-by-minute surveillance of individuals.
As long as they have an IRS or other administrative subpoena or a law enforcement agent willing to certify that the sought-after data is relevant to an ongoing criminal investigation, law enforcement officials could demand that they be notified at some remote location every time certain individuals communicate by telephone, and their location at the time, as well as every database they connect to and when they log on and off. In short, law enforcement officials could insist on instantaneously knowing the existence of every single electronic communication (but not its content).
The enormous potential for abuse and threat to personal privacy suggests that, if transactional data were to be covered by digital telephony legislation, it should be incidental to a "Title III” wiretap warrant. This would not limit in any way law enforcement's access to trap and trace, pen register, or call billing information under current law or practice. This is particularly true given that no case has been made that demonstrates any current or potential difficulty in getting this noncontent information under current practices. The technology in fact has made these types of services much easier for law enforcement to use and access. Additional legislation is simply not necessary to obtain this data. 2. We do not know what is covered
The obligation to isolate the content of communications must be reasonably related to the service provider's telecommunications services. It would be unreasonable for the FBI to demand any person involved with the communication to furnish it with access to that communication. For example, most providers, including local telephone companies, usually need to isolate communications for purposes of billing
and maintenance. It is appropriate for the FBI to seek their assistance in intercepting communications on their networks only when the requests are reasonably related to the telecommunications services they provide.
Therefore, the question is not necessarily who is covered, but what telecommunications services are covered. For example, the legislation should reflect the fact that, in reselling services, even local telephone companies sometimes are unable in those instances to furnish call setup information regardless of whether it is incidental to the acquisition of a communication's content. 3. It is not clear what requirements would be placed upon service providers and what
standard of compliance would be applied Legislation should carefully define the obligations of service providers. This is not the case with the FBI's current draft of proposed legislation. These obligations are vague and subject to considerable interpretation. Service providers and manufactures must have flexibility to adopt procedures that reasonably comply with the specific functional performance requirements of law enforcement.
This is particularly true where, as here, compliance requires an assessment of future needs and interoperability requirements. There is a difference between compli. ance and a guarantee, and legislation must reflect that difference. Carriers should be required to provide reasonable cooperation and that cooperation should be measured by a standard of reasonable compliance.
In installing new software or equipment under this statute, a service provider must be able to reasonably assess future demands by law enforcement. Other industries subject to regulation at least know, for example, the temperature at which they must maintain the specimens, the emission standard they must satisfy, or the type of safety restraint equipment they must install and the date by which they must have it installed in vehicles. Service providers cannot be held to an absolute standard of compliance where they are using and delivering new technologies to the public and the demands of law enforcement are not clearly specified. This applies to both capability and capacity. Law enforcement must be specific in its requirements for capacity and capability from each service provider. 4. Issues arise as to what is expected of commercial mobile service providers
It is not a foregone conclusion that mobility in a digitized telecommunications environment will degrade or otherwise impede the law enforcement community's ability
Wireless carriers are committed to assisting law enforcement agencies to successfully wiretap and intercept voice communications. To accomplish this goal, the wireless industry understands that available excess port capacity is needed in all switches throughout the nation. While it may be reasonable for federal and state law enforcement agencies to acquire the contents of wireless communications pursuant to "Title III” warrants through additional port capacity, it would be prohibitively expensive to require that every one of the nation's switches be connected to the FBI to enable it to acquire such information on a "real time” basis at remote locations.
Connecting every one of the nation's switches to the FBI, moreover, would increase exponentially the risk of unauthorized access to wireless communications. Further, the proliferation of fraudulent use of wireless telephones through such techniques as "cloning” and “tumbling" ESN's (electronic serial numbers) poses additional questions with respect to privacy and the ability of law enforcement to properly execute court-approved wiretap orders. 5. It is uncertain what the responsibilities of manufacturers and suppliers are under
the legislation The FBI wishes manufacturers of telecommunications equipment and providers of support services to fall within the scope of the legislation. But, would service providers be held liable for software or hardware that is not available from vendors? Why? How would the obligations be enforced against foreign manufacturers? What would be the liability of a domestic carrier that relies upon foreign manufacturers? What are the trade implications of having domestic manufacturers export equipment designed for governmental surveillance? 6. Serious issues are raised as to how, and during what period, costs are to be recov
ered to ensure that there is a direct relationship between the costs reasonably in
curred by covered entities and the government's requirements Government should pay for what it needs, which will help focus attention upon the facilities that truly need upgrading. If the government does not pay for upgrades or facilities, then the service providers should not be held responsible. The FBI appears to have accepted the concept that government should pay for the costs of compliance but has so far underestimated these costs and proposed an arbitrary three
year limit on cost reimbursement. Government compensation should be ongoing with industry's compliance.
IV. IS THIS LEGISLATION NECESSARY?
The most fundamental question that needs to be resolved is whether this legislation is necessary. In our view neither the Bush nor Clinton Administrations have made a persuasive case. They argue that electronic surveillance is essential to law enforcement, but they have not demonstrated that their access to communications subject to judicial warrants have been impaired. They have pointed to problems encountered with call forwarding and cellular communications, but carriers have been able to meet new requirements through cooperative efforts. In the report prepared for the Clinton Administration and sent to the FBI last November, the DPSWG presented the following case: • First, there is no evidence that current law enforcement efforts are being jeop
ardized by new technologies. As described in our attached report, a Freedom of Information Act request made by Computer Professionals for Social Responsibility turned up evidence that not one law enforcement agency could demonstrate
that digital telephony has interfered with any electronic surveillance activities. • Second, industry is cooperating with appropriate authorities to avoid future
problems and to expand existing capacities. Finally, given this lack of ascertainable concern now or in the future, it is not justifiable to require all providers, including telephone companies, packet switching networks, computer and software manufacturers, and the like, to be subject to new design standards and requirements. This is particularly the case where such requirements may in some cases severely limit the development of the new national infrastructure and once again lessen the American public's
confidence in our communications networks. ECPA was enacted to reaffirm the confidence of all Americans that their communications whether aural or digital, common or private, voice, date, or video are secure from unauthorized interceptions. The government has the current authority and ability to adequately intercept electronic communications when authorized to do so. Sufficient reasons to amend this statute now to allow the government to dictate the design of communications technology just do not exist.
