ELECTRONIC FRONTIER FOUNDATION
                                                         
                                                        

EFF Analysis of SA 1562, Subtitle B

New Wiretap Bill Would Threaten Privacy and Free Expression (Sep. 19, 2001)

Part I: What Would SA 1562 Do?

A. Summary:

SA 1562 (S.AMDT.1562) is a Senate amendment to House-passed appropriations bill H.R. 2500, containing various anti-terrorism provisions - and other provisions that masquerade as anti-terrorism provisions but which are not. Among the goals of the legislation is increasing law enforcement wiretapping authority and scope. SA 1562 was introduced and passed the Senate on Sep. 13, 2001, and as of this writing is subject to a joint House/Senate conference committee, date to-be-determined.

Under current law, federal authorities already have very broad legal powers to conduct electronic surveillance. SA 1562 would unnecessarily expand government surveillance power in two areas: Title III wiretap or "interception" authority under 18 U.S.C. § 2510 et seq.; and authority to surveil via "pen register" and "trap and trace" (pen/trap) devices under 18 U.S.C. § 3121 et seq.

Wiretapping means the acquisition by device of the contents of a communication. Pen/trap devices are not wiretap devices; instead, they acquire the "numbers dialed or otherwise transmitted on the telephone line to which such device is attached." Pen devices capture the numbers dialed from a particular number, while trap devices capture the numbers dialed to a number.

1. Wiretapping

Wiretapping is stringently regulated by the Fourth Amendment. Berger v. New York, 388 U.S. 41, 63 (1967) ("Few threats to liberty exist which are greater than that posed by the use of eavesdropping devices."). Wiretapping also implicates important First Amendment values, especially in the national security context. United States v. U.S. District Court, 407 U.S. 297, 313-14 (1972) ("Though the investigative duty of the executive may be stronger in such cases, so also is there greater jeopardy to constitutionally protected speech. . . . Fourth Amendment protections become the more necessary when the targets of official surveillance may be those suspected of unorthodoxy in their political beliefs."). As the Supreme Court has observed, "Historically the struggle for freedom of speech and press in England was bound up with the issue of the scope of the search and seizure power." Marcus v. Search Warrant, 367 U.S. 717, 724 (1961).

Existing federal law is intended to meet these constitutional restrictions. One of the basic controls on wiretapping is that the government may only wiretap for certain crimes listed in the wiretap statute. SA 1562 adds two kinds of crimes to that list, those relating to terrorism and those relating to criminal violations of the main federal computer crime law.

Both expansions are unwarranted. First, virtually every terrorist act is already a federal felony on the list of crimes for which a wiretap order may be sought: all federal offenses involving murder, kidnaping, robbery, or extortion; espionage, sabotage, piracy, and treason; assassination and hostage-taking; destruction of trains, vessels, aircraft, and aircraft facilities; and offenses involving explosives, biological weapons, and nuclear materials. 18 U.S.C. § 2516(1).

Equally important, electronic communications are already less protected than ordinary telephone calls. For electronic communications, an interception order can be used to gather evidence "of any Federal felony." 18 U.S.C. § 2516(3). Terrorism-related felonies are already included.

Also, in terrorism cases, the government is likely to be able to invoke its secret surveillance powers under the Foreign Intelligence Surveillance Act of 1978 (FISA), 50 U.S.C. § 1801 et seq., which permits wiretapping of individuals if there is probable cause to believe that the target is a member of a foreign terrorist group or an agent of a foreign power. If the target is a U.S. citizen or permanent resident, there must also be probable cause to believe that he or she is engaged in activities that "may" involve a criminal violation.

Second, adding computer crime to this list goes well beyond the bill's ostensible focus on terrorism. The federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, generally prohibits access to an Internet-connected computer without or in excess of authorization to do so. Thus, it reaches much conduct unrelated to terrorism. E.g., America Online, Inc. v. LCGM, Inc., 46 F.Supp.2d 444, 450-51 (E.D.Va. 1998) (spam sent in violation of terms of service civilly violated 18 U.S.C. §§ 1030(a)(2)(C) and (a)(5)(C)); Register.com, Inc. v. Verio, Inc., (S.D.N.Y. Dec. 2000) (using a search bot to get information from a WHOIS database civilly violated 18 U.S.C. §§ 1030(a)(2)(C) and (a)(5)(C)); Shurgard Storage Centers v. Safeguard Self Storage, (W.D. Wa. Oct. 2000), (finding violations of 18 U.S.C. §§ 1030 (a)(2)(C), 1030(a)(4), and 1030(a)(5)(C) when employee planning to work for competitor used employer's computers to send e-mail containing employer's trade secrets).

