« PrécédentContinuer »
tronic communications equipment. The report will summarize the task force's conclusions, concerns and points of controversy in five major areas:
I) New Radio-Based Communications Technology and whether the content of communications carried on these technologies is or should be protected by federal law.
II) Out-of-Band Signaling and new service offerings and the related privacy risks from disclosure of transactional information (especially the calling party's number).
III) 800 and 900 Numbers and the appropriate use of customer information obtained by businesses employing these technologies.
IV) Electronic Mail and concerns about the privacy of electronic messages carried on private networks.
V Government Monitoring and the special concerns raised by the government's action, where it has obtained a valid warrant, to segregate and monitor specific communications.
I. NEW RADIO-BASED COMMUNICATIONS TECHNOLOGY The Electronic Communications Privacy Act updated the 1968 Wiretap Act to deal with two major trends that were sweeping the telecommunications industry. First, ECPA broadened coverage from voice only to other forms of communication, includ. ing data and video. Second, ECPA expanded coverage from communications common carriers to all electronic communications whether or not carried by a regulated common carrier.
The new law failed to anticipate fully the expansion of the number and kinds of private communications that can and will be carried by "wireless" systems where some or all of the communication is carried by radio link. While the drafters of ECPA considered and drew distinctions between "cordless" and "cellular phone technologies, the full range of potential service offerings was not well understood at the time.
The anticipated increase in the provision of such radio-based services and networks could dramatically change the current make-up of this country's telecommunications infrastructure and provide telecommunications consumers with added efficiency, cost-savings, and mobility. Radio-based communications may well displace many communications now carried on "wire" systems currently protected by federal law. Such communications will not fall neatly into the distinctions drawn by ECPA.
ECPA makes a key distinction between communications that are "readily accessible to the general public" and those that are not
Communications that are not readily accessible to the general public are protected, i.e., it is illegal to intentionally intercept such communications and any electronic surveillance carried out by government officials must be in compliance with ECPA, which generally requires court authorization, high-level administrative review and procedural safeguards.
Communications that are "readily accessible to the general public" are not protected, i.e., it is not illegal to intercept the communication and government officials can monitor and use as evidence the content of the communication without first obtaining a warrant.
With regard to radio-based technologies, ECPA sets out a definition in the negative, i.e., it defines specific communications that are not readily accessible to the general public. Section 2510 (16) states: "readily accessible to the general public" means, with respect to a radio communication, that such communication is not-A) scrambled or encrypted; B) transmitted using modulation techniques whose essential parameters have been withheld from the public with the intention of preserving the privacy of such communication; C) carried on a subcarrier or other signal subsidiary to a radio transmission; D) transmitted over a communication system provided by a common carrier, unless the communication is a tone only paging system communication; or E) transmitted on frequencies allocated under part 25, subpart D, E, or F of part 74, or part 94 of the Rules of the Federal Communications Commission, unless, in the case of a communication transmitted on a frequency allocated under part 74 that is not exclusively allocated to broadcast auxiliary services, the communication is a two-way voice communication by radio * . *.
In addition to drawing the above distinctions between communications which are not readily accessible to the general public, ECPA exempts from its coverage "the radio portion of a cordless telephone that is transmitted between the cordless telephone handset and the base unit." 18 U.S.C. Section 2510(1) and (12)
The drafters of ECPA relied on distinctions between communications technologies which, in 1986, made it difficult to intentionally target and monitor specific communications (where a reasonable expectation of privacy could be said to exist) and
those in which the communication was "out in the clear", where specific monitoring was easily achieved and where no reasonable expectation could be found.
The drafters of ECPA recognized that there were no bright line tests in this area. For example, the Committee reports of both the House and Senate recognized that radio equipment was available to the public that was capable of receiving cellular telephone conversations at the time the Act was passed. Because of the complexity of the cellular telephone system, however, including the number of channels and the ability to frequently change frequencies, the ability to monitor specific conversations was thought to be difficult a judgment confirmed by law enforcement officials at the time. In contrast, cordless phones, because of the fixed location of the base unit and constant frequency, could be easily targeted and monitored. Thus, no protection was afforded to that technology.
The task force examined a host of new communications offerings which have been proposed to carry personal communications to determine whether they were in fact covered by the current definitions of the statute and if they were not, whether they should be protected both legally and technically against government and intentional private surveillance. A list of those technologies and the task force's analysis follows.
