
The Association appreciates your consideration of this issue which is so important for law enforcement.

Sincerely,

HUBERT H. HUMPHREY III,
President,

Attorney General of Minnesota, National Association of Attorneys General.

COMPUTER PROFESSIONALS FOR SOCIAL RESPONSIBILITY,

Washington, DC, March 18, 1994.

Hon. PATRICK J. LEAHY,

Subcommittee on Technology and Law,

U.S. Senate, Washington, DC.

Congressman DON EDWARDS,

Subcommittee on Civil and Constitutional Rights,
U.S. House Office Building, Washington, DC.

DEAR SENATOR LEAHY AND CONGRESSMAN EDWARDS: I am writing to you on behalf of CPSR to express our support for your public hearings on the FBI Digital Telephony plan and the Clipper Chip. Both proposals raise long-term concerns about the future of communications privacy in the United States.

CPSR has a particular interest in these matters. As an organization of professionals in the computing field, we have a long-standing concern that new technologies be designed to provide strong privacy protection for network users. Privacy protection is a necessary condition for the successful deployment of advanced network technologies. Proposals that limit privacy protection will ultimately slow the development of advanced networks.

In late January we sent a letter to the White House, signed by many of the most distinguished cryptographers in the United States, asking that the Clipper proposal be withdrawn. (See attached). In the past month nearly 50,000 network users have added their names to that letter. If more people understood the implications of the Clipper plan, the number could easily be 500,000.

During the last several years, we have also conducted extensive Freedom of Information Act litigation regarding the Clipper proposal and the Digital Telephony proposal. Documents disclosed as a result of our FOIA litigation have raised substantial doubts about some of the claims made by the government in support of these initiatives.

This letter highlights our findings.

The Clipper proposal

• The National Security Agency usurped the authority of the Department of Commerce and violated the Computer Security Act of 1987 in the development of the Clipper plan. The original Commerce Department plan to develop open, unclassified standards for public key cryptography was revised by the National Security Agency. The NSA substituted a hardware-based, classified standard so that certain surveillance features could be incorporated (CPSR v. National Institute of Standards and Technology, No. 92-0972, D.D.C.)

• The National Security Agency, not the National Institute of Standards and Technology, has dominated the process of developing security standards for civilian communications.

• A related technical standard for "digital signatures" was purposefully designed by the NSA to minimize its privacy capabilities.

• The FBI and the NSA worked jointly on the development of the Clipper proposal and the Digital Telephony plan (CPSR v. FBI, 92-2117, D.D.C.)

• Many of these problems with the development of technical standards arose because a national security directive issued by President Bush bolstered the authority of the NSA at the expense of the Department of Commerce (CPSR v. Department of Defense and National Security Council, No. 91-13.)

• A good deal of relevant information continues to be withheld by the government.

The Digital Telephony proposal

• The General Services Administration and the National Telecommunications and Information Administration both opposed an earlier version of the Digital Telephony plan and cited potential threats to national security if the proposal went forward.

• None of the FBI field offices has yet documented an instance where a lawful intercept was frustrated as a result of advances in digital technology. (CPSR v. FBI, 92-2117, D.D.C.)

• As early as 1992, the FBI anticipated that private communications firms would strongly oppose the legislative proposal.

• The plan to make the network easier to wiretap was code-named "Operation Root Canal."

• The FBI also classified certain portions of the 1992 GAO assessment of the Digital Telephony proposal, thus keeping relevant information about the potential problems with the proposal from the public.

Assessment

The Clipper proposal resulted from the National Security Agency's desire to develop surveillance standards for US communications networks. Clipper was not developed by the agency charged with developing technical standards, nor do network users support the standard.

The Digital Telephony proposal is based on the suspect premise that new technologies have hindered the ability of law enforcement to conduct criminal investigations. In fact, new technologies have clearly expanded the ability of law enforcement to monitor individuals, to gather personal data, and to obtain transactional records generated by telephone communications.

The real challenge facing the Judiciary Committees is to narrow the scope, not expand, of the permissible seizure of personal information generated by advanced communications networks. In particular:

1) Amendments to the ECPA should narrow the use of subpoenas to obtain telephone toll records. The increasing use of subpoenas combined with the growth of digital networks has increased dramatically the amount of information available to law enforcement that does not require a judicial warrant. This trend runs contrary to the spirit of the federal wiretap statute and should be reversed.

2) Amendments to the ECPA should require annual reporting requirements that detail the number of requests for telephone toll records, telephone lines covered, and records obtained. Similar reporting requirements currently exist for wiretap and pen register warrants.

3) A privacy agency should be established within the federal government. Such an agency could help ensure that proposals such as the Digital Telephony proposal are not put forward without a proper review by an agency competent to evaluate the implications of such a plan.

Though some have described encryption as a form of "societal paranoia," there can be no doubt that encryption is the single most important technology for the protection of communications privacy. Not only does encryption provide for the confidential transmission of electronic communications, it also permits the authentication of business documents, and provides the basis for new forms of private communications. Policies that restrict the development of encryption or expand the ability of law enforcement to gather personal data will reduce privacy protection and diminish the value of communication networks in the United States.