2. Pen/trap devices

The current pen/trap law permits government to acquire "electronic or other impulses which identify the numbers dialed or otherwise transmitted on the telephone line to which such device is attached" and "incoming electronic or other impulses which identify the originating number of an instrument or device from which a wire or electronic communication was transmitted." 18 U.S.C. §§ 3127(3), (4).

Unlike wiretaps, the use of "pen register" and "trap and trace" devices is hardly regulated by federal law: while the government must apply to a court for a pen/trap order, there is no meaningful judicial review or oversight of either the application for or implementation of a pen/trap order.

Why are pen/trap devices so weakly regulated? The main reason is that pen/trap devices, as a historical matter, did not capture very much information. The Supreme Court has twice ruled on the legality of pen/trap devices, but both cases were decided more than 20 years ago. Back then, the Court described a pen register as a device that "records the numbers dialed on a telephone" on a paper tape, and that does not overhear communications or indicate that calls have been completed. Smith v. Maryland, 442 U.S. 735, 736 n.1 (1979).

The problem is that with modern telephony and even more so with Internet communications, there is no true equivalent to "numbers dialed on a telephone." This problem exists even under the current statute, under which courts have approved the use of pen/trap devices that capture far more information about a person's communications than did old-style pen/trap devices so long as they do not actually monitor the contents of the communications.

Our concern about SA 1562's amendment of pen/trap law revolves around the capacity of modern devices to capture far more information than ever contemplated by the Supreme Court in its previous pen/trap decisions. Carnivore is the most obvious example, but even the "call setup information" at issue in CALEA is problematic.

SA 1562 relaxes four "limits" on pen/trap orders. First, and most important, current pen/trap law is somewhat tied to telephony because it refers to "electronic or other impulses which identify the numbers dialed or otherwise transmitted on the telephone line to which such device is attached." Applying such language to packet-sniffers or Carnivore in pen mode is controversial: it's arguable that the current pen/trap statute simply doesn't apply in the Internet context because often no "telephone line" is involved or "attached."

SA 1562 would break the connection between pen/trap devices and telephony by referring instead to "dialing, routing, addressing, or signalling information." The problem is that these terms are not themselves defined, and create potential problems like those encountered in the CALEA debate. The most obvious examples are e-mail subject headers and URLs, both of which are highly revelatory of communications contents.

But as discussed below, there are less obvious problems as well involving the gap between the pen/trap device approved by the Supreme Court and modern pen/trap devices. In any case, the danger is that SA 1562 affirmatively authorizes the use of the very weak pen/trap regime to acquire information beyond that available with an ordinary pen/trap device.

Second, under current law, if the federal government seeks a pen/trap order, the applying official must be at least a Deputy Assistant Attorney General; under SA 1562, any United States Attorney may seek a pen/trap order.

Third, current law permits emergency use of pen/trap devices under only two circumstances, immediate danger of death or serious bodily injury to any person and conspiratorial activities characteristic of organized crime. SA 1562 adds three new emergency circumstances: immediate threat to U.S. national security interests; immediate threat to public health or safety; or an attack on the integrity or availability of a protected computer which attack would be an offense punishable under 18 U.S.C. § 1030(c)(2)(C).

Fourth, current law provides that a judge shall only authorize the installation and use of a pen/trap device "within the jurisdiction of the court." 18 U.S.C. § 3123(a). This is a geographical limit on the scope of a pen/trap order. SA 1562 removes this limit for all pen/trap applications by federal officials and expressly provides that pen/trap orders apply to any entity providing wire or electronic communication service in the United States whose assistance is required to effectuate the order. This means that a single application for a pen/trap order will reach nationwide and to any service provider of any kind, without even naming particular providers. A normal subpoena, even one with nationwide effect, is addressed to a specific custodian of the desired information. Fed. R. Crim. Proc. 17(c). Presumably, the government would obtain a blank order, which it could serve on multiple, unnamed service providers, with no limit as to time or how often the order could be used. Note that while it is arguable that relaxing geographic scope makes sense for computer communications, SA 1562 removes this geographic scope limit for wire communications as well.

