TESTIMONY OF
JERRY BERMAN
EXECUTIVE DIRECTOR
ELECTRONIC FRONTIER FOUNDATION

ACCOMPANIED BY
RONALD L. PLESSER
PIPER & MARBURY

ON BEHALF OF THE ELECTRONIC FRONTIER FOUNDATION AND THE DIGITAL PRIVACY AND SECURITY WORKING GROUP

CONCERNING THE DIGITAL TELEPHONY AND COMMUNICATIONS PRIVACY IMPROVEMENT ACT OF 1994

BEFORE THE SENATE JUDICIARY SUBCOMMITTEE ON TECHNOLOGY AND LAW AND HOUSE JUDICIARY SUBCOMMITTEE ON CIVIL AND CONSTITUTIONAL RIGHTS

MARCH 18, 1994

Chairman Leahy, Chairman Edwards, and Members of the Subcommittees:

We appreciate the opportunity to testify today on the Clinton Administration's draft legislation "the Digital Telephony and Communications Privacy Improvement Act of 1994." I am the executive director of the Electronic Frontier Foundation (EFF), a public interest organization dedicated to achieving the democratic potential of new communications and computer technology. With me today is Ronald Plesser, a partner at Piper and Marbury and counsel to EFF on digital telephony issues.

I. The Digital Privacy and Security Working Group

We appear today on behalf of EFF and on behalf of the Digital Privacy and Security Working Group (DPSWG), a coalition of more than 50 computer, communications, and public interest organizations and associations working on communications privacy issues since 1991 under the coordination of the Electronic Frontier Foundation.

Senator Leahy, we must give credit where credit is due. The DPSWG has evolved as a direct result of your privacy policy initiatives. In 1986, many of the organizations and individuals in the working group joined together to support your successful effort to enact the Electronic Communications Privacy Act of 1986 (ECPA), landmark legislation establishing early on that public policies must and can be devised to ensure that the emerging information superhighway operate in a manner consistent with privacy, free speech, and other core democratic values.
In 1991, many of the organizations in the DPSWG participated in the "Ad Hoc Leahy Task Force" which you tasked to look at how ECPA was faring and to make recommendations to you for improving communications privacy protections.

II. Background on Digital Telephony

The Digital Privacy and Security Working Group has had to spend most of its time responding to government initiatives that would change and modify the principles that underlie ECPA. The Clinton Administration's Digital Telephony and Communications Privacy Improvement Act of 1994 is only the latest in a series of government initiatives put forward over the past few years to seek to resolve law enforcement's perceived problems in conducting wiretapping in the era of digital communications.

In each and every case, the members of the DPSWG from AT&T to the United States Telephone Association, from the ACLU to EFF, have uniformly sought to identify the specific technical concerns of the FBI and law enforcement. This has not been easy and, frankly, we continue to believe that the FBI has not made its case. On a policy level, there is little disagreement that the FBI and law enforcement should continue to be able to conduct wiretaps in a digital environment. On a technical level, their concerns are global and their resolutions are general. The resolution of this issue should be through carefully crafted solutions so as not to upset the balance between law enforcement interest and continued confidence in the public switched network. The proposals that we have seen are overbroad and would create more problems than they would resolve. In short, the FBI has not made a technical case that supports the sweeping changes that it seeks.

* In 1991 the Bush Administration proposed a "Sense of the Congress Resolution" that would have interpreted current wiretapping statutes to require communications carriers, network operators, and service providers to turn over the "plain text" of all communications for law enforcement purposes. The DPSWG argued that the proposal was unworkable and vague, and its efforts led congressional leaders to remove the provision from pending omnibus crime legislation.

* In 1992 the Bush Administration circulated Digital Telephony No. 1, draft legislation that would have required all providers of electronic communications services to obtain an FCC or Attorney General Certification that their networks or facilities meet evolving FBI electronic surveillance requirements. In September 1992, the DPSWG published an "Analysis of the FBI's Digital Telephony Proposal," signed by 35 computer, communications, and civil liberties organizations and associations highly critical of the digital telephony draft legislation on privacy, security, and economic cost grounds. This analysis, a copy of which we submit for the record, convinced Congress to reject the Bush Administration's proposal.

* Last year, the DPSWG, based on optimism about the Clinton Administration's information highway program, began work on a "white paper" designed to set forth new policies to enhance privacy and security in the context of the emerging National Information Infrastructure. When the Clinton Administration announced its "clipper chip" encryption escrow plans and intention to conduct a high level review of privacy, encryption, and related policies in April 1993, the DPSWG turned its attention to addressing the Administration's concerns. On November 24, 1993, we submitted a draft report to the Administration that presented a detailed case against the need for legislation like digital telephony to resolve law enforcement surveillance problems.
The FBI stated that it had concerns with the report, but has refused to state the basis for any of its concerns. We submit a copy of our November report for the record.