Cordless Telephone 2 (CT2; Telepoint): This technology utilizes a series of public base stations which can be accessed by a personal handset if the phone is within a short distance from the base station. Such systems are currently being deployed in the U.K., where they serve as an alternative to coin pay phones. Some experimental licenses have been issued in the U.S. They also can be used in public buildings such as hospitals, convention centers, etc., where users have the flexibility to roam within a prescribed area, but retain access to the phone system. Calls must be outgoing; incoming calls can not be received by the handset. The technology cur. rently uses analog transmission but is moving towards digital transmission. Random monitoring of conversations would be possible with a receiver placed within 150 to 200 feet of the base stations. Targeted monitoring of specific conversations would be difficult. The task force was of the view that the technology could be found to fall within the ECPA's exception for cordless phones. The task force was of the view that such communications should be legally protected from unauthorized Interceptions by ECPA, and that the government should obtain a warrant before monitoring conversations.
Personal Communications Network (PCN/PCS): Still in an embryonic stage of development, the concept of PCN/PCS envisions the use of portable, pocket-sized handsets capable of initiating and receiving communications regardless of the user's location at any point in time. As a result of improvements in both telecommuni. cations and computer technology, the handset will be able to signal its location to the network so that incoming calls can be routed on a national, perhaps international, basis. The majority of experimental licenses issued by the Federal Communications Commission (FCC) anticipate the use of digital technology. Thus, interception of specific conversations will be difficult. The task force was of the view that this type of communication should be protected by ECPA, since the current generation of cellular technologies is protected. Some question remains, however, as to whether the law could be interpreted to permit BCN to fall within the exception from coverage for cordless phones. A clarification of the law to make certain that such communications are legally protected against unauthorized interception is recommended.
Specialized Mobile Radio (SMR) system operations: The FCC recently took action to allow an existing SMR operator (Fleet Call, Inc.) to proceed with its plans to construct and operate on a private carrier basis "enhanced" SMR systems in the top six markets in the U.S. As proposed, the new system configurations incorporate the basic design concepts embodied in the provision of public cellular mobile service, i.e. frequency re-use/call hand-off between transmitting cell sites. In addition, the systems will employ digital technology. As such, unauthorized monitoring of specific communications will be difficult. These systems will clearly fail outside the protections currently afforded to the public cellular systems under ECPA because they will operate on private land mobile frequencies. See Section 2510 (16/D). The task force concluded that no meaningful technological distinctions, which would warrant a dif. ferent treatment of privacy rights under ECPA, exist between public carrier cellular systems and this new limited class of SMR cellular systems. if such systems are to be deployed, ECPA should treat cellular systems, whether provided by a common carrier or private system, as "not readily accessible to the general public."
Cordless Telephone 3 (CT3, radio PBX): Technology exists to construct office build. ings with a mini-cellular switching system inside the building. Such a system can be utilized to avoid the costs of rewiring a building when the office structure is reconfigured. Such a system can provide businesses with flexibility and cost savings when deploying telecommunications instruments. Under the current ECPA structure, however, such radio-based PBX systems would probably fall within the exception for cordless telephones, and therefore, a business or individual utilizing this technology could be legally unprotected from unauthorized interception of their communications. The task force Is of the view that such legal protection should be afforded.
Wireless Data Communications: Computer companies are experimenting with, and seeking FCC licenses for, "wireless" modems which can transmit data between computers without the computers being wired together, either directly or through phone lines. Such modems will have applications in several environments including the transmission of data from remote sites (a kind of cellular laptop computer) as well as within an office environment (wireless local area network or LAN). Under ECPA, the answer to the question whether such communications will be legally protected from unauthorized interception will depend on where, within its regulatory structure, the FCC decides to allocate spectrum for these uses and whether the communication is encrypted or the digital means used for such communications qualifies for protection under Section 2510(16)(B) relating to modulation techniques that are not readily accessible to the general public. Under current FCC proceedings, there is a likelihood that such communications will not be protected unless the user goes to the expense of full data encryption. The task force recommends appropriate amendments to legally protect digital communications of this type from unauthorized Interception.
Cordless Telephones: The discussion of these newer technologies led the task force to a lengthy discussion of the premise of the 1986 Act that "the radio portion of a cordless telephone communication that is transmitted between the cordless telephone handset and the base unit * . " should be exempt from coverage of the Act.
The task force first considered some newer technological developments which make communication carried on cordless telephones somewhat more secure. Cordless phones have reduced the transmission power so that the phenomenon of having calls blast through on an FM radio receiver has been eliminated. Cordless phones also have begun to utilize technology which permits the call to be carried between the handset and base unit on more than one frequency. This feature can and is available to add security and privacy to the phone call. The next generation of phones will utilize digital transmission technology which will make unauthorized interception more difficult.