Part II. Background

Federal law currently protects the privacy of wire and electronic communications under a two-tiered system. The actual contents of communications occupy the first tier. To collect contents, a "super-warrant" or interception order is required.

Non-content information occupies a much lower second tier, where the protections are weak, ambiguous and sometimes non-existent under current law. Non-content information encompasses all other information that can be learned about a communication, such as whether, when and where it occurred, to and from whom it was sent, and how long it lasted.

Importantly, while the Supreme Court held that the use of pen/trap devices to capture dialed telephone numbers did not implicate a Fourth Amendment privacy interest in 1976, the Court has not since ruled on the constitutionality of more advanced pen/trap devices that capture more information.

A. Wiretapping: legal background

Modern wiretapping law begins with Berger v. New York, 388 U.S. 41 (1967), where the Supreme Court found a state surveillance statute unconstitutional under the Fourth Amendment. Berger found that the statute was a "blanket grant" of permission to eavesdrop "without adequate supervision or protective procedures."

In Berger, the Court outlined seven constitutional requirements for court-ordered electronic surveillance: (1) a probable cause showing that a particular offense has been or is about to be committed; (2) the applicant must describe with particularity the conversations to be intercepted; (3) the surveillance must be for a specific and limited period of time in order to minimize the invasion of privacy (the N.Y. statute authorized two months' worth of surveillance at a time); (4) there must be continuing probable cause showings if the surveillance is to continue beyond the original termination date; (5) the surveillance must cease once the conversation sought is seized; (6) notice must be given unless there is an adequate showing of exigency; and (7) a return on the warrant is required so that the court may oversee and limit the use of the intercepted conversations.

Following Berger, wiretapping is governed by 18 U.S.C. § 2510 et seq., originally known as Title III of the Omnibus Crime Control and Safe Streets Act of 1968. Congress listed two reasons for passing Title III: to protect the privacy of wire and oral communications against the use and abuse of electronic surveillance, and to establish uniform national rules to govern surveillance practices. Today, the law regulates the "interception" of wire and electronic communications (also oral communications, but this isn't relevant here). But "interception" is defined as the acquisition by device of the content (substance, meaning, purport) of communications. 18 U.S.C. § 2510(8).

The privacy protections are significant. Agents seeking to intercept communications must obtain a court order. Unlike ordinary search warrants, which may be issued by a magistrate judge, interception orders must be issued by a district or circuit court judge. The reviewing judge may grant such an order only upon a finding that there is probable cause to believe that an individual has committed or will commit an enumerated crime, that communications concerning the crime will be obtained, and that either the targeted communications facilities will be used in connection with the crime, or that they are commonly used by the targeted individual. 18 U.S.C. § 2518(3). In addition, the judge must find that normal investigative procedures have not succeeded or appear unlikely to succeed or are too dangerous. Id. at § 2518(3)(c).

Only the Attorney General or the principal state prosecutor may authorize wiretap applications, and wiretapping is available only to investigate certain "serious" crimes. Applications must include a complete statement of the facts justifying the officers' belief that an order is warranted and other details of the investigation. An order must list the procedures it authorizes; must specify the identity of the target and the investigating agency, as well as the nature of the suspected offense and the communications targeted; and must set the duration of the authorization, which may not exceed 30 days. Orders must also require that interceptions be conducted so as to minimize the interception of communications that are not the target of the investigation. Judges may require periodic progress reports to help them determine if the interceptions should continue.

Additionally, Title III orders are geographically limited. See 18 U.S.C. § 2518(3) (judges may enter Title III order permitting interception of communications "within the territorial jurisdiction of the court in which the judge is sitting")

Finally, Title III has a significant compliance regime. For instance, targets of electronic surveillance must be given notice of the surveillance after the investigation has been completed. There are other compliance provisions I won't go into now.

