Electronic Frontier Foundation Testimony of Jerry J. Berman, Policy Director Electronic Frontier Foundation before the United States House Of Representatives Committee on Energy and Commerce Subcommittee On Telecommunications and Finance Hearing on Digital Telephony Legislation (H.R. 4922) September 13, 1994 Chairman Markey and Members of the Subcommittee: I want to thank you for the opportunity to testify today on the recently introduced Digital Telephony bill (H.R. 4922, S. 2375). Over the past several years under the leadership of Chairman Markey, Representatives Fields, Boucher, and others, the Subcommittee has demonstrated knowledge, sensitivity, and vision in crafting our nation's telecommunications policy. I am pleased that the Subcommittee has chosen to apply its experience and expertise to the extraordinarily complex issues posed by the Digital Telephony legislation. The Electronic Frontier Foundation (EFF) is a public interest membership organization dedicated to achieving the democratic potential of new communications and computer technology and works to protect civil liberties in new digital environments. EFF also coordinates the Digital Privacy and Security Working Group (DPSWG), a coalition of more than 50 computer, communications, and public interest organizations and associations working on communications privacy issues. I am testifying today, however, only on behalf of EFF. Since 1992, the Electronic Frontier Foundation has opposed a series of FBI Digital Telephony proposals, each of which would have forced communications companies to install wiretap capability into every communications network. However, earlier this year, when it became apparent that some version of the bill would pass the Congress, Senator Patrick Leahy and Representative Don Edwards asked EFF, along with computer and communications industry groups, to participate in a process that would yield a narrow bill that both met law enforcement needs and had strong privacy protections. The result of that process is the bill before us today. EFF remains deeply troubled by the prospect of the federal government requiring communications networks to be made "wiretap ready," but we believe that this legislation is substantially less intrusive that the original FBI proposals. If Congress is going to act in this area, it should work to improve and pass this version of the legislation. As I testified to before a joint hearing of the House Subcommittee on Civil and Constitutional Rights and the Senate Subcommittee on Technology and the Law on August 11, 1994, we have worked diligently on this legislation with all interested parties in an effort to strike a careful balance between law enforcement's ability to conduct electronic surveillance and the more important public good -- the right to privacy guaranteed by the 4th amendment. The bill strikes this balance in a number of critical areas: * Law enforcement gains no additional authority to conduct electronic surveillance. The warrant requirements specified under current law remain unchanged * The standard for law enforcement access to online transactional records is raised to require a court order instead of a mere subpoena * Information gleaned from pen register devices is limited to dialed number information only. Law enforcement may not receive location-specific information * The bill does not preclude a citizen's right to use encryption * Privacy must be maintained in making new technologies conform to the requirements of the bill and privacy groups may intervene in the administrative standard-setting process. However, Mr. Chairman, the effectiveness of these privacy protections, as well as the future of technological innovation and the deployment of advanced telecommunications services to the American public, turn on one critical issue which remains to be addressed: Who assumes the risk and pays the cost of complying with the bill's requirements? The government or industry? EFF believes that allocating the risk and cost to industry will place privacy and security at risk if industry is required to foot the bill for unnecessary or unwarranted surveillance capabilities. Similarly, privacy may be shortchanged if industry takes short cuts to save costs in meeting the legislation's requirements. Industry may also be discouraged from deploying new and innovative technologies because of the costs of law enforcement compliance features. Finally, public accountability is undermined by making potentially significant law enforcement costs without public scrutiny and debate. In our view, the public interest can only be served if government assumes the risk and pays the costs of compliance. While effective law enforcement may be in the public interest, it should not come at the expense of other public goods -- privacy, public accountability, and technological innovation. To resolve this issue, we believe that the legislation should be amended to require government to pay all reasonable costs incurred to meet the statute's requirements on an ongoing basis. A. Linkage of cost to compliance requirements in the first four years -- the FBI gets what it pays for and no more The bill authorizes, but does not appropriate, $500 million to be spent by the government in reimbursing telecommunications carriers for bringing their networks into compliance with the bill within the first four years of enactment. The FBI maintains that this is enough money to cover all reasonable expenses of retrofitting. The industry, however, has consistently maintained that the costs are five to ten