« PrécédentContinuer »
by the showing of "gpecific and articulable facts” that the records requested are rel. evant to an ongoing criminal investigation. This means that the government may not request volumes of transactional records merely to see what it can find through traffic analysis. Rather, law enforcement will have to prove to a court that it has reason to believe that it will find specific information relevant to an ongoing crimi. nal investigation in the records it requested.
With these provisions, we have achieved for all online systems, a significantly greater level of protection than exists today for records such as email logs, and greater protection than currently exists for telephone toll records. The lists of telephone calls that are kept by local and long distance phone companies are available to law enforcement without any judicial intervention at all. Law enforcement gains access to hundreds of thousands of such telephone records each year, without a warrant and without even notice to the citizens involved. Court order protection will make it much more difficult for law enforcement to go on "fishing expeditions" through online transactional records, hoping to find evidence of a crime by accident. We have also submitted a detailed memorandum on the importance of protection and would ask that this document be included in the record of these proceedings along with this testimony. • Standard of proof much greater than for telephone toll records, but below that
for content The most important change that these new provisions offer is that law enforcement will: (a) have to convince a judge that there is reason to look at a particular set of records, and; (b) have to expend the time and energy necessary to have a United States Attorney or District Attorney actually present a case before a court. However, the burden or proof to be met by the government in such a proceeding is lower than required for access to the content of a communication. 2. New protection for location-specific Information available in cellular, PCS and
other advanced networks Much of the electronic surveillance conducted by law enforcement today involves gathering telephone dialing information through a device known as a pen register. Authority to attach pen registers is obtained merely by asserting that the information would be relevant to a criminal investigation. Under current law, courts must approve pen register requests without any substantive review of the basis for law enforcement's request. This legislation offers significant new limits on the use of pen register data.
Under this bill, when law enforcement seeks pen register information from a telecommunications carrier, the carrier is forbidden to deliver to law enforcement any information which would disclose the location or movement of the calling or called party. Cellular phone networks, PCS systems, and so-called "follow-me" services all store location information in their networks. This new limitation is a major safeguard which will prevent law enforcement from casually using mobile and intelligent communications services as nation-wide tracking systems. 3. New limitations on “pen register" authority
Contemporary uses of pen registers also involve substantial privacy invasion, even aside from location information. Currently, law enforcement is able to use pen registers to capture not only the telephone number dialed, but also any other touchtone digits dialed which reflect the user's interaction with an automated information service on the other end of the line, such as an automatic banking system or a voicemail password. If this bill is enacted, law enforcement would be required to use "technology reasonably available" to limit pen registers to the collection of calling number information only. We are aware that new pen register devices are now on the market which automatically screen out all dialed digits except for the actual telephone numbers. Just as this bill would require telecommunications carriers to deploy technology which facilitates taps, we believe that law enforcement should be required to deploy technology which shields users communications from unauthorized invasion. 4. Bill does not preclude use of encryption
Unlike previous Digital Telephony proposals, this bill places no obligation on telecommunication carriers to decipher encrypted messages, unless the carrier actually holds the key to the message as well. 5. Automated remote monitoring precluded
Law enforcement is specifically precluded from having automated, remote surveillance capability. Any court-ordered electronic surveillance must be initiated by an employee of the telecommunications carrier, upon request by law enforcement. Maintaining operational separation between law enforcement agents and communication networks is an important privacy safeguard. 6. Privacy considerations essential to development of new technology
One of the requirements that telecommunications carriers must meet to be in compliance with the Act is that the wiretap access methods adopted must protect the privacy and security of each user's communication. If this requirement is not met, anyone may petition the FCC to have the wiretap access service be modified so that network security is maintained. This requirement, just like those designed to serve law enforcement's needs, must be carefully implemented and monitored so that, the technology used to conduct wiretaps cannot also jeopardize the security of the network as a whole. If network-wide security problems arise because of wiretapping standards, then the standards should be overturned.
B. DIGITAL TELEPHONY REQUIREMENTS NARROWED AND PUBLIC PROCESS BROADENED
In addition to the privacy protections added to this bill, we also note that the surveillance requirements are not as far-reaching as the original FBI version. A number of procedural safeguards are added which seek to minimize the threatens to privacy, security, and innovation. Though the underlying premise of the Act is still cause for concern, these new limitations deserve attention: 1. Narrow scope
The bill explicitly excludes Internet providers, email systems, BBS's, and other online services. Unlike the bills previously proposed by the FBI, this bill is limited to local and long distance telephone companies, cellular and PCS providers, and other common carriers. 2. Open process with public right of intervention
The public will have access to information about the implementation of the Act, including open access to all standards adopted in compliance with the Act, the details of how much wiretap capacity the government demands, and a detailed accounting of all federal money paid to carriers for modifications to their networks. Privacy groups, industry interests, and anyone else has a statutory right under this bill to challenge implementation steps taken by law enforcement if they threaten privacy or impede technology advancement. 3. Technical requirements standards developed by industry instead of the Attorney
General All surveillance requirements are to be implemented according to standards devel. oped by industry groups. The government is specifically precluded from forcing any particular technical standard, and all requirements are qualified by notions of economic and technical reasonableness. 4. Right to deploy untappable services
Unlike the original FBI proposal, this bill recognizes that there may be services which are untappable, even with Herculean effort to accommodate surveillance needs. We understand that the bill intends to allow untappable services to be deployed if redesign is not economically or technically feasible. These provisions, however, should be clarified.