III. The Digital Telephony and Communications Privacy Improvements Act of 1994

Despite our concerted efforts, the Clinton Administration has now proposed its own bill, the Digital Telephony and Communications Privacy Improvement Act of 1994. Responding to the February draft bill on March 9, 1994, 20 members of the DPSWG, including AT&T, MCI, USTA, Business Software Alliance, Software Publishers Association, Apple Computer, the American Civil Liberties Union, and the Electronic Frontier Foundation sent a letter to the President and Vice President stating strong opposition to the new version of digital telephony. On March 11, the DPSWG sent its initial analysis of the legislation to FBI Director Louis Freeh, which reiterated that the legislation is unnecessary and, as drafted, could undermine communications privacy and citizen confidence in the public switched telephone network.

The Clinton Administration's proposed digital telephony legislation would:

* require carriers to provide real-time remote access not only to the contents of communications data sought pursuant to a judicial warrant but also to call setup and other transactional data sought in any lawful investigation;

* require suppliers of hardware and software to telecommunications providers to meet law enforcement requirements on a priority basis at reasonable cost; and

* empower the Attorney General to seek to enjoin a carrier from operating who was not in compliance with law enforcement requirements and to impose significant fines on carriers and suppliers who fail to meet law enforcement demands.

1. The legislation threatens privacy rights.

As we interpret the draft legislation, it would require a service provider to hand off not only the contents of communications but deliver to remote locations "call setup information" whether or not incident to a warrant issued for wire, oral, or electronic communications as set forth in 18 U.S.C. Section 2518. Extending the legislation's scope beyond the acquisition of content (pursuant to a warrant under Section 2518) to the independent acquisition of call setup information raises many issues that require examination.

For example, currently the legal standard for obtaining transactional data is a certification (via subpoena or statement to a judge) that the sought-after data is relevant to an ongoing criminal investigation. In the era of personal communications services (PCS) and the information highway, transactional data will reveal far more about individuals than it has in the past. In fact, in some cases it may be equivalent to content information. This transactional data certainly could make it possible to build a detailed model of an individual's behavior and movements.

The net result could be government dictating to industry that it create a surveillance-based system that would allow federal, state, and local governments to use a service provider's electronic communication facilities to conduct minute-by-minute surveillance of individuals. As long as they have an IRS or other administrative subpoena or a law enforcement agent willing to certify that the sought-after data is relevant to an ongoing criminal investigation, law enforcement officials could demand that they be notified at some remote location every time certain individuals communicate by telephone, and their location at the time, as well as every database they connect to and when they log on and off. In short, law enforcement officials could insist on instantaneously knowing the existence of every single electronic communication (but not its content).

The enormous potential for abuse and threat to personal privacy suggests that, if transactional data were to be covered by digital telephony legislation, it should be incidental to a "Title III" wiretap warrant. This would not limit in any way law enforcement's access to trap and trace, pen register, or call billing information under current law or practice. This is particularly true given that no case has been made that demonstrates any current or potential difficulty in getting this non-content information under current practices. The technology in fact has made these types of services much easier for law enforcement to use and access. Additional legislation is simply not necessary to obtain this data.

2. We do not know what is covered.

The obligation to isolate the content of communications must be reasonably related to the service provider's telecommunications services. It would be unreasonable for the FBI to demand any person involved with the communication to furnish it with access to that communication. For example, most providers, including local telephone companies, usually need to isolate communications for purposes of billing and maintenance. It is appropriate for the FBI to seek their assistance in intercepting communications on their networks only when the requests are reasonably related to the telecommunications services they provide. Therefore, the question is not necessarily who is covered, but what telecommunications services are covered. For example, the legislation should reflect the fact that, in reselling services, even local telephone companies sometimes are unable in those instances to furnish call setup information regardless of whether it is incidental to the acquisition of a communication's content.

3. It is not clear what requirements would be placed upon service providers and what standard of compliance would be applied.

Legislation should carefully define the obligations of service providers.
This is not the case with the FBI's current draft of proposed legislation. These obligations are vague and subject to considerable interpretation. Service providers and manufacturers must have flexibility to adopt procedures that reasonably comply with the specific functional performance requirements of law enforcement. This is particularly true where, as here, compliance requires an assessment of future needs and interoperability requirements. There is a difference between compliance and a guarantee, and legislation must reflect that difference. Carriers should be required to provide reasonable cooperation and that cooperation should be measured by a standard of reasonable compliance.

