CZAR or of regulating the development of new and beneficial telecommunications systems, services or features. Because telecommunications industry representatives have expressed a concern that the administration's proposal did not specifically address the capacities requirements that would be placed on each carrier, we developed, and the legislation includes, provisions which clearly place an affirmative responsibility on the Attorney General to advise carriers of law enforcement's specific capacity requirements within the first year after enactment of the legislation. These provisions will furnish carriers both with our short-term needs and our longer range capacity requirements, such that the required capacity will not be needlessly undersized or oversized. We have agreed to language regarding carrier reliance upon industry-based technical requirements and standards that meet law enforcement's requirements which serve as a so-called "safe harbor" for carriers and prevent needless concern about civil liability exposure where good faith efforts are made to comply with such technical requirements or standards. Further, in case of any dispute with regard to such technical requirements or standards, any person may petition the FCC to institute proceedings to resolve any conflict and establish appropriate requirements or standards consistent with the electronic surveillance requirements set forth in the legislation. With regard to enforcement, we have agreed to language that allows a carrier to prevent the issuance of an enforcing court order under circumstances where alternative technologies or technical capabilities exist or where the law enforcement requirements are better met by another carrier. Further, such an order would be precluded where compliance is not reasonably achievable through the application of available technology and timely action has been taken. Finally, an enforcement action is flatly precluded where the capacity demands exceed those for which the carrier has been provided notice. In any case, before a court can assess a civil penalty it would be required to take into account the nature, circumstances, and extent of the violation, and, with respect to the violator, ability to pay, good faith efforts to comply in a timely manner, effect on ability to continue to do business, the degree of culpability or delay in undertaking efforts to comply, and other matters. Perhaps of greatest concern to the telecommunications industry is the issue of cost. We all recognize this is a highly competitive industry and that the issue of cost had to be addressed to make this solution practical. The administration proposed a mechanism for reimbursing carriers for making the modifications necessary to achieve compliance during the specified compliance period. Your bills do likewise and includes a well thought out dispute resolution process. In my view, reimbursement is desirable if we are to meet the concerns of industry and still maintain effective law enforcement, ensure the public safety, and protect national security. For other public welfare and safety issues, such as the installation of sprinkler systems, smoke detectors, fire alarms, fire escapes, safety belts, and air bags, to name but a few, industry has been required to meet these obligations without the benefit of this type of solution. I believe the proposed reimbursement should be viewed as a substantial effort to assist industry in meeting the "technical assistance” requirement placed on carriers by Congress some twenty-five years ago. We have also been very willing to address the concerns of privacy advocates, which the provisions of your legislation make clear. First of all, there is the basic requirement that carriers fulfill their electronic surveillance assistance requirements in a manner that protects the privacy and security of communications and information of all subscribers whose communications are not authorized to be intercepted. Second, there are systems security provisions which enhance privacy and security by requiring that all electronic surveillance efforts initiated in switching premises be activated only with the affirmative intervention of a carrier employee. Third, enhanced privacy protection is included with regard to governmental access to any interactive transactions for which a carrier may keep a record. Fourth, law enforcement is required to utilize pen register technology, when reasonably available, that restricts the recording or decoding of electronic or other impulses to the dialing or signaling information utilized in call processing. Fifth, the assistance requirements in these bills exempt the provision of any location information associated with the use of cellular or mobile communications incidental to the execution of pen register court orders. Finally, there are a number of privacy enhancing amendments to the electronic communications privacy act of 1986, the foremost of which is the conferring of privacy protection on the radio portion of cordless telephone communications. After numerous meetings and drafting sessions with your staff, telecommunications industry representatives, and privacy advocates, balanced legislative language has been developed that, I believe, is acceptable to the affected parties. We all recognize that this issue