home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Shareware Overload Trio 2
/
Shareware Overload Trio Volume 2 (Chestnut CD-ROM).ISO
/
dir33
/
eff01017.zip
/
EFF01017.TXT
Wrap
Text File
|
1994-09-16
|
24KB
|
442 lines
Electronic Frontier Foundation
Testimony of
Jerry J. Berman, Policy Director
Electronic Frontier Foundation
before the
United States House Of Representatives
Committee on Energy and Commerce
Subcommittee On Telecommunications and Finance
Hearing on
Digital Telephony Legislation (H.R. 4922)
September 13, 1994
Chairman Markey and Members of the Subcommittee:
I want to thank you for the opportunity to testify today on the
recently introduced Digital Telephony bill (H.R. 4922, S. 2375). Over
the past several years under the leadership of Chairman Markey,
Representatives Fields, Boucher, and others, the Subcommittee has
demonstrated knowledge, sensitivity, and vision in crafting our nation's
telecommunications policy. I am pleased that the Subcommittee has
chosen to apply its experience and expertise to the extraordinarily
complex issues posed by the Digital Telephony legislation.
The Electronic Frontier Foundation (EFF) is a public interest
membership organization dedicated to achieving the democratic potential
of new communications and computer technology and works to protect civil
liberties in new digital environments. EFF also coordinates the Digital
Privacy and Security Working Group (DPSWG), a coalition of more than 50
computer, communications, and public interest organizations and
associations working on communications privacy issues. I am testifying
today, however, only on behalf of EFF.
Since 1992, the Electronic Frontier Foundation has opposed a
series of FBI Digital Telephony proposals, each of which would have
forced communications companies to install wiretap capability into every
communications network. However, earlier this year, when it became
apparent that some version of the bill would pass the Congress, Senator
Patrick Leahy and Representative Don Edwards asked EFF, along with
computer and communications industry groups, to participate in a process
that would yield a narrow bill that both met law enforcement needs and
had strong privacy protections. The result of that process is the bill
before us today.
EFF remains deeply troubled by the prospect of the federal
government requiring communications networks to be made "wiretap ready,"
but we believe that this legislation is substantially less intrusive
that the original FBI proposals. If Congress is going to act in this
area, it should work to improve and pass this version of the
legislation.
As I testified to before a joint hearing of the House Subcommittee
on Civil and Constitutional Rights and the Senate Subcommittee on
Technology and the Law on August 11, 1994, we have worked diligently on
this legislation with all interested parties in an effort to strike a
careful balance between law enforcement's ability to conduct electronic
surveillance and the more important public good -- the right to privacy
guaranteed by the 4th amendment. The bill strikes this balance in a
number of critical areas:
* Law enforcement gains no additional authority to conduct
electronic surveillance. The warrant requirements specified
under current law remain unchanged
* The standard for law enforcement access to online
transactional records is raised to require a court order
instead of a mere subpoena
* Information gleaned from pen register devices is limited to dialed
number information only. Law enforcement may not receive
location-specific information
* The bill does not preclude a citizen's right to use encryption
* Privacy must be maintained in making new technologies
conform to the requirements of the bill and privacy groups
may intervene in the administrative standard-setting
process.
However, Mr. Chairman, the effectiveness of these privacy
protections, as well as the future of technological innovation and the
deployment of advanced telecommunications services to the American
public, turn on one critical issue which remains to be addressed: Who
assumes the risk and pays the cost of complying with the bill's
requirements? The government or industry?
EFF believes that allocating the risk and cost to industry will
place privacy and security at risk if industry is required to foot the
bill for unnecessary or unwarranted surveillance capabilities.
Similarly, privacy may be shortchanged if industry takes short cuts to
save costs in meeting the legislation's requirements. Industry may
also be discouraged from deploying new and innovative technologies
because of the costs of law enforcement compliance features. Finally,
public accountability is undermined by making potentially significant
law enforcement costs without public scrutiny and debate. In our view,
the public interest can only be served if government assumes the risk
and pays the costs of compliance. While effective law enforcement may
be in the public interest, it should not come at the expense of other
public goods -- privacy, public accountability, and technological
innovation. To resolve this issue, we believe that the legislation
should be amended to require government to pay all reasonable costs
incurred to meet the statute's requirements on an ongoing basis.