In installing new software or equipment under this statute, a service provider must be able to reasonably assess future demands by law enforcement. Other industries subject to regulation at least know, for example, the temperature at which they must maintain the specimens, the emission standard they must satisfy, or the type of safety restraint equipment they must install and the date by which they must have it installed in vehicles. Service providers cannot be held to an absolute standard of compliance where they are using and delivering new technologies to the public and the demands of law enforcement are not clearly specified. This applies to both capability and capacity. Law enforcement must be specific in its requirements for capacity and capability from each service provider.

4. Issues arise as to what is expected of commercial mobile service providers.

It is not a foregone conclusion that mobility in a digitized telecommunications environment will degrade or otherwise impede the law enforcement community's ability to effectively execute court-approved wiretap orders. Wireless carriers are committed to assisting law enforcement agencies to successfully wiretap and intercept voice communications.
To accomplish this goal, the wireless industry understands that available excess port capacity is needed in all switches throughout the nation. While it may be reasonable for federal and state law enforcement agencies to acquire the contents of wireless communications pursuant to "Title III" warrants through additional port capacity, it would be prohibitively expensive to require that every one of the nation's switches be connected to the FBI to enable it to acquire such information on a "real time" basis at remote locations. Connecting every one of the nation's switches to the FBI, moreover, would increase exponentially the risk of unauthorized access to wireless communications. Further, the proliferation of fraudulent use of wireless telephones through such techniques as "cloning" and "tumbling" ESNs (electronic serial numbers) poses additional questions with respect to privacy and the ability of law enforcement to properly execute court-approved wiretap orders.

5. It is uncertain what the responsibilities of manufacturers and suppliers are under the legislation.

The FBI wishes manufacturers of telecommunications equipment and providers of support services to fall within the scope of the legislation. But, would service providers be held liable for software or hardware that is not available from vendors? Why? How would the obligations be enforced against foreign manufacturers? What would be the liability of a domestic carrier that relies upon foreign manufacturers? What are the trade implications of having domestic manufacturers export equipment designed for governmental surveillance?

6. Serious issues are raised as to how, and during what period, costs are to be recovered to ensure that there is a direct relationship between the costs reasonably incurred by covered entities and the government's requirements.

Government should pay for what it needs, which will help focus attention upon the facilities that truly need upgrading.
If the government does not pay for upgrades or facilities, then the service providers should not be held responsible. The FBI appears to have accepted the concept that government should pay for the costs of compliance but has so far underestimated these costs and proposed an arbitrary three-year limit on cost reimbursement. Government compensation should be ongoing with industry's compliance.

IV. Is this Legislation Necessary?

The most fundamental question that needs to be resolved is whether this legislation is necessary. In our view neither the Bush nor Clinton Administrations have made a persuasive case. They argue that electronic surveillance is essential to law enforcement, but they have not demonstrated that their access to communications subject to judicial warrants has been impaired. They have pointed to problems encountered with call forwarding and cellular communications, but carriers have been able to meet new requirements through cooperative efforts.

In the report prepared for the Clinton Administration and sent to the FBI last November, the DPSWG presented the following case:

* First, there is no evidence that current law enforcement efforts are being jeopardized by new technologies. As described in our attached report, a Freedom of Information Act request made by Computer Professionals for Social Responsibility turned up evidence that not one law enforcement agency could demonstrate that digital telephony has interfered with any electronic surveillance activities.

* Second, industry is cooperating with appropriate authorities to avoid future problems and to expand existing capacities.

* Finally, given this lack of ascertainable concern now or in the future, it is not justifiable to require all providers, including telephone companies, packet switching networks, computer and software manufacturers, and the like, to be subject to new design standards and requirements.
This is particularly the case where such requirements may in some cases severely limit the development of the new national infrastructure and once again lessen the American public's confidence in our communications networks.

ECPA was enacted to reaffirm the confidence of all Americans that their communications, whether aural or digital, common or private, voice, data, or video, are secure from unauthorized interceptions. The government has the current authority and ability to adequately intercept electronic communications when authorized to do so. Sufficient reasons to amend this statute now to allow the government to dictate the design of communications technology just do not exist.

V. Conclusion

We applaud the fact that Congress is holding these hearings. Only Congress can resolve whether or not legislation is necessary and work to bridge the considerable division between the Administration and the private sector. We welcome the opportunity to state our views, and are ready and anxious to work with you and the Administration to find solutions to law enforcement needs that strike a balance between those needs, privacy, and other significant societal interests.