is a difficult one, one which each of the parties ap proaches from a distinctly different vantage point. All parties have work hard and all have been flexible. it is understandable that a small number may not be enthusiastic or strong advocates for legislation. However, public safety demands that a legislative solution be found and found quickly. I believe that this is why everyone made concessions and reached acceptable compromises. I also believe that this is why all acknowledge that your legislation is reasonable and acceptable as a means of resolving this critical law enforcement problem in light of the competing concerns and considerations. Once again, I would like to personally thank both Chairman Edwards and Chairman Leahy, the members of the Subcommittees and your staffs, in particular Jim Dempsey, Beryl Howell, Nelson Cunningham and Ken Mendelson, for taking on this difficult issue and for your unwavering support for the enactment of legislation to resolve this problem during this session of Congress. This is a "drop dead" issue for law enforcement. Your efforts will ensure law enforcement's continued ability to protect the American public and safeguard our national security through the use of this vital investigative technique, while being ever mindful of legitimate privacy and industry concerns. At this time I would welcome any questions you may have. Mr. LOUIS J. FREEH, DIGITAL PRIVACY AND SECURITY WORKING GROUP, Director, Federal Bureau of Investigation, Washington, DC, March 11, 1994. DEAR DIRECTOR FREEH: This letter is a follow-up to our letter of March 9, 1994 to President Clinton and Vice President Gore (a copy is attached). While we do not believe that new legislation is needed to accomplish the FBI's goals, we take this opportunity to more specifically raise some of the questions that should be answered in pursuing any digital telephony legislation. The draft that the White House has given us for comment is overly broad, and it is our hope that this letter will assist in narrowing the scope of any legislation. While we have additional, important questions and concerns, this letter sets forth our primary concerns. (1) Should digital telephony legislation reach "call setup information" independently of a "Title III" search warrant? The New York Times of February 28, 1994 quotes you as stating, "My real objective is to get access to the content of telephone calls." The bill should therefore be limited to content of communications and incidental call setup or transactional data. Legislation should apply to "call setup information" only when that information is incident to a warrant issued for wire, oral, or electronic communications as set forth in 18 U.S.C. §2518. Extending the legislation's scope beyond the acquisition of content (pursuant to a warrant under section 2518) to the independent acquisition of call setup information raises many issues that require examination. For example, currently the legal standard for obtaining transactional data is a certification (via subpoena or statement to a judge) that the sought-after data is relevant to an ongoing criminal investigation. In the era of personal communications services ("PCS") and of the information highway, transactional data will reveal far more about individuals than it has in the past. In fact, in some cases it may be equivalent to content information. Thins transactional data certainly could make it possible to build a detailed model of an individual's behavior and movements. The net result could be government dictating to industry that it create a surveillance-based system that will allow federal, state, and local government to use a service provider's electronic communication facilities to conduct minute-by-minute surveillance of individuals. As long as they have an IRS or other administrative subpoena or a law enforcement agent willing to certify that the sought-after data is relevant to an ongoing criminal investigation law enforcement officials could demand that they be notified at some remote location every time certain individuals communicate by telephone and their location at the time, as well as every database they connect to and when they log on and off. In short, law enforcement officials could insist on instantaneously knowing the existence of every single electronic communication (but not its content). The enormous potential for abuse and threat to personal privacy suggests that, if transactional data were to be covered by digital telephony legislation, it should be incidental to a "Title III" wiretap warrant. This would not limit in any way law enforcement's access to trap and trace, pen register, or call billing information under current law or practice. This is particularly true given that there has been no case made that demonstrates any current or potential difficulty in getting this noncontent information under current practices. The technology in fact has made these type of services much easier for law enforcement to use and access. Additional legislation is simply not necessary to obtain this data. (2) What is covered? The obligation to isolate the content of communications must be reasonably related to the service provider's telecommunications services. It would be unreasonable for the FBI to demand any person involved with the communication