times higher. Given the FBI's confidence in their cost estimate, we believe that telecommunications carriers should only be required to comply to the extent that they have been reimbursed. In his testimony before a joint hearing of the House Subcommittee on Civil and Constitutional Rights and the Senate Subcommittee on Technology and the Law on August 11, 1994, the FBI director stated that "I think it would be [...] extremely unlikely for a district court judge in the process which is contemplated by this legislation to force compliance or use of any sanctions when compliance is impossible because of the non-reimbursement which is the predicate in the legislation". Based on the Director's previous testimony and other discussions with the FBI, EFF believes that the bill should include a provision to directly link telecommunications carriers liability with government reimbursement for retrofitting. B. Government reimbursement for compliance costs after four years -- public accountability necessary The problem, Mr. Chairman, is that under the current bill, the government is not responsible for paying the cost of meeting the mandated capability requirements after four years, particularly with respect to new services. The FBI has repeatedly argued that the costs for incorporating surveillance capabilities in new services at the design stage will be de minimis, a contention which most industry representatives and EFF believe may not be correct. As this Subcommittee is aware, it is impossible to estimate compliance costs for technologies which are not even on the drawing boards. The way to resolve the issue is to have the government assume the risks. If costs for compliance after four years are truly de minimis, then the expenses born by the taxpayers will be minimal. If, however, costs are substantial, the government should pay. This will insure that the government, on a case-by-case basis and with an opportunity for public oversight, determines if compliance is significant enough to pay for out of taxpayers' funds. This will also ensure that the government sets law enforcement priorities. As I stated earlier, if the telecommunications industry is responsible for all future compliance costs, it may be forced to accept solutions which short-cut the privacy and security of telecommunications networks, or be forced to leave advanced features on the shelf, slowing technological innovation and the development of the NII. Linking compliance to government reimbursement in the out years also has the added benefit of providing public oversight and accountability for law enforcement surveillance capability. The drafters of this legislation have wisely included public oversight of government surveillance expenditures in the first four years. This same principal should be applied to out year compliance costs. C. Ensure the right to deploy untappable services The enforcement provisions of the bill suggest, but do not state explicitly, that services which are untappable may be deployed. Having worked for many years towards the goal of promoting the development of the NII, the members of this Subcommittee are clearly aware that its promise and potential rest on the deployment of advanced technologies and services. EFF remains deeply concerned that technological innovation and the deployment of advanced telecommunications services to the public may be stifled if telecommunications carriers are forced to incur huge costs for compliance, or if the Government is allowed to prohibit a new feature or service from being deployed. Although EFF believes that the bill intends to allow carriers to deploy untappable features or services, the bill must clearly state that if it is technically and economically unreasonable to make a service tappable, or if the government has failed to reimburse a carrier for compliance costs, then it may be deployed, without interference by a court. Making the government responsible for all reasonable costs of having new services comply with the legislation will go a long way to insuring that this legislation will not be a drag on innovation. D. Additional areas where strengthening is necessary In addition to our concerns about compliance costs, EFF believes that the bill requires strengthening in the following areas before final passage: 1. Strengthened public process In the first four years of the bill's implementation, most of the requests that law enforcement makes to carriers are required to be recorded in the public record. However, additional demands for compliance after that time are only required to be made by written notice to the carrier. To facilitate public scrutiny, the bill should require all compliance requirements, whether initial requests or subsequent modification, must be recorded in the Federal Register. 2. Clarify definition of call identifying information The definition of call identifying information in the bill is too broad. Whether intentionally or not, the term now covers network signaling information of networks which are beyond the scope of the bill. As drafted, the definition would appear to require telecommunications carriers to deliver not only the signaling information generated by their own services, but also the signaling information generated by information services and electronic communication services that travel over the facilities of the telecommunication carrier. In many cases this may be technically impractical. Moreover, it is contrary to the policy adopted by the bill to maintain a narrow scope. 