A. Linkage of cost to compliance requirements in the first four
years -- the FBI gets what it pays for and no more
The bill authorizes, but does not appropriate, $500 million to be
spent by the government in reimbursing telecommunications carriers for
bringing their networks into compliance with the bill within the first
four years of enactment. The FBI maintains that this is enough money to
cover all reasonable expenses of retrofitting. The industry, however,
has consistently maintained that the costs are five to ten times higher.
Given the FBI's confidence in their cost estimate, we believe that
telecommunications carriers should only be required to comply to the
extent that they have been reimbursed.
In his testimony before a joint hearing of the House Subcommittee
on Civil and Constitutional Rights and the Senate Subcommittee on
Technology and the Law on August 11, 1994, the FBI director stated that
"I think it would be [...] extremely unlikely for a district court judge
in the process which is contemplated by this legislation to force
compliance or use of any sanctions when compliance is impossible because
of the non-reimbursement which is the predicate in the legislation".
Based on the Director's previous testimony and other discussions with
the FBI, EFF believes that the bill should include a provision to
directly link telecommunications carriers liability with government
reimbursement for retrofitting.
B. Government reimbursement for compliance costs after four years
-- public accountability necessary
The problem, Mr. Chairman, is that under the current bill, the
government is not responsible for paying the cost of meeting the
mandated capability requirements after four years, particularly with
respect to new services. The FBI has repeatedly argued that the costs
for incorporating surveillance capabilities in new services at the
design stage will be de minimis, a contention which most industry
representatives and EFF believe may not be correct.
As this Subcommittee is aware, it is impossible to estimate
compliance costs for technologies which are not even on the drawing
boards. The way to resolve the issue is to have the government assume
the risks.
If costs for compliance after four years are truly de minimis,
then the expenses born by the taxpayers will be minimal. If, however,
costs are substantial, the government should pay. This will insure that
the government, on a case-by-case basis and with an opportunity for
public oversight, determines if compliance is significant enough to pay
for out of taxpayers' funds. This will also ensure that the government
sets law enforcement priorities.
As I stated earlier, if the telecommunications industry is
responsible for all future compliance costs, it may be forced to accept
solutions which short-cut the privacy and security of telecommunications
networks, or be forced to leave advanced features on the shelf, slowing
technological innovation and the development of the NII. Linking
compliance to government reimbursement in the out years also has the
added benefit of providing public oversight and accountability for law
enforcement surveillance capability.
The drafters of this legislation have wisely included public
oversight of government surveillance expenditures in the first four
years. This same principal should be applied to out year compliance
costs.
C. Ensure the right to deploy untappable services
The enforcement provisions of the bill suggest, but do not state
explicitly, that services which are untappable may be deployed.
Having worked for many years towards the goal of promoting the
development of the NII, the members of this Subcommittee are clearly
aware that its promise and potential rest on the deployment of advanced
technologies and services. EFF remains deeply concerned that
technological innovation and the deployment of advanced
telecommunications services to the public may be stifled if
telecommunications carriers are forced to incur huge costs for
compliance, or if the Government is allowed to prohibit a new feature or
service from being deployed. Although EFF believes that the bill
intends to allow carriers to deploy untappable features or services,
the bill must clearly state that if it is technically and economically
unreasonable to make a service tappable, or if the government has failed
to reimburse a carrier for compliance costs, then it may be deployed,
without interference by a court. Making the government responsible for
all reasonable costs of having new services comply with the legislation
will go a long way to insuring that this legislation will not be a drag
on innovation.
D. Additional areas where strengthening is necessary
In addition to our concerns about compliance costs, EFF believes
that the bill requires strengthening in the following areas before final
passage:
1. Strengthened public process
In the first four years of the bill's implementation, most of the
requests that law enforcement makes to carriers are required to be
recorded in the public record. However, additional demands for
compliance after that time are only required to be made by written
notice to the carrier. To facilitate public scrutiny, the bill should
require all compliance requirements, whether initial requests or
subsequent modification, must be recorded in the Federal Register.
2. Clarify definition of call identifying information
The definition of call identifying information in the bill is too
broad. Whether intentionally or not, the term now covers network
signaling information of networks which are beyond the scope of the
bill. As drafted, the definition would appear to require
telecommunications carriers to deliver not only the signaling
information generated by their own services, but also the signaling
information generated by information services and electronic
communication services that travel over the facilities of the
telecommunication carrier. In many cases this may be technically
impractical. Moreover, it is contrary to the policy adopted by the bill
to maintain a narrow scope.