to furnish it with access to that communication. For example, most providers, including local telephone companies, usually need to isolate communications for purposes of billing and maintenance. It is appropriate for the FBI to seek their assistance in intercepting communications on their networks only when the requests are reasonably related to the telecommunications services they provide. Therefore, the question is not necessarily who is covered, but what telecommunications services are covered. For example, the legislation should reflect the fact that, in reselling services, even local telephone companies sometimes are unable in those instances to furnish call setup information regardless of whether it is incident to the acquisition of a communication's content. (3) What will be the requirements placed upon service providers and what will be the standard of compliance that will be applied? Legislation should carefully define the obligations of service providers. This is not the case with the FBI's current draft of proposed legislation. These obligations are vague and subject to considerable interpretation. Service providers and manufactures must have flexibility to adopt procedures that reasonably comply with the specific functional performance requirements of law enforcement. This is particularly true where, as here, compliance requires an assessment of future needs and interoperability requirements. There is a difference between compliance and a guarantee, and legislation must reflect that difference. Carriers should be required to provide reasonable cooperation and that cooperation should be measured by a standard of reasonable compliance. In installing new software or equipment under this statute, a service provider must be able to reasonably assess future demands by law enforcement. Other industries subject to regulation at least know, for example, the temperature at which they must maintain the specimens, the emission standard they must satisfy, or the type of safety restraint equipment they must install and the date by which they must have it installed in vehicles. Service providers cannot be held to an absolute standard of compliance where they are using and delivering new technologies to the public and the demands of law enforcement are not clearly specified. This applies to both capability and capacity. Law enforcement must be specific in its requirements for capacity and capability from each service provider. (4) What is expected of commercial mobile service providers? It is not a foregone conclusion that mobility in a digitized telecommunications environment will degrade or otherwise impede the law enforcement community's ability to effectively execute court-approved wiretap orders. Wireless carriers are committed to assisting law enforcement agencies to successfully wiretap and intercept voice communications. To accomplish this goal, the wireless industry understands that available excess port capacity is needed in all switches throughout the nation. While it may be reasonable for federal and state law enforcement agencies to acquire the contents of wireless communications pursuant to "Title III" warrants through additional port capacity, it would be prohibitively expensive to require that every one of the nation's switches be connected to the FBI to enable it to acquire such information on a "real time" basis at remote locations. Connecting every one of the nation's switches to the FBI, moreover, would increase exponentially the risk of unauthorized access to wireless communications. Further, the proliferation of fraudulent use of wireless telephones through such techniques as "cloning" and "tumbling" ESN's (electronic serial numbers) poses additional questions with respect to privacy and the ability of law enforcement to properly execute court-approved wiretap orders. (5) What are the responsibilities of manufacturers and suppliers, if any? The FBI wishes manufacturers of telecommunications equipment and providers of support services to fall within the scope of the legislation. But, would service providers be held liable for software or hardware that is not available from vendors? Why? How would the obligations be enforced against foreign manufacturers? What would be the liability of a domestic carrier that relies upon foreign manufacturers? What are the trade implications of having domestic manufacturers export equipment designed for governmental surveillance? (6) How, and during what period, are costs to be recovered to ensure that there is a direct relationship been the costs reasonably incurred by covered entities and the government's requirements? Government should pay for what it needs, which will help focus attention upon the facilities that truly need upgrading. if the government does not pay for upgrades or facilities, then the service providers should not be held responsible. The FBI appears to have accepted the concept that government should pay for the costs of compliance but has so far underestimated these costs and proposed an arbitrary threeyear limit on cost reimbursement. Government compensation should be ongoing with industry's compliance. We trust you find our comments helpful. We remain prepared to work with you, Congress, and others to attempt to resolve the legitimate concerns of law