V. CONCLUSION We applaud the fact that Congress is holding these hearings. Only Congress can resolve whether or not legislation is necessary and work to bridge the considerable division between the Administration and the private sector. We welcome the opportunity to state our views, and are ready and anxious to work with you and the Administration to find solutions to law enforcement needs that strike a balance between those needs, privacy, and other significant societal interests.
INTERIM REPORT OF THE DIGITAL PRIVACY AND SECURITY WORKING GROUP ON THE
FBI's DIGITAL TELEPHONY PROPOSALS
INTRODUCTION AND SUMMARY The Electronic Communications Privacy Act of 1986, (“ECPA," P.L. 99–508), established the current legal framework for the interception of electronic communications. Prior to ECPA the only relevant statutory provisions were set forth in Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (“the Wiretap Act," P.L. 90–351). The Wiretap Act covered only common carrier communications that were aurally intercepted. With the range of new communications technologies coming on-line in the 1970's and 1980's, the law had obviously become obsolete. ECPA was designed to provide the public with a sense of privacy and security in the new range of data communication services, many of which were provided by noncommon carriers and hence were "unprotected from a legal standpoint.
ECPA amended the Wiretap Act by establishing procedures through which the government can obtain access to electronic communications held or transmitted by electronic communications service providers. It covers traditional voice communications as well as data communications. Data communications includes electronic mail and other computer-type communications that often are stored in the process of dissemination. In the years since its enactment, ECPA has worked well.
An essential part of ECPA is the technical ability to effect access or interception. ECPA requires that electronic communications service providers furnish the govern
ment with technical assistance in completing authorized interceptions, as it should. Local telephone companies, long distance providers, electronic mail providers, cellular services and other providers all have solid records of compliance with authorized requests for interception.
Law enforcement, however, has asserted that the continued advent of digital communications and the modernization of the national information infrastructure (NII) requires an amendment to ECPA in order to ensure a broader level of assistance by electronic communication service providers. We do not agree.
The government should not have the ability to dictate how communications services are provided or how they are designed. First, there is no evidence that current law enforcement efforts are being jeopardized by new technologies. Second, industry is cooperating with appropriate authorities to avoid future problems and to expand existing capacities. Finally, given this lack of ascertainable concern now or in the future, it is not justifiable to require all providers, including telephone companies, packet switching networks, computer, software manufacturers, and the like, to be subject to new design standards and requirements. This is particularly the case where such requirements may in some cases severely limit the development of the new NII, hamper American competitiveness in the technology, and once again lessen the American public's confidence in communications products.
ECPA was enacted to assure Americans that their communications whether aural or digital, common or private, are secure from unauthorized interceptions. The government currently has both the authority and the ability to adequately intercept electronic communications when authorized to do so. Sufficient reasons to amend this statute now, to allow the government to dictate the design of communications technology, just do not exist.
A. BACKGROUND In recent years the U.S. Government has been advocating a legislative solution to the law enforcement challenges posed by new communication technologies. In 1992, for example, the Federal Bureau of Investigation (FBI) unveiled a digital telephony legislative proposal (known internally as "Project Root Canal"), which would have imposed mandatory system design requirements. The draft legislation would essentially force industry to perpetually accommodate current surveillance equipment and procedures, and would thus significantly retard the development and deployment of new telecommunications technologies. While the proposal received attention from the press, the General Accounting Office (GAO), and others; no such legislation was introduced in Congress.
The National Institute of Standards and Technology (NIST) has requested the Digital Privacy and Security Working Group's (DPSWG) recommendation on how the government should cope with the new technologies. NIST has specifically asked whether DPSWG can develop a means of ensuring access to digitized communications that preserves, but does not extend, the government's current authorities.
DPSWG acknowledges that law enforcement officials need adequate communications interception tools to do their job. We believe that continued cooperation by government and industry within the working relationship that has emerged from the 1992 Quantico Joint Government Industry Group will resolve "the digital telephony problem” and preserve the government's current authorities. The discussions have succeeded in identifying specific problems and have begun the process of generating concrete, cost-effective solutions. This process has facilitated a more robust exchange of technical information and an identification of possible new equipment and police tactics needed to achieve law enforcement goals. We do not believe that new legislation is needed or advisable.
Before proceeding, we set forth our understanding of “the digital telephony problem," the FBI's proposed solution, and the U.S. Government's current authority both to intercept communications and to compel assistance by providers of electronic communications in such interceptions. We also underscore the importance of distinguishing between legitimate areas of mutual concern and rhetorical characterizations of the digital telephony problem.
1. What is the "digital telephony problem" ?
According to the FBI's Digital Telephony proposal, "advances in technology, and undoubtedly the future introduction of new technologies, will soon make it impossible for law enforcement agencies to effect lawful court orders to intercept elec