B. Pen/trap devices: legal background

Pen/trap devices are treated entirely differently. Some rather convoluted background is essential to understanding where we are today and why.

We start with the pure telephony context. Pen registers record the numbers dialed by a particular telephone, while trap and trace devices record the telephone numbers of those who call a particular telephone. From the outset, Congress regarded pen/trap devices as not involving "interceptions" within the meaning of Title III. Explaining that the law protects the privacy of the communication itself, and not its means, the Senate Report accompanying Title III's passage said that the tracing of phone calls through use of a pen register device would not be regulated under Title III, even though "contents" at the time reached "any information concerning the identity of the parties to such communication or the existence, substance, purport, or meaning of the communication."

In 1968, a pen register was understood to be a mechanical device that could be attached to a given telephone line, usually at the central telephone offices. A pulsation of the dial on a line to which the pen register is attached recorded on a paper tape dashes equal to the number dialed. The paper tape then becomes a permanent and complete record of outgoing calls as well as the numbers called on the particular line. Immediately after the number is dialed and before the line called has had an opportunity to answer the pen register mechanically and automatically is disconnected, with neither recording nor monitoring of the conversation. See United States v. Dote, 371 F.2d 176 (7th Cir. 1966), cited in Title III Senate Report, S. Rep. No. 1097, 90th Cong., 2d Sess. 66 (1968), reprinted in 1968 U.S.C.C.A.N. 2112, 2178.

The Dote pen register did not disclose whether the call had been completed or how long it had lasted, the caller's physical location or electronic address, or the numbers dialed after the call had been completed. In Dote, the pen register was installed by the telephone company, and the record was created on paper.

The Supreme Court then found that Title III did not apply to pen registers (no Fourth Amendment analysis because probable cause was found to exist). United States v. New York Telephone Co., 434 U.S. 159 (1977). In New York Telephone, law enforcement agents asked the telephone company to transmit the pen register information over a leased line running from the terminal box to a remote monitoring point. The telephone company refused, and the Court upheld a court order mandating compliance. 434 U.S. at 161-163, 177-78. The Court emphasized that pen registers disclosed neither the purport of the communication, the identities of the parties communicating, nor whether the communication was even completed. 434 U.S. at 166-68.

In its only other pen-register case, the Court described a pen register by incorporating definitions found in prior cases and by repeating the description in New York Telephone of the pen register's limited capabilities. Smith v. Maryland, 442 U.S. 735, 736 n.1, 741-42 (1979). The pen register in Smith was installed by the telephone company at its central offices. Id. at 741.

The Court found that pen registers did not even implicate the Fourth Amendment, because no constitutional privacy interest attached to the numbers dialed on a telephone, which was the only information obtained from the installation of the pen register on the defendant's telephone line. The Court held that Smith had assumed the risk that the telephone company would reveal the numbers he had dialed: people entertain no actual expectation of privacy in those numbers because they must convey them to the telephone company, and subscribers know that telephone companies can record dialed numbers because they see their toll call numbers listed on their phone bills and because telephone books tell them that the phone company can trace calls to protect them from harassment. 442 U.S. at 742-43.

Smith left non-content communications privacy in a shambles. On the one hand, the Smith Court emphasized the extremely limited scope of the information disclosed by pen register investigations, echoing its discussion in New York Telephone. 442 U.S. at 741 (noting that the device had recorded neither the purport of Smith's communications, nor the identity of the parties, nor even whether calls were completed); (. But the "assumption of risk" analysis invited lower courts to reject constitutional protection for any aspect of a communication that could be captured as long as it did not constitute the contents of a telephone conversation.

In 1986, Congress enacted the pen/trap statute. In so doing, it approved devices that could capture information beyond that approved by the Supreme

Court in both New York Telephone and Smith. Congress omitted the Supreme Court's reference to the "mechanical" nature of the pen register device, and it did not limit the pen register to something that acquired information about a telephone, although it did specify that a telephone line would be involved. The legislative history described pen registers as "devices that record the telephone numbers to which calls have been placed from a particular telephone." ECPA Senate Report, S. Rep. No. 541, 99th Cong., 2d Sess. 14 (1986), at 10, reprinted in 1986 U.S.C.C.A.N. 3555, 3564.