3. Review of minimization requirements in view of commingled
communications
The bill implicitly contemplates that law enforcement, in some
cases, will intercept large bundles of communications, some of which are
from subscribers who are not subject of wiretap orders. For example,
when tapping a single individual whose calls are handled by a PBX, law
enforcement may sweep in calls of other individuals as well. Currently
the Constitution and Title III requires "minimization" procedures in all
wiretaps, to minimize the intrusion on the privacy of conversations not
covered by a court's wiretap order. In the world of 1968, when the
original Wiretap Act was passed, most subscribers telecommunications
facilities carried single conversations on single lines. But today,
many conversations are co-mingled on one broadband communications
facility. In order to ensure that constitutionally-mandated
minimization is maintained, the bill should recognize that stronger
minimization procedures may be required.
E. New privacy protections
The Digital Telephony legislation before us includes significant
recognition that new communication technologies, and new patterns of
technology use, require new privacy protections. Thanks to the work of
Senator Leahy and Representative Edwards and Senator Biden, the bill
contains a number of significant privacy advances, including enhanced
protection for the detailed transactional information records generated
by online information services, email systems, and the Internet. These
protections should remain in the legislation.
1. Expanded protection for transactional records sought by law
enforcement
Chief among these new protections is an enhanced protection for
transactional records from indiscriminate law enforcement access. For
purposes of maintenance and billing, most online communication and
information systems create detailed records of users' communication
activities as well as lists of the information that they have accessed.
Provisions in the bill recognize that this transactional information
created by new digital communications systems is extremely sensitive and
deserves a high degree of protection from casual law enforcement access
which is currently possible without any independent judicial
supervision.
EFF commends the authors of this legislation for recognizing that
law enforcement access to transactional records in online communication
systems (everything from the Internet to America OnLine to hobbyist
BBSs) threatens privacy rights. Indiscriminate access to transactional
records implicates privacy interests because:
* the records are personally identifiable,
* they reveal the content of people's communications, and,
* the compilation of such records makes it easy for law enforcement
to create a detailed picture of people's lives online.
Based on this recognition, the draft bill contains the following
provisions:
* Court order required for access to transactional records instead
of mere subpoena
In order to gain access to transactional records, such as a list
of to whom a subject sent email, which online discussion group one
subscribes to, or which movies a subject requested on a pay-per view
channel, law enforcement will have to prove to a court, by the showing
of "specific and articulable facts" that the records requested are
relevant to an ongoing criminal investigation. This means that the
government may not request volumes of transactional records merely to
see what it can find through traffic analysis. Rather, law enforcement
will have to prove to a court that it has reason to believe that it will
find specific information relevant to an ongoing criminal investigation
in the records it requests.
With these provisions, we have achieved for all online systems a
significantly greater level of protection than exists today for records
such as email logs, and greater protection than currently exists for
telephone toll records. The lists of telephone calls that are kept by
local and long distance phone companies are available to law enforcement
without any judicial intervention at all. Law enforcement gains access
to hundreds of thousands of such telephone records each year, without a
warrant and without even notice to the citizens involved. Court order
protection will make it much more difficult for law enforcement to go on
"fishing expeditions" through online transactional records, hoping to
find evidence of a crime by accident. We have also submitted a detailed
memorandum on the importance of protection and would ask that this
document be included in the record of these proceedings along with this
testimony.
* Standard of proof much greater than for telephone toll records,
but below that for content
The most important change that these new provisions offer is that
law enforcement will: (a) have to convince a judge that there is reason
to look at a particular set of records, and; (b) have to expend the time
and energy necessary to have a United States Attorney or District
Attorney actually present a case before a court. However, the burden of
proof to be met by the government in such a proceeding is lower than
required for access to the content of a communication.
2. New protection for location-specific information available in
cellular, PCS and other advanced networks
Much of the electronic surveillance conducted by law enforcement
today involves gathering telephone dialing information through a device
known as a pen register. Authority to attach pen registers is obtained
merely by asserting that the information would be relevant to a criminal
investigation. Under current law, courts must approve pen register
requests without any substantive review of the basis for law
enforcement's request. This legislation offers significant new limits on
the use of pen register data.