C. PROVISIONS THAT REQUIRE FURTHER AMENDMENT BEFORE FINAL PASSAGE EFF plans to work on the following issues in the bill as the legislative process continues: 1. Strengthened public process
In the first four years of the bill's implementation, most of the requests that law enforcement makes to carriers are required to be recorded in the public record. However, additional demands for compliance after that time are only required to be made by written notice to the carrier. All compliance requirements, whether initial requests or subsequent modification, must be recorded in the Federal Register, to allow for public scrutiny. 2. Linkage of cost to compliance requirements—the FBI gets what it pays for and no
more The bill authorizes, but does not appropriate, $500 million to be spent by the government in reimbursing telecommunications carriers for bringing their networks into compliance with the bill. The FBI maintains that this is enough money to cover all reasonable expenses. The industry, however, has consistently maintained that
the costs are five to ten times higher. Given the FBI's confidence in their cost estimate, we believe that telecommunications carriers should only be required to comply to the extent that they have been reimbursed.
The bill as introduced wisely includes detailed reporting requirements for all reimbursements to carriers for retrofits during the first four years. Not only is this fiscally responsible, but also it allows those concerned about privacy and civil liberties to monitor the deployment of surveillance technology. From a civil-liberties perspective, this is a crucial safeguard.
However, after four years, reimbursement will be limited to costs incurred for adding capacity only, not including surveillance capability in new services. This defeats the purpose of providing public scrutiny of the government's surveillance expenditures. We are concerned that failure to limit the bill's requirements to actual reimbursements will cause deployment of unnecessary surveillance capability around the country that would be a threat to privacy and civil liberties. 3. Ensure right to deploy untappable services
The enforcement provisions of the bill suggest, but do not state explicitly, that services which are untappable may be deployed. The bill should be state directly that if it is technically and economically unreasonable to make a service tappable, then it may be deployed, without interference by a court. 4. Clarify definition of call identifying information
The definition of call identifying information in the bill is too broad. Whether intentionally or not, the term now covers network signaling information of networks which are beyond the scope of the bill. As drafted the definition would appear to require telecommunications carriers to deliver not only the signaling information generated by their own services, but also the signaling information generated by information services and electronic communication services that travel over the facilities of the telecommunication carrier. In many cases this may be technically impractical. Moreover, it is contrary to the policy adopted by the bill to maintain a narrow scope. 5. Review of minimization requirements in view of commingled communications
The bill implicitly contemplates that law enforcement, in some cases, will intercept large bundles of communications, some of which are from subscribers who are not subject of wiretap orders. For example, when tapping a single individual whose calls are handled by a PBX, law enforcement may sweep in calls of other individuals as well. Currently the Constitution and Title III requires "minimization" procedures in all wiretaps, to minimize the intrusion on the privacy of conversations not covered by a court's wiretap order. In the world of 1968, when the original Wiretap Act was passed, most subscribers telecommunications facilities carried single conversations on single lines. But today, many conversations are co-mingled on one broadband communications facility. In order to ensure that constitutionally-mandated minimization is maintained, the bill should recognize that stronger minimization procedures may be required.
D. CONCLUSION In closing, I would like to thank both subcommittees, as well as others who have worked so hard on this legislation. The Electronic Frontier Foundation looks forward to working with all of you as the bill moves through the legislative process.
ELECTRONIC FRONTIER FOUNDATION, INC.,
Washington, DC, August 11, 1994. Chairman PATRICK LEAHY, Subcommittee on Law and Technology, Senate Judiciary Committee, Washington, DC. Chairman DON EDWARDS, Subcommittee on Civil and Constitutional Rights, House Judiciary Committee, Washington, DC.
DEAR CHAIRMEN LEAHY AND EDWARDS, All of us in the Digital Privacy and Secu. rity Working Group wish to thank you and your staffs for the extraordinary leadership that you have shown in the process of crafting Digital Telephony legislation. Over the last few months, the bill has been transformed from a proposal that was wholly one-sided to one that is considerably more reasonable. However, one of the most significant outstanding issues is the calculation of the overall costs that will
be incurred in complying with the bill, and the appropriate policy for determining who should pay for this compliance.