For instance, 18 U.S.C. § 3127 does not exclude information that could determine whether the call has been completed, even though in neither of the Supreme Court's pen-register cases was such information available.

As a result, courts have expanded the definition of a pen register from the device considered in Smith. Courts treat as pen registers devices that record the time, date and duration of both incoming and outgoing calls, devices that record, on tape rather than paper, not only the telephone numbers of the calls placed on a telephone, but other digits dialed, such as personal ID numbers and numbers used in maneuvering through voice-mail systems, and even devices that can record the contents of conversations, as long as that capacity is not used. But see Brown v. Waddell, 50 F.3d 285, 287-288, 294 (4th Cir. 1995) (finding that, in capturing and displaying up to 25 digits, digital display pager clones, including paging transmission units, may divulge coded messages that constitute content, such as a code for "en route") People v. Bialostok, 610 N.E.2d 374 (N.Y. 1993) (holding that a device's capacity to record communication contents disqualifies it as a pen register under New York law); United States v. David, 940 F.2d 722, 727-29 (1st Cir.) (evaluating use of beeper clone under Title III intercept provisions rather than ECPA pen register provisions), cert. denied, 504 U.S. 955 (1992).

The expansion of pen/trap devices is important first because the pen/trap statute hardly constrains law enforcement at all. Law enforcement agents must get a court order before using the devices, but courts "shall" grant ex parte orders whenever the applicant has certified that the information likely to be obtained is relevant to an ongoing criminal investigation. 18 U.S.C. § 3123(a). See, e.g., United States v. Hallmark, 911 F.2d 399, 402 (10th Cir. 1990) (describing the judicial review provision as "intended merely to safeguard against purely random use" of pen registers). Unlike the wiretap statute, which has a statutory exclusionary rule, the pen/trap law has no such provision, and the Fourth Amendment's exclusionary rule does not apply. There is no notice provision. There is no provision for judicial supervision of the conduct of pen/trap devices. There is no minimization rule; § 3121(c) only requires the government to use technology reasonably available to it that restricts the recording or decoding of electronic or other impulses to the dialing and signaling information used in call processing.

Second, the expansion is important because new surveillance techniques blur the line between contents and non-contents.

Courts have found that some new surveillance techniques are completely unregulated and can be conducted without satisfying any procedural safeguards. A California district court granted an application for a cellular telephone digital analyzer that could detect the target cellular phone's electronic serial number, its telephone number and the telephone numbers it called. The court, having refused to consider the device a pen register since it did not attach to a telephone line, found that no court order of any kind was required to use the device. Order Re Use of Digital

Analyzer, 885 F. Supp.197, 199 (C.D. Cal. 1995). The government had applied for a pen register order "'out of an abundance of caution,' " and the court evaluated the court order granted according to the requirements set out in the pen register provision of the ECPA. See id. at 200-02. The device also had the capability to intercept the contents of cellular telephone conversations.

In sum, the ECPA's vague definition of a pen register, in combination with innovations in communications technologies and judicial permissiveness, allows law enforcement agents to acquire much communication attribute information by satisfying, at most, the minimal pen register procedures.

Part III. Detailed analysis of SA 1562

A. How SA 1562 expands wiretap power

The only changes to wiretap law contemplated by SA 1562 pertain to the crimes for which a wiretap order may be sought. These changes are, however, either unnecessary or overreaching.

1. SA 1562 would unnecessarily include federal crimes relating to terrorism.

SA 1562 provides:

SEC. 833. AUTHORITY TO INTERCEPT WIRE, ORAL, AND ELECTRONIC COMMUNICATIONS RELATING TO TERRORISM OFFENSES.

Section 2516(1) of title 18, United States Code, is amended--

(1) by redesignating paragraph (p), as so redesignated by section 434(2) of the Antiterrorism and Effective Death Penalty Act of 1996 (Public Law 104-132; 110 Stat. 1274), as paragraph (r); and

(2) by inserting after paragraph (p) as so redesignated by section 201(3) of the Illegal Immigration Reform and Immigrant Responsibility Act of 1996 (division C of Public Law 104-208; 110 Stat. 3009-565), the following new paragraph:

``(q) any criminal violation of sections 2332, 2332a, 2332b, 2332d, 2339A, or 2339B of this title (relating to terrorism); or''.