We appreciate your consideration of our views. We would be pleased to provide to you or your staffs whatever additional information you request.


DISTRICT ATTORNEY'S OFFICE,

Philadelphia, PA, March 28, 1994.

Hon. PATRICK J. LEAHY,

Subcommittee on Technology and the Law,

U.S. Senate, Washington, DC.

Hon. DON EDWARDS,

Subcommittee on Civil and Constitutional Rights,

U.S. House, Washington, DC.

DEAR SENATOR LEAHY AND CONGRESSMAN EDWARDS: In response to the NDAA memorandum from Jim Polley inquiring about law enforcement's concern as it relates to digital telephony, I offer the following:

In the Fall of 1991, this office was involved in an investigation which involved the extensive use of cellular telephones by the targets. One of the features being offered by the cellular industry is called "Follow Me Roaming". This feature allows a cellular telephone, operating out of its home switch to have all incoming calls automatically forwarded to it no matter where in the country it is operating. If a court authorized intercept is being conducted on this particular instrument, it would appear to be inactive to us but could still be making and receiving calls. This occurs because once "Follow Me Roaming" is activated, the cellular system, which our equipment is attached to, treats the call in a different fashion and routes the calls through a data link instead of through a normal voice channel. Due to the fact that "Follow Me Roaming" is activated and de-activated on a daily basis, the target instrument is assigned a temporary telephone number which changes daily. Even the target does not know what this number is. Any person involved in a criminal activity who is aware of this technology would know that, except on possibly a federal level, with the expenditure of great resources and a great amount of cooperation from the various cellular companies, this telephone cannot be intercepted. An example of how this could be used, without the target roaming around the country is as follows:

1) I travel to Washington, DC and, through a contact or my own resources, I have a cellular telephone activated, through the local carrier with a 202 area code.

2) I return to Philadelphia and activate "Follow Me Roaming."

3) Any outgoing calls made by me on this telephone would be going through the Philadelphia carrier and then into a land line. They would never even hit my home switch in Washington.

4) Any incoming calls made to my assigned 202 telephone number would automatically be forwarded to me in Philadelphia to the telephone number that my instrument had been temporarily assigned on that particular day. This process would be completely transparent to any intercept equipment attached to the switching office in my home area. It would appear, to anyone monitoring my telephone, that it was not in use.

As long as I kept my bill current with the mobile telephone company, I could do this indefinitely.

Another problem that we have encountered with the telephone company is the installation of a trap and trace on a telephone number assigned to a pager. The position of Bell of PA is that this cannot be done by them but must be done by the paging company. I disagree with the telephone company and feel that this is an instance where their legal department does not want to get involved in a potential problem with a large customer (i.e. a paging company). The paging company is only responsible for what is being sent out over the air. Until the incoming call connects with the paging company's computerized equipment, it is handled by the local telephone company just like any other call. This means that the telephone number of the pager, just like your home telephone number, appears on a frame in a switch and is routed through the telephone equipment just like any other call. Once it hits the paging company's computer, it then becomes their responsibility. In fact, in all other states that have the Caller I.D. function, the paging companies are able to pass the incoming telephone number on to the pager. This is information that they receive from the telephone company. We have been unsuccessful in getting Bell of PA to comply with any court order to date. This is an issue that should be specifically addressed by the Digital Telephony and Communications Privacy Improvement Act of 1994 and made applicable to all telephone companies (Baby Bells, or otherwise) as well as to those companies whose business interacts with local and national phone companies.

Sincerely,

LYNNE ABRAHAM,
District Attorney.

U.S. DEPARTMENT OF JUSTICE,
FEDERAL BUREAU OF INVESTIGATION,
Washington DC, January 5, 1994.

Mr. CASIMIR S. SKRZYPCZAK,
President, NYNEX Science and Technologies, Inc.,
White Plains, NY.

DEAR MR. SKRZYPCZAK: Upon receipt of your November 8, 1993, letter, my staff and I conducted a careful and detailed review of the results of the industry working group, which was formed at the request of industry, in March 1992 to address the electronic surveillance requirements of our Nation's state and federal law enforcement agencies. According to senior telecommunications executives, this group was to be "the approach" to address law enforcement's concerns in this area. Although the efforts of industry have been useful to a degree, an honest and candid assessment of the results achieved to date, unfortunately, leads me to conclude that this body does not appear to be equipped or able to develop and implement the solutions that are needed to remove the current and emerging impediments which prevent or hinder law enforcement agencies in executing court orders for electronic surveillance. Although I have held out hope that the industry working group, the Alliance for Telecommunications Industry Solutions (ATIS), and the Electronic Communications Service providers Committee (ECSPC) would provide a mechanism for achieving solutions and removing the impediments, this recent assessment compels me to acknowledge that these efforts have been inadequate.