Among the major improvements of the Leahy Edwards bill over the original Bush Administration proposals is that the federal government has taken responsibility to pay for at least the initial retrofit costs incurred in complying with the requirements of the Act. However, the magnitude of these costs remains a source of significant dispute. • No reliable costs estimates FBI estimates are too low and based on faulty as
sumptions The legislation as introduced authorizes $500 million over a four year period to pay for redesign of services that the FBI believes are currently causing problems. Yet Director Freeh himself testified before your joint hearing in March that costs could run to $1.5 billion. Industry estimates put compliance costs at $2 billion to $3 billion dollars.
While we are awaiting the report from the General Accounting Office on the cost issue, we already have further reason to doubt the FBI's cost estimates. For example, we know that the FBI estimates fail to account for new competitors that are already entering the local telecommunications market in competition with the local exchange carriers. Cable companies, for example, are already deploying technology which will allow them to offer local telephone services as a complete replacement for the service now provided by the local telephone companies. Yet, the FBI has failed to account for the costs that these new firms may incur under the Act as proposed.
We hope that you will use the hearing process now beginning to explore on the public record the true costs of the FBI's proposal. That current costs estimates diverge by factor of at least six causes us great concern. • Failure to cover "out year" costs assumes static technology and will stifle Inno
vation and competition The structure of the current bill presumes that capability compliance costs will be de minimis after the first four years of retrofits are completed. We disagree with this presumption. Four to six years may or may not be enough time to modify cur. rent telecommunication services to meet law enforcement needs. Yet new services are being deployed every day in the telecommunications market. In some cases, accomplishing surveillance needs may be relatively simple during the design process. But in other cases, substantial effort and expense will be required. If the bill is enacted with its current cost treatment, it will certainly discourage the deployment of new communications services once reimbursement is no longer available.
The four-year cap on reimbursement also ignores the fact that many new competi. tors are planning to enter the telecommunications market. No matter how this legis. lation is ultimately written, the technology needed to comply will be packaged by telecommunications equipment manufacturers as individual features. Each feature carries a cost to the manufacturer and a price to the telecommunications carriers that purchase them. New entrants into the communications marketplace would have to purchase these features. If they enter after the four-year reimbursement period expires, then they would have to bear the cost on their own, despite the fact that the incumbents in the market may have been reimbursed for that same cost by the federal government. As such, the current reimbursement structure runs counter to the overall United States communications policy, which seeks to promote competition in the local telecommunications market.
• Privacy and civil liberties will be victim without firm spending cap
The Leahy/Edwards bill as introduced wisely includes detailed reporting requirements for all reimbursements to carriers for retrofits during the first four years. Not only is this fiscally responsible, but also it allows those concerned about privacy and civil liberties to monitor the deployment of surveillance technology. From a civil-liberties perspective, this is a crucial safeguard.
After four years however, reimbursement will be limited to costs incurred for adding capacity only, not including surveillance capability in new services. This defeats the purpose of providing public scrutiny of the government's surveillance expenditures. We are concerned that failure to limit the bill's requirements to actual reimbursements will cause deployment of unnecessary surveillance capability around the country that would be a threat to privacy and civil liberties. • Proposal Expand current bill's provisions which link compliance obligations to
reimbursements In recognition of the fact that current cost estimates are inconclusive, and that the long-term cost of compliance is virtually impossible to estimate, we recommend that existing provisions in the bill that link compliance obligations to reimbursement be expanded. In the first four years, telecommunications carriers should be liable for compliance only to the extent that they have been reimbursed by law enforcement for the costs of retrofitting existing services. Such a provision would actually allow the Attorney General to allocate limited resources in the most efficient way possible and would eliminate pressure from carriers to be reimbursed for retrofits which law enforcement does not consider critical.
Data supplied by the Department of Justice shows that the bulk of wiretaps occur in a very few areas of the country and only in the context of certain services. For example, in 1993 there were 225 taps on cellular phone services, but fully 50 percent of those occurred in only two states, New York and Florida. (Similar patterns exist for wireline taps.) It would make sense, then, to target appropriated money to those areas where the need for retrofitting is great. However, since all cellular and wireline networks around the country are required to comply with the bill, they may request reimbursement from the Attorney General. Linking liability to reimbursement would give law enforcement the leeway to allocate its resources in the most sensible, efficient manner possible, and eliminate the need to pay for retrofits in areas, or for services, where the costs dramatically outweigh the benefits.
Following the four-year cutoff, existing telecommunications carriers as well as new entrants face substantial compliance costs, especially where new services are not easy to shape to law enforcement's requirements. Thus, there should be a mechanism for securing reimbursement.
If, after four years, costs are truly de minimis, then the expenses born by the taxpayer will be minimal. If, however, costs are substantial, the burden of compliance cannot be expected to be absorbed by private companies. The same linkage between reimbursement and compliance in the first four years should be applied to capability requirements in later years. This would protect American consumers from unreasonable demands by the government to pass surveillance costs through to the public sector and avoid public scrutiny.
We thank you for consideration of this matter, and look forward to working with you and your staffs toward a solution to this very important unresolved issue. Sincerely,