September 6, 2000

Mr. Chairman, and Members of the Subcommittee. Thank you for inviting me to testify on these significant legislative proposals. The views I express today are mine alone; I am not testifying on behalf of any client. ⁽¹⁾/ My testimony will focus principally on H.R. 5018, the Electronic Communications Privacy Act of 2000 and H.R. 4987, the Digital Privacy Act of 2000.

This hearing, and the legislative proposals that prompted it, come at an opportune time because the amount of electronic surveillance conducted on U.S. citizens is increasing steadily. The 1999 Wiretap Report, issued annually by the Administrative Office of the U.S. Courts, reported last May that the number of federal intercept applications increased 94 percent between 1989 and 1999. ⁽²⁾/ In 1999, there were 601 federal intercept orders issued, and 749 orders at the state and local level. ⁽³⁾/ Not only is the number of surveillance orders increasing, the type of surveillance being authorized is changing as well. Prior to 1998, the most common method of surveillance was the telephone wiretap. Now, however, the most common form of surveillance is the electronic wiretap, which includes eavesdropping on devices such as digital display pagers, voice pagers, cellular phones and email. ⁽⁴⁾/ Most notably, this type of electronic surveillance showed the largest rise among the reported categories, with a 17 percent increase from 1998 to 1999. Such trends tend to heighten concerns about the development of new sophisticated forms of surveillance, such as Carnivore, which this Subcommittee already has begun to investigate.

The growth of electronic surveillance of newer technologies such as email is particularly significant as people increasingly lead much of their lives online. Accordingly, the privacy issues facing us now are of a far different magnitude than when Congress first adopted the Omnibus Crime Control and Safe Streets Act in 1968 or when it updated the law in 1986 to include electronic communications through passage of the Electronic Communications Privacy Act ("ECPA"). A growing number of U.S. citizens send (and store) sensitive personal and business correspondence, consult confidential databases relating to personal finances or health, shop, read and/or buy magazines and books, browse websites for information and entertainment, and a host of other uses too numerous to list. The Internet revolution has altered the calculus for what may be considered a reasonable expectation of privacy.

This is particularly true for the type of surveillance conducted by pen registers and trap and trace devices, generally considered to be the least intrusive form of eavesdropping. Such devices historically could obtain only the phone numbers dialed on a target's telephone and the phone numbers of incoming callers, and consequently were subject to the least rigorous legal proscriptions. The Supreme Court