Under this bill, when law enforcement seeks pen register
information from a telecommunications carrier, the carrier is forbidden
to deliver to law enforcement any information which would disclose the
location or movement of the calling or called party. Cellular phone
networks, PCS systems, and so-called "follow-me" services all store
location information in their networks. This new limitation is a major
safeguard which will prevent law enforcement from casually using mobile
and intelligent communications services as nation-wide tracking systems.
3. New limitations on "pen register" authority
Contemporary uses of pen registers also involve substantial
privacy invasion, even aside from location information. Currently, law
enforcement is able to use pen registers to capture not only the
telephone number dialed, but also any other touch-tone digits dialed
which reflect the user's interaction with an automated information
service on the other end of the line, such as an automatic banking
system or a voice-mail password. If this bill is enacted, law
enforcement would be required to use "technology reasonably available"
to limit pen registers to the collection of calling number information
only. We are aware that new pen register devices are now on the market
which automatically screen out all dialed digits except for the actual
telephone numbers. Just as this bill would require telecommunications
carriers to deploy technology which facilitates taps, we believe that
law enforcement should be required to deploy technology which shields
users communications from unauthorized invasion.
4. Bill does not preclude use of encryption
Unlike previous Digital Telephony proposals, this bill places no
obligation on telecommunication carriers to decipher encrypted messages,
unless the carrier actually holds the key to the message as well.
5. Automated remote monitoring precluded
Law enforcement is specifically precluded from having automated,
remote surveillance capability. Any court-ordered electronic
surveillance must be initiated by an employee of the telecommunications
carrier, upon request by law enforcement. Maintaining operational
separation between law enforcement agents and communication networks is
an important privacy safeguard.
6. Privacy considerations essential to development of new technology
One of the requirements that telecommunications carriers must meet
to be in compliance with the bill is that the wiretap access methods
adopted must protect the privacy and security of each user's
communication. If this requirement is not met, anyone may petition the
FCC to have the wiretap access requirements modified so that network
security is maintained. This requirement, just like those designed to
serve law enforcement's needs, must be carefully implemented and
monitored so that the technology used to conduct wiretaps cannot also
jeopardize the security of the network as a whole. If network-wide
security problems arise because of wiretapping standards, then the
standards should be overturned.
F. Improvements over previous Administration proposals
In addition to the privacy protections added to this bill, we also
note that the surveillance requirements are not as far-reaching as the
original FBI version. A number of procedural safeguards are added which
seek to minimize the threatens to privacy, security, and innovation.
Though the underlying premise of the bill is still cause for concern,
these new limitations deserve attention:
1. Narrow Scope
The bill explicitly excludes Internet providers, email systems,
BBSs, and other online services. Unlike the bills previously proposed by
the FBI, this bill is limited to local and long distance telephone
companies, cellular and PCS providers, and other common carriers.
2. Open process with public right of intervention
The public will have access to information about the
implementation of the bill, including open access to all standards
adopted in compliance with the bill, the details of how much wiretap
capacity the government demands, and a detailed accounting of all
federal money paid to carriers for modifications to their networks.
Privacy groups, industry interests, and anyone else has a statutory
right under this bill to challenge implementation steps taken by law
enforcement if they threaten privacy or impede technology advancement.
3. Technical requirements standards developed by industry instead of
the Attorney General
All surveillance requirements are to be implemented according to
standards developed by industry groups. The government is specifically
precluded from forcing any particular technical standard, and all
requirements are qualified by notions of economic and technical
reasonableness.
4. Right to deploy untappable services
Unlike the original FBI proposal, this bill recognizes that there
may be services which are untappable, even with Herculean effort to
accommodate surveillance needs. We understand that the bill intends to
allow untappable services to be deployed if redesign is not economically
or technically feasible. These provisions, however, should be
clarified.
G. Conclusion
In closing, I would like to thank Chairman Markey and members of
the Subcommittee, as well as others who have worked so hard on this
legislation. The Electronic Frontier Foundation looks forward to
working with all of you as the bill moves through the legislative
process.
--
<A HREF="http://www.eff.org/~mech/mech.html"> Stanton McCandlish
</A><HR><A HREF="mailto:mech@eff.org"> mech@eff.org
</A><P><A HREF="http://www.eff.org/"> Electronic Frontier Fndtn.
</A><P><A HREF="http://www.eff.org/~mech/a.html"> Online Activist </A>