3. Review of minimization requirements in view of commingled communications The bill implicitly contemplates that law enforcement, in some cases, will intercept large bundles of communications, some of which are from subscribers who are not subject of wiretap orders. For example, when tapping a single individual whose calls are handled by a PBX, law enforcement may sweep in calls of other individuals as well. Currently the Constitution and Title III requires "minimization" procedures in all wiretaps, to minimize the intrusion on the privacy of conversations not covered by a court's wiretap order. In the world of 1968, when the original Wiretap Act was passed, most subscribers telecommunications facilities carried single conversations on single lines. But today, many conversations are co-mingled on one broadband communications facility. In order to ensure that constitutionally-mandated minimization is maintained, the bill should recognize that stronger minimization procedures may be required. E. New privacy protections The Digital Telephony legislation before us includes significant recognition that new communication technologies, and new patterns of technology use, require new privacy protections. Thanks to the work of Senator Leahy and Representative Edwards and Senator Biden, the bill contains a number of significant privacy advances, including enhanced protection for the detailed transactional information records generated by online information services, email systems, and the Internet. These protections should remain in the legislation. 1. Expanded protection for transactional records sought by law enforcement Chief among these new protections is an enhanced protection for transactional records from indiscriminate law enforcement access. For purposes of maintenance and billing, most online communication and information systems create detailed records of users' communication activities as well as lists of the information that they have accessed. Provisions in the bill recognize that this transactional information created by new digital communications systems is extremely sensitive and deserves a high degree of protection from casual law enforcement access which is currently possible without any independent judicial supervision. EFF commends the authors of this legislation for recognizing that law enforcement access to transactional records in online communication systems (everything from the Internet to America OnLine to hobbyist BBSs) threatens privacy rights. Indiscriminate access to transactional records implicates privacy interests because: * the records are personally identifiable, * they reveal the content of people's communications, and, * the compilation of such records makes it easy for law enforcement to create a detailed picture of people's lives online. Based on this recognition, the draft bill contains the following provisions: * Court order required for access to transactional records instead of mere subpoena In order to gain access to transactional records, such as a list of to whom a subject sent email, which online discussion group one subscribes to, or which movies a subject requested on a pay-per view channel, law enforcement will have to prove to a court, by the showing of "specific and articulable facts" that the records requested are relevant to an ongoing criminal investigation. This means that the government may not request volumes of transactional records merely to see what it can find through traffic analysis. Rather, law enforcement will have to prove to a court that it has reason to believe that it will find specific information relevant to an ongoing criminal investigation in the records it requests. With these provisions, we have achieved for all online systems a significantly greater level of protection than exists today for records such as email logs, and greater protection than currently exists for telephone toll records. The lists of telephone calls that are kept by local and long distance phone companies are available to law enforcement without any judicial intervention at all. Law enforcement gains access to hundreds of thousands of such telephone records each year, without a warrant and without even notice to the citizens involved. Court order protection will make it much more difficult for law enforcement to go on "fishing expeditions" through online transactional records, hoping to find evidence of a crime by accident. We have also submitted a detailed memorandum on the importance of protection and would ask that this document be included in the record of these proceedings along with this testimony. * Standard of proof much greater than for telephone toll records, but below that for content The most important change that these new provisions offer is that law enforcement will: (a) have to convince a judge that there is reason to look at a particular set of records, and; (b) have to expend the time and energy necessary to have a United States Attorney or District Attorney actually present a case before a court. However, the burden of proof to be met by the government in such a proceeding is lower than required for access to the content of a communication. 