In plain English, SA 1562 says that the government may apply for a wiretap order in order to investigate the crimes listed in 18 U.S.C. §§ 2332, 2332a, 2332b, 2332d, 2339A, and 2339B, which relate to terrorism.

While there is no doubt that these crimes are serious, the government does not need additional authority to investigate terrorism. First, the current list of federal offenses that may support a wiretap order already includes virtually every felony that might be committed by terrorists, including but not limited to:

  • sabotage of nuclear facilities or fuel
  • espionage
  • sabotage
  • malicious mischief
  • destruction of vessels
  • unlawful use of explosives
  • presidential and presidential staff assassination, kidnapping, and assault
  • interference with commerce by threats or violence
  • use of interstate commerce facilities in the commission of murder for hire
  • hostage taking
  • threatening or retaliating against a Federal official
  • destruction of aircraft or aircraft facilties
  • destruction of motor vehicles or motor vehicle facilities
  • biological weapons
  • wrecking trains
  • false identification information
  • forgery or false use of passports
  • fraud or misuse of visas
  • destruction of natural gas pipelines
  • aircraft piracy
  • violation of the Arms Export Control Act
  • fleeing prosecution for an offense listed in this section
  • felony firearms violations
  • any conspiracy to commit any offense listed in this section.

Also, the current federal anti-terrorism statutes present serious First Amendment issues. For instance, 18 U.S.C. § 2339A, which criminalizes the provision of material support to terrorists, originally provided that:

An investigation may not be initiated or continued under this section based on activities protected by the First Amendment to the Constitution, including expressions of support or the provision of financial support for the nonviolent political, religious, philosophical, or ideological goals or beliefs of any person or group.

So written, the statute drew careful lines between prescribable support for terrorism on the one hand and protected support for political advocacy on the other. This provision has been removed, however.

Moreover, the Foreign Intelligence Surveillance Act of 1978 (FISA), 50 U.S.C. § § 1801-1811, 1821-1829, 1841-1846, permits secret electronic surveillance orders, including interception orders, for foreign intelligence information (FII). FISA is very broad and would certainly extend to many terrorist acts. FII includes information that relates to (or in the case of a U.S. person, is necessary to) the United States' ability to protect against an "actual or potential attack or other grave hostile acts of a foreign power or . . . agent"; "sabotage or international terrorism . . ."; or "clandestine intelligence activities" by a foreign network or agent. 50 U.S.C. § 1801(e)(1)(A)-(C). FISA warrants are wholly cloaked in secrecy and through 1997 the FISA Court has granted more than 10,201 warrants and denied none.

Indeed, news reports have said that government agents presented ISPs with FISA warrants after the attack on Tuesday, showing that the government already has authority to investigate terrorist activity under existing law.

One important difference between FISA and Title III, however, is that Title III authorizes "roving wiretaps." 18 U.S.C. § 2518(11)(b). FISA does not. A roving wiretap allows law enforcement to place a wiretap on any telephone line from any location that an individual uses. A conventional wiretap, may be placed only on a specifically designated telephone line at a specific location identified in the wiretap application and allows interception of that location's telephone conversations. Thus, if a target switches telephones, the investigators must reapply for a wiretap order for the other phone location. Roving wiretaps, on the other hand, allow investigators to tap any phone that the suspect may use, without having to seek permission for each change of telephone. Furthermore, an application for a conventional wiretap must identify the location of the facilities to be wiretapped, whereas an application for a roving wiretap need not.

Roving wiretaps have always been controversial as well as constitutionally problematic. The authority to perform roving wiretaps under Title III was granted in 1986, and then expanded in 1998.

Furthermore, this list of offenses only limits the government for telephone wiretaps. Any federal felony can be a predicate offense for interception of electronic communications. 18 U.S.C. § 2516(3) (electronic communications interception order may be authorized "when such interception may provide or has provided evidence of any Federal felony").