enforce DEAR MR. PRESIDENT AND MR. VICE PRESIDENT: Telecommunications carriers and other members of the Digital Privacy and Security Working Group are keenly aware of the concerns raised by the Administration regarding the ability to intercept communications transmitted over advanced communications networks. We are concerned, however, about the nature of the process upon which the Administration has embarked to address these issues. Seeking immediate industry reaction to the FBI's draft legislation and congressional passage of such legislation shortly thereafter is troubling. It suggests curtailment of public debate and of congressional deliberation. Given the interest of the public in these matters and their complexity, it is essential that there be a full public debate on these issues. Industry is currently cooperating with appropriate authorities to avoid fixture problems and to expand existing capacities. This is not to say that there have not been some transitional concerns particularly upon the introduction of new technologies that have grown greatly in popularity. But, whenever transitional problems have arisen, industry representatives have worked with law enforcement officials to resolve them. The FBI's actions are especially troubling in light of our view that legislation is not needed to accomplish the Agency's goals. We still see no evidence that current law enforcement efforts are being jeopardized by new technologies. Nor are we convinced that future law enforcement activities will be jeopardized given industry cooperation. We still believe that continued cooperation by government and industry within the working relationship that has emerged from the 1992 Quantico Joint Government Industry Group will resolve "the digital telephony problem" and preserve the government's current authorities. The discussions have succeeded in identifying specific problems and have begun the process of generating concrete, cost-effective solutions. This process has facilitated a more robust exchange of technical information and an identification of possible new equipment and police tactics needed to achieve law enforcement goals. Nevertheless, we are prepared to work with the Congress and the Administration to attempt to resolve the legitimate concerns of law enforce ment. The signatories to this letter cannot overemphasize how critical it is that any new initiatives in this area preserve the public's confidence in the privacy of information carried over the public switched network. Less than a decade after enactment of the Electronic Communications Privacy Act of 1986, the nation can ill afford to undercut customer privacy expectations. Indeed, on the eve of the National Information Infrastructure's deployment, preserving customer confidence is all the more important. Privacy protection is not a secondary interest here. Survey after survey performed by Professor Alan Westin and others have demonstrated the public's concern with privacy and the security of their communications. We all must seek to maximize those interests and assure the public that their communications are protected. Sincerely yours, APPLE COMPUTER, INC., AT&T, AMERICAN CIVIL LIBERTIES UNION, BUSINESS SOFTWARE ALLIANCE, CELLULAR TELECOMMUNICATIONS COMPUTER BUSINESS EQUIPMENT & DIGITAL EQUIPMENT CORPORATION, INFORMATION INDUSTRY ASSOCIATION, INFORMATION TECHNOLOGY ASSOCIATION IRIS ASSOCIATES, INC., MCCAW CELLULAR, MCI COMMUNICATIONS CORPORATION, PEOPLE FOR THE AMERICAN WAY, TRUSTED INFORMATION SYSTEMS, CONGRESS OF THE UNITED STATES, Hon. LOUIS J. FREEH, Federal Bureau of Investigation, J. Edgar Hoover Building, Washington, DC. DEAR DIRECTOR FREEH: The Subcommittees are eager to continue their hearings on digital telephony, and would like to ask for your assistance in expediting our consideration of this issue. A critical point of controversy at our last hearing was whether there are current or prospective impediments that cannot be resolved by industry/law enforcement cooperation. You testified that an informal FBI survey of federal, state, and local law enforcement agencies had disclosed 91 instances of technological impediments to law enforcement surveillance. The telephone industry testified, as they have indicated on other occasions, that they were unaware of any problems that have not been solved, or are on the way to being solved, through cooperation. Before we proceed with our next hearing, we request the details of the 91 instances (and any others that you can identify) so we can provide them to industry witnesses and get their response at the hearing. The exact number of instances is not important; what is important is being able to identify specific cases, so industry and law enforcement witnesses can discuss how legislation would deal with those cases in a way that the voluntary efforts have not. For this purpose, we are requesting copies of the responses to your informal survey. You may, of course, redact any names of subjects and local case numbers. We only need to know the date, the law enforcement agency, the service provider, the type of service, the type of impediment, and any steps taken to resolve the problem. We would like to receive this information as soon as possible so that all witnesses would have an opportunity to respond to it in an informed fashion. |