Subject: Letter of DPSWG's Berman and Plesser to FBI Dir. Freeh --------------------------------------------------------------- March 11, 1994 By Hand Delivery Mr. Louis Freeh Director Federal Bureau of Investigation Washington, D.C. Dear Director Freeh: This letter is a follow-up to our letter of March 9, 1994 to President Clinton and Vice President Gore (a copy is attached). While we do not believe that new legislation is needed to accomplish the FBI's goals, we take this opportunity to more specifically raise some of the questions that should be answered in pursuing any digital telephony legislation. The draft that the White House has given us for comment is overly broad, and it is our hope that this letter will assist in narrowing the scope of any legislation. While we have additional, important questions and concerns, this letter sets forth our primary concerns. (1) Should digital telephony legislation reach "call setup information" independently of a "Title III" search warrant? The New York Times of February 28, 1994 quotes you as stating, "My real objective is to get access to the content of telephone calls." The bill should therefore be limited to content of communications and incidental call setup or transactional data. Legislation should apply to "call setup information" only when that information is incident to a warrant issued for wire, oral, or electronic communications as set forth in 18 U.S.C. ¤ 2518. Extending the legislation's scope beyond the acquisition of content (pursuant to a warrant under section 2518) to the independent acquisition of call setup information raises many issues that require examination. For example, currently the legal standard for obtaining transactional data is a certification (via subpoena or statement to a judge) that the sought-after data is relevant to an ongoing criminal investigation. In the era of personal communications services ("PCS") and of the information highway, transactional data will reveal far more about individuals than it has in the past. In fact, in some cases it may be equivalent to content information. This transactional data certainly could make it possible to build a detailed model of an individual's behavior and movements. The net result could be government dictating to industry that it create a surveillance-based system that will allow federal, state, and local government to use a service provider's electronic communication facilities to conduct minute-by-minute surveillance of individuals. As long as they have an IRS or other administrative subpoena or a law enforcement agent willing to certify that the sought-after data is relevant to an ongoing criminal investigation, law enforcement officials could demand that they be notified at some remote location every time certain individuals communicate by telephone, and their location at the time, as well as every database they connect to and when they log on and off. In short, law enforcement officials could insist on instantaneously knowing the existence of every single electronic communication (but not its content). The enormous potential for abuse and threat to personal privacy suggests that, if transactional data were to be covered by digital telephony legislation, it should be incidental to a "Title III" wiretap warrant. This would not limit in any way law enforcement's access to trap and trace, pen register, or call billing information under current law or practice. This is particularly true given that there has been no case made that demonstrates any current or potential difficulty in getting this non-content information under current practices. The technology in fact has made these type of services much easier for law enforcement to use and access. Additional legislation is simply not necessary to obtain this data. (2) What is covered? The obligation to isolate the content of communications must be reasonably related to the service provider's telecommunications services. It would be unreasonable for the FBI to demand any person involved with the communication to furnish it with access to that communication. For example, most providers, including local telephone companies, usually need to isolate communications for purposes of billing and maintenance. It is appropriate for the FBI to seek their assistance in intercepting communications on their networks only when the requests are reasonably related to the telecommunications services they provide. Therefore, the question is not necessarily who is covered, but what telecommunications services are covered. For example, the legislation should reflect the fact that, in reselling services, even local telephone companies sometimes are unable in those instances to furnish call setup information regardless of whether it is incident to the acquisition of a communication's content. (3) What will be the requirements placed upon service providers and what will be the standard of compliance that will be applied? Legislation should carefully define the obligations of service providers. This is not the case with the FBI's current draft of proposed legislation. These obligations are vague and subject to considerable interpretation. Service providers and manufactures must have flexibility to adopt procedures that reasonably comply with the specific functional performance requirements of law enforcement. This is particularly true where, as here, compliance requires an assessment of future needs and interoperability requirements. There is a difference between compliance and a guarantee, and legislation must reflect that difference. Carriers should be required to provide reasonable cooperation and that cooperation should be measured by a standard of reasonable compliance. In installing new software or equipment under this statute, a service provider must be able to reasonably assess future demands by law enforcement. Other industries subject to regulation at least know, for example, the temperature at which they must maintain the specimens, the emission standard they must satisfy, or the type of safety restraint equipment they must install and the date by which they must have it installed in vehicles. Service providers cannot be held to an absolute standard of compliance where they are using and delivering new technologies to the public and the demands of law enforcement are not clearly specified. This applies to both capability and capacity. Law enforcement must be specific in its requirements for capacity and capability from each service provider. (4) What is expected of commercial mobile service providers? It is not a foregone conclusion that mobility in a digitized telecommunications environment will degrade or otherwise impede the law enforcement community's ability to effectively execute court- approved wiretap orders. Wireless carriers are committed to assisting law enforcement agencies to successfully wiretap and intercept voice communications. To accomplish this goal, the wireless industry understands that available excess port capacity is needed in all switches throughout the nation. While it may be reasonable for federal and state law enforcement agencies to acquire the contents of wireless communications pursuant to "Title III" warrants through additional port capacity, it would be prohibitively expensive to require that every one of the nation's switches be connected to the FBI to enable it to acquire such information on a "real time" basis at remote locations. Connecting every one of the nation's switches to the FBI, moreover, would increase exponentially the risk of unauthorized access to wireless communications. Further, the proliferation of fraudulent use of wireless telephones through such techniques as "cloning" and "tumbling" ESNs (electronic serial numbers) poses additional questions with respect to privacy and the ability of law enforcement to properly execute court- approved wiretap orders. (5) What are the responsibilities of manufacturers and suppliers, if any? The FBI wishes manufacturers of telecommunications equipment and providers of support services to fall within the scope of the legislation. But, would service providers be held liable for software or hardware that is not available from vendors? Why? How would the obligations be enforced against foreign manufacturers? What would be the liability of a domestic carrier that relies upon foreign manufacturers? What are the trade implications of having domestic manufacturers export equipment designed for governmental surveillance? (6) How, and during what period, are costs to be recovered to ensure that there is a direct relationship between the costs reasonably incurred by covered entities and the government's requirements? Government should pay for what it needs, which will help focus attention upon the facilities that truly need upgrading. If the government does not pay for upgrades or facilities, then the service providers should not be held responsible. The FBI appears to have accepted the concept that government should pay for the costs of compliance but has so far underestimated these costs and proposed an arbitrary three-year limit on cost reimbursement. Government compensation should be ongoing with industry's compliance. * * * We trust you find our comments helpful. We remain prepared to work with you, Congress, and others to attempt to resolve the legitimate concerns of law enforcement. Sincerely yours, [signed] Jerry Berman (202) 347-5400 [signed] Ronald Plesser (202) 861-3969 Enclosure cc: John Podesta, Office of the President Michael Nelson, Office of Science & Technology Policy Senator Joseph Biden Senator Ernest Hollings Senator Patrick Leahy Representative Jack Brooks Representative John Dingell Representative Don Edwards Representative Edward Markey