The expansion to violations of 18 U.S.C. § 1030, the Computer Fraud and Abuse Act (CFAA) is also easily criticized. Originally, CFAA was limited to federal government computers and certain records on bank computers. By 1996, CFAA had been amended to reach all computers involved in interstate and foreign commerce or communication, whether or not any federal government proprietary interest was involved. In general, if accessing a protected computer "without authorization" or "in excess of authorization" results in the person's obtaining information from the protected computer, and the conduct involves interstate or foreign communication, then a violation of the Act is established.

Individuals who intentionally break into, or abuse their authority to use, a computer and thereby obtain information of minimal value of $ 5,000 or less, would be subject to a misdemeanor penalty. The crime becomes a felony if the offense was committed for purposes of commercial advantage or private financial gain, for the purposes of committing any criminal or tortious act in violation of the laws of the United States or of any State, or if the value of the information obtained exceeds $ 5,000.

This damage requirement is easy to meet. Under § 1030(e)(8), damage means "any impairment to the integrity or availability of data, a program, a system, or information that (A) causes loss aggregating at least $5000 in value during any 1-year period to one or more individuals."

Three cases illustrate the scope of CFAA today. In America Online, Inc. v. LCGM, Inc., 46 F.Supp.2d 444, 450-51 (E.D.Va. 1998), a court held that spamming civilly violated 18 U.S.C. § 1030(a)(2)(C) because the spammers used their AOL membership to harvest other AOL members' e-mail addresses in violation of AOL's terms of service, thus exceeding their authorization. The spammers also violated 18 U.S.C. § 1030 (a)(5)(C) because AOL suffered damage of more than $5000 in dealing with the spam and in lost goodwill, revenue, and customers.

In Shurgard Storage Centers v. Safeguard Self Storage, (W.D. Wa. Oct. 2000), the court found on a motion to dismiss that e-mails containing trade secrets sent by a former employee while he was still a Shurgard employee constituted violations of CFAA. In effect, the court found that an employee's using his employer's computer system in a disloyal way could violate CFAA.

The key issue in Shurgard was the CFAA requirement that a person access a protected computer in excess of "authorized access." One might think that while an employee, the person was authorized to send e-mails. But the court accepted Shurgard's agency-law argument that a disloyal employee who acts surreptitiously while on the employer's premises, intending to join a competitor and to use the employer's secret information for the competitor's benefit, effectively terminates any prior authorization. The court essentially found an implicit revocation of authority such that "the authority of the plaintiff's former employees ended when they allegedly became agents of the defendant." The court then found that Shurgard had stated claims for civil violations of 18 U.S.C. §§ 1030 (a)(2)(C), 1030(a)(4), and 1030(a)(5)(C).

In Register.com, Inc. v. Verio, Inc., (S.D.N.Y. December 12, 2000), the court issued a preliminary injunction enjoining Verio, Inc. from either using a search robot to get information from Register.com's Whois database, or using information derived from that database for mass unsolicited advertising by telephone, direct mail or electronic mail. The court held that Verio's actions would likely violate CFAA, 18 U.S.C. §§ 1030(a)(2)(c) and (a)(5)(c). The court noted that "[i]f the strain on Register.com's resources generated by robotic searches becomes large enough, it could cause Register.com's computer systems to malfunction or crash. Such a crash would satisfy § 1030(a)(5)(C)'s threshold requirement that a plaintiff demonstrate $5000 in economic damages."

2. SA 1562 and pen/trap authority

Because the pen/trap statute provides so little in the way of procedural protections, the expansion of pen/trap authority is very important. As described above, even existing pen/trap law goes well beyond the bounds set by the Supreme Court. But SA 1562 goes even further.

a. How pen/trap devices are now defined under 18 U.S.C. § 3127

(3) the term "pen register" means a device which records or decodes electronic or other impulses which identify the numbers dialed or otherwise transmitted on the telephone line to which such device is attached" [there are exceptions that we won't go into - ed.]

(4) the term "trap and trace device" means a device which captures the incoming electronic or other impulses which identify the originating number of an instrument or device from which a wire or electronic communication was transmitted.

b. How SA 1562 defines them

(3) the term "pen register" means a device or process which records or decodes dialing, routing, addressing, or signalling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted. [roughly the same exceptions - ed.]