Perhaps the most important change since 1986, though, is not technological but societal. The cordless phone, far from being a novelty item used only at "poolside," has become ubiquitous. A leading telephone equipment supplier now sells as many cordless telephone units as wired sets. It is projected that cordless phones will be in use in 68 percent of American households by the end of the decade. More and more communications are being carried out by people in private, in their homes and offices, with an expectation that such calls are just like any other phone call. Given such technological changes and under such societal circumstances, the task force concluded that to relieve the government of the duty to obtain a warrant before monitoring such communications is to vitiate much of the protection which should be afforded to communications privacy by the federal wiretap law and the Fourth Amendment. Therefore, the task force recommends that consideration be given to elimination of the exemption for cordless phones, while preserving an exception for unintentional or accidental private party interception.
In recommending both the maintenance and extension of legal protection for "wireless" radio communications, the task force is aware that inexpensive, widely available scanners and other devices are available that make it possible to intercept radio communications. The task force strongly believes that such technologies should not defeat citizens' reasonable expectation of privacy against government intrusion and that government agents should conduct electronic surveillance of the technologies described above only under appropriate court authorization. At the same time, criminal sanctions could be overbroad in criminalizing inadvertent and unintentional interceptions of radio communications by persons with access who legally possess and use scanner and other devices that intercept radio communications. The existence of monitoring devices makes it difficult to rely solely on legal protection against third-party eavesdropping. The task force is aware that legal protections may not go far enough in affording citizens real privacy protection against intentional but undetected private surveillance. For example, concerns were expressed by a number of task force members that technical privacy enhancing features for radio-based systems should be more rapidly deployed by manufacturers and service providers.
To rectify this situation, the task force does not want to overcriminalize in this area, i.e., penalize unintentional conduct. The task force Is of the view that the rights of private citizens using radio scanners can appropriately be addressed by clearly setting forth specific intent requirements in the Act, by tying the criminal penalty to targeted surveillance of specific communications and by further adjusting the civil and criminal penalty structure of the Act, rather than exempting whole categories of telephone technologies and thus making them fair game for monitoring by government agents without a warrant, corporate spies, or just plain snoops.
Second, in order to ensure that citizens both understand the vulnerability of particular radio technologies to private, intentional, illegal interception and to encourage industry to develop and market communications devices that are less vulnerable to intrusion, the task force endorses the concept that ECPA should be amended in such a way as to encourage the placement of warnings and notice of the vulnerability of customer premises telephone equipment on specific CPE and that manufacturers be encouraged to make consumers aware of the technical levels of privacy on different types of equipment. The task force believes this will encourage industry to compete with each other in developing devices which are more secure. The task force believes Congress should work with the FCC, Industry, and technical experts to further explore ways to enhance the security of different types of equipment and to further explore ways to enhance consumer awareness of the security of different types of equipment and laws pertaining to communications privacy. In particular, the task force recommends the examination of encryption technology and its potential impact on enhancing the privacy, security, and authenticity of electronic communications. The task force further encourages communications service providers to continue to explore the incorporation of encryption and other privacy enhancing features in new communications services, so as to improve communications privacy.
II. OUT-OF-BAND SIGNALLING Telephone transactional information caller I.D.
Prior to 1976, telephone calls were processed between telephone company offices using signaling information on the same trunk as the voice or talk path between the offices. This type of signaling is referred to as "in-band” because it is an inherent part of the path on which the call is carried. Part of the information contained in this signaling is Automatic Number Identification (ANI), which allows the automatic identification of a calling station for billing purposes. The use of ANI allows telephone subscribers to dial directly a toll call without operator involvement.
However, transmitting signaling information over voice circuits is inefficient. In order to improve network efficiency, a new interoffice signaling technology called Common Channel Interoffice Signaling (CCIS) was introduced. CCIS was the precursor of today's Common Channel Signaling 7 (CCS7). Instead of processing interoffice calls using a common path for both signaling and voice, the CCS7 network allows signaling information to be sent through a separate high speed data network before calls are connected between offices. This type of signaling is known as "outof-band" because it does not utilize the same facilities for the transmission of call processing information as are used for connecting the call. CCS7 signaling information contains routing information (where does the call go?), translations (does the dialed number equate to something else?, as is the case with an 800 number), billing, and calling party information (where did the call come from?). The calling party information is similar to ANI in that the calling party's number is automatically identified. However, unlike ANI, because the information is part of a data stream, CCST also has the capability to provide a "privacy indicators to flow along with the other call processing information in the data stream. The privacy indicator makes it technically possible for calling parties to block the release or display of information outside the network. However, the information blocked can still be used within the network for billing and routing purposes.