As I mentioned in my letter of September 28, 1993, at the outset, back in March 1992, we were pleased with and supportive of the committee's mission to resolve this significant threat to the public safety, national security, and effective law enforcement. To aid in the initiative, we have devoted FBI technical experts and engineers to this process, as well as funding a telecommunications consulting firm to facilitate meetings, provide subject matter expertise, and prepare written contributions. Also, as I previously mentioned, some of the industry representatives have worked hard and appear to have been sincere in their efforts to reach solutions. However, some companies have not supported these efforts and others have not contributed meaningfully to the effort. In my estimation, this is a result of the voluntary basis and elective nature of the working group and committee approach. Particularly troubling is the fact that new service providers who are now entering the marketplace are unaware of law enforcement's requirements, and efforts by the FBI to have these requirements brought to the attention of industry standards bodies, such as the one now considering personal communications Services (PCS) systems, were not supported by industry representatives in the committee.

I believe that in order to successfully accommodate law enforcement's needs and to ensure that electronic surveillance responsibilities are discharged as new technologies emerge, a mechanism must exist that, in a certain and comprehensive fashion:

• Identifies fully law enforcement's electronic surveillance requirements to the telecommunications industry;

• Prompts the technical solutions necessary to meet the requirements of law enforcement;

• Assures timely implementation of these solutions into the telecommunications industry's existing and emerging technologies; and

• Addresses the cost issues associated with the technical solutions and their implementation.

Time has shown that the ECSPC, by itself, is not capable of achieving our goal of ensuring the ability of law enforcement to perform electronic surveillance without fail within existing and emerging telecommunications systems.

As I have previously indicated, the efforts of many committee members have been greatly appreciated by law enforcement. However, it is apparent that the recommended industry approach, the ECSPC, cannot address all of the necessary elements I have listed above. In fact, several committee members have made the point that, as matters stand, only an individual company can determine whether or not it is willing to pursue and implement solutions once they are identified.


It is my view that the committee process should be a mechanism for discussing law enforcement needs and identifying technical solutions. Committee products thus far, such as those reflected in the ISDN, Digital Loop Carriers, and Cellular action teams' written recommendations, have not included solutions, but rather have largely only restated law enforcement's current abilities and limitations in performing electronic surveillance in these technical environments-information which the FBI itself provided nearly two years ago. In the main, these products observe the need for the development of solutions to meet law enforcement needs, but they do not provide these solutions. Inasmuch as the committee is not empowered to resolve cost and other issues key to the implementation of solutions, the lack of meaningful and timely solutions to these technological problems will continue.

As we have indicated previously, we shall continue our active participation in the committee process. However, given the results to date, we are also obligated to pursue other approaches which will ensure law enforcement's continued ability to protect the safety and economic well-being of the American public through the use of this essential investigative technique.

Sincerely yours,

JAMES K. KALLSTROM,
Special Agent in Charge.

TELECOMMUNICATIONS INDUSTRY SOLUTIONS,
Washington, DC, March 1, 1994.

Mr. JAMES K. KALLSTROM,
Special Operations Division,
Federal Bureau of Investigation, New York, NY.

DEAR JIM: I am writing in response to your letter of January 5, 1994, in which you expressed your concerns regarding industry efforts to address the electronic surveillance requirements of state and federal law enforcement agencies.

First, let me say that your observations regarding the functioning of the Electronic Communications Service Provider Committee (ECSP) and its progress to date in resolving issues are understandable. These comments included: the Committee is not equipped to implement the technical solutions which it identifies; some companies have not supported these efforts and others have not contributed meaningfully to the effort; and efforts by the FBI to have law enforcement's requirements brought to the attention of industry standards bodies were not supported by all representatives on the Committee. However, these observations which you find troubling are aspects of the committee process which are fundamental to the operation and interest of open industry forums.

One of the basic principles of any inter-industry committee or forum is that solutions reached are proposals for voluntary implementation by the participants: recommendations are non-binding. While each participant is committed to good faith discussions and consideration of timely implementation, each company represented also reserves fully independent judgment in terms of any implementation. This tenet of operation serves a number of purposes, a key one being that it mitigates the legal/antitrust risks of conducting these discussions in any industry meeting. The forum process also ensures that there is careful consideration of all views and objections, appropriate notification and opportunity for the industry to review and provide comments on any proposed solution, and ultimate resolution by consensus. While there is no guarantee, the fact that all participants have been a part of these sensitive discussions, have been afforded due process, and have willingly expended the necessary resources in the development of a solution more often than not results in strong incentives to implement. It simply may not produce the direct and open commitment to implement solutions at the Committee level that you appear to be looking for.

As I am sure you are aware, most of the solutions developed or being discussed are costly to implement, and can require months, even years to develop. Quite frankly, decisions of this magnitude require review by higher levels of management than those representatives present at the ECSP Committee. Industry sends the subject matter experts to these meetings to develop the technical solutions. Typically, industry does not send representatives who are authorized to make business decisions which may involve large expenditures. While you may view that as a shortcoming of this industry process, I believe that federal agencies operate in the same fashion.

Another characteristic of industry forums is that participating companies do not support and/or contribute to efforts equally. Participants tend to gravitate toward and contribute to those issues in which they have the most interest or the greatest