This language departs greatly from the Supreme Court's prior understanding of pen registers, and weakens the current sense of the statute, which is limited mainly to information identifying the destination of a communication. The phrase "dialing, routing, addressing or signalling information" is very broad and in the Internet context easily includes information that conveys the substance, purport and meaning of the communication.

(4) the term "trap and trace device" means a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signalling information relevant to identifying the source of a wire or electronic communication.

The same criticism applies, except that the touchstone is information identifying the origin of a communication. The proposed language by its terms goes beyond origin information by reaching "information relevant to identifying the source of a wire or electronic communication."

c. In the Internet context, addressing information reveals far more about the contents of a person's communications as well as his or her First Amendment activities.

This is not just about expanding pen/trap authority from phone to Internet communications. It also expands the scope and quantity of information collected. In the context of telephones, the information obtained is only the phone number, not the content of the phone call. In Internet communications, a significant amount of substantive content is included within "routing, addressing, and signalling" information. Simply put, transactional or addressing data of electronic communications like e-mail and Web browsing can be much more revealing than telephone numbers dialed.

One obvious example is subject lines in e-mail headers, which even the Justice Department at present agrees constitutes communications "contents" outside the scope of a pen/trap order. By not defining "dialing, routing, addressing, and signalling information," SA 1562 leaves open the argument that Congress has decided that subject lines are not contents under Title III.

More generally, e-mail addresses are more personally revealing than phone numbers because email addresses are unique to individual users. So while a pen register on a phone line only shows the general number called, a pen register served on an ISP will likely identify the specific recipient of each message. Even in a household, each person online may have a separate email, and may have different email addresses for different purposes, making it more likely that the government can determine precisely who is contacting whom.

Another example is Web browsing. Under SA 1562, URLs or ftp addresses clearly qualify as "addressing information." But URLs are in no way analogous to telephone numbers in terms of the content/non-content distinction. Indeed, it is possible that the search terms one enters for a search engine might be treated as "addressing information." Such information reveals far more about what one is reading or studying than do the telephone numbers one dials or is dialed by.

It is therefore necessary for any expansion of pen/trap authority to the Internet to define as clearly as possible precisely what information Congress intends for law enforcement officials to obtain with that authority.

d. Jurisdictional expansion of the pen/trap statute

18 USC § 3123(a) currently states that a judge shall authorize the installation and use of a pen register or trap and trace device "within the jurisdiction of the court." This limits the geographic scope of a pen/trap order.

SA 1562 would remove this limit for federal pen/trap orders. At the very least, if federal pen/trap orders may have nationwide effect, that authority should not automatically attach. The applicant should at least be required to explain to the judge's satisfaction why authority is sought to conduct the investigation across jurisdictional lines: Section 3122(b) should be amended to require in the application, if an order with nationwide effect is sought, a full and complete statement as to the grounds for believing that some of the communications to be identified originate or will terminate outside the jurisdiction of the issuing court or are passing through multiple service providers and that the cooperation of multiple service providers or service providers in other jurisdictions will be necessary to identify their origin or destination. Also, 3123 should be amended to require the judge to specify to whom the subpoena is directed by name, as well as the geographic extent of the order and the time within which it is effective. Such limiting language on geographic extent already appears in the statute. 18 U.S.C. §3123(b)(1)(C).

e. Heightening the standards for pen/trap orders

Any expansion of pen/trap authority to Internet communication should be accompanied by heightened standards. Under current law, the judge has an essentially ministerial role in issuing pen/trap orders. The judge receives no explanation of the reason for the application and cannot question the government's claim that the information sought is relevant to a criminal investigation.

At the very least, the pen/trap statute should be amended to require the government's application to include a specific description of the ongoing investigation and how the information sought would be relevant and material to such investigation, and section 3123(a) should be amended to state that an order may issue only if the court finds, based on a showing by the government of specific and articulable facts, that the information likely to be obtained by such installation and use is relevant and material to an ongoing criminal investigation.

Lee Tien
Senior Staff Attorney
Electronic Frontier Foundation



Please send any questions or comments to webmaster@eff.org.