CCS7 has the capability to provide blocking in two ways: per-call or per-line (also known as subscription blocking). Per-call blocking allows the calling party to dial a code, before a call is placed, to indicate that, for a particular call, the Calling Party Number (CPN) should not be disclosed to the called party. If per-line blocking is available, the calling party need not dial a code prior to the call; CPN is automatically withheld from the called party. Both options prevent CPN from being disclosed to the called party, but neither prevents delivery of billing information to the interexchange carriers (whether via ANI or CPN).
As CCS7 began to be deployed, phone companies began to offer a service known as Caller I.D., Caller I.D. allows telephone subscribers to see the telephone number of the person calling before they answer the phone. In order to have the number displayed, telephone company offices must be equipped with CCS7, customers must subscribe to the service, and customers must buy either a number display unit to connect to their existing telephone or a special Caller I.D. telephone. When a call
is delivered to the called party, the telephone number of the calling party is displayed on the screen.
ECPA prohibits "trapping and tracing” of information regarding the origination of electronic communications. A trap and trace device is defined (18 U.S.C. Section 3126(4) as "a device which captures the incoming electronic or other impulses which identify the originating number of an instrument or device from which a wire or electronic communication was transmitted." This prohibition has three exceptions.
Trapping and tracing is permitted in order to operate, maintain, and test the communications service; to record the beginning and end of communications for billing or other similar functions; and, in those instances “where the consent of the user of that service has been obtained.” (18 U.S.C. 3121(b)).
There is a sharp division of views among task force members on whether Caller I.D. is a trap and trace device as defined in ECPA. The only court to rule on this question is the Commonwealth Court of Pennsylvania which held that Caller I.D. constituted a trap and trace device under state law which paralleled ECPA. There is a further division of views on the question of whether the customer or the service provider may employ a trap or trace device where the consent of the user has been obtained.
As phone companies began to market Caller I.D., privacy and consumer advocates argued that the right to control the disclosure of a subscriber's phone number should not be transferred to the telephone company. They said that the service violated ECPA, and they advised policy makers to require that phone companies provide free blocking," on either a per-line or per-call basis.
Initially the Caller I.D. debate took place before state public utility commissions, as phone companies sought authorization to provide Caller I.D. through tariff actions. The policy decisions have varied widely from state to state. New Jersey permits phone companies to offer Caller I.D. without any call-blocking service. Neighboring New York is considering a PUG regulation which would require that all customers with unpublished numbers automatically be given a blocked line. D.C. permits Caller I.D. but requires that per-call blocking be made available to the calling party at no charge. California has enacted legislation authorizing Caller I.D. but requiring that per-call blocking be offered to calling parties.
In Pennsylvania, the Commonwealth Court found that Caller I.D. violated both the state wiretap statute, a law virtually identical to ECPA, and the state constitutional right to privacy. The Court also found that the proposal to provide a blocking service to particular phone subscribers lacked minimal due process standards and was therefore unconstitutional. (Barash v. Pennsylvania Public Utility Commission, Commonwealth Court of Pennsylvania No. 2270, May 30, 1990). That case is on appeal to the Pennsylvania Supreme Court.
The task force recognized that there were privacy interests of both calling and called parties that any public policy on Caller I.D. must recognize. The task force noted, however, that in calls to 800 and 900 subscribers, the called parties had no such privacy interest.
Consumer and privacy advocates said that Caller I.D. would undermine privacy as the right to control the disclosure of personal information was transferred from the phone subscriber to the phone company. They said that the benefits of Caller I.D. for residential phone subscribers had been greatly overstated, that answering machines were a less expensive, less intrusive, but far more effective way to screen incoming calls. They also said that the Call Trace service provides all the safety benefits of Caller I.D. without placing the subscriber in the dangerous position of responding directly to harassing phone callers. They said that "balancing the privacy rights of call originators and call recipients was a false characterization of the service since the privacy rights of both parties could be easily accommodated.
Opponents of blocking, such as Bell Atlantic, believe that if Caller I.D. is available without blocking, it will achieve the greatest deterrent impact on anonymous, obscene, harassing, and threatening calls. Bell Atlantic has presented congressional testimony supporting the deterrent value in the availability of Caller I.D., a benefit which accrues even to those who do not subscribe to Caller I.D.. Bell Atlantic states that Caller I.D. broadly serves the public's right to be let alone and gives recipients of telephone calls the same information that callers have the number of the person to whom they are speaking. They further argue that there are ways other than blocking to address the unique needs of groups with a need to prevent identification, i.e., domestic violence and law enforcement agencies, etc., and telephone companies have worked with these groups and have successfully provided alternatives, other than blocking.
The task force was split among four different viewpoints. The first group was comprised of some of the consumer and privacy rights advocates. This group was of the