2. New protection for location-specific information available in cellular, PCS and other advanced networks Much of the electronic surveillance conducted by law enforcement today involves gathering telephone dialing information through a device known as a pen register. Authority to attach pen registers is obtained merely by asserting that the information would be relevant to a criminal investigation. Under current law, courts must approve pen register requests without any substantive review of the basis for law enforcement's request. This legislation offers significant new limits on the use of pen register data. Under this bill, when law enforcement seeks pen register information from a telecommunications carrier, the carrier is forbidden to deliver to law enforcement any information which would disclose the location or movement of the calling or called party. Cellular phone networks, PCS systems, and so-called "follow-me" services all store location information in their networks. This new limitation is a major safeguard which will prevent law enforcement from casually using mobile and intelligent communications services as nation-wide tracking systems. 3. New limitations on "pen register" authority Contemporary uses of pen registers also involve substantial privacy invasion, even aside from location information. Currently, law enforcement is able to use pen registers to capture not only the telephone number dialed, but also any other touch-tone digits dialed which reflect the user's interaction with an automated information service on the other end of the line, such as an automatic banking system or a voice-mail password. If this bill is enacted, law enforcement would be required to use "technology reasonably available" to limit pen registers to the collection of calling number information only. We are aware that new pen register devices are now on the market which automatically screen out all dialed digits except for the actual telephone numbers. Just as this bill would require telecommunications carriers to deploy technology which facilitates taps, we believe that law enforcement should be required to deploy technology which shields users communications from unauthorized invasion. 4. Bill does not preclude use of encryption Unlike previous Digital Telephony proposals, this bill places no obligation on telecommunication carriers to decipher encrypted messages, unless the carrier actually holds the key to the message as well. 5. Automated remote monitoring precluded Law enforcement is specifically precluded from having automated, remote surveillance capability. Any court-ordered electronic surveillance must be initiated by an employee of the telecommunications carrier, upon request by law enforcement. Maintaining operational separation between law enforcement agents and communication networks is an important privacy safeguard. 6. Privacy considerations essential to development of new technology One of the requirements that telecommunications carriers must meet to be in compliance with the bill is that the wiretap access methods adopted must protect the privacy and security of each user's communication. If this requirement is not met, anyone may petition the FCC to have the wiretap access requirements modified so that network security is maintained. This requirement, just like those designed to serve law enforcement's needs, must be carefully implemented and monitored so that the technology used to conduct wiretaps cannot also jeopardize the security of the network as a whole. If network-wide security problems arise because of wiretapping standards, then the standards should be overturned. F. Improvements over previous Administration proposals In addition to the privacy protections added to this bill, we also note that the surveillance requirements are not as far-reaching as the original FBI version. A number of procedural safeguards are added which seek to minimize the threatens to privacy, security, and innovation. Though the underlying premise of the bill is still cause for concern, these new limitations deserve attention: 1. Narrow Scope The bill explicitly excludes Internet providers, email systems, BBSs, and other online services. Unlike the bills previously proposed by the FBI, this bill is limited to local and long distance telephone companies, cellular and PCS providers, and other common carriers. 2. Open process with public right of intervention The public will have access to information about the implementation of the bill, including open access to all standards adopted in compliance with the bill, the details of how much wiretap capacity the government demands, and a detailed accounting of all federal money paid to carriers for modifications to their networks. Privacy groups, industry interests, and anyone else has a statutory right under this bill to challenge implementation steps taken by law enforcement if they threaten privacy or impede technology advancement. 3. Technical requirements standards developed by industry instead of the Attorney General All surveillance requirements are to be implemented according to standards developed by industry groups. The government is specifically precluded from forcing any particular technical standard, and all requirements are qualified by notions of economic and technical reasonableness. 4. Right to deploy untappable services Unlike the original FBI proposal, this bill recognizes that there may be services which are untappable, even with Herculean effort to accommodate surveillance needs. We understand that the bill intends to allow untappable services to be deployed if redesign is not economically or technically feasible. These provisions, however, should be clarified. G. Conclusion In closing, I would like to thank Chairman Markey and members of the Subcommittee, as well as others who have worked so hard on this legislation. The Electronic Frontier Foundation looks forward to working with all of you as the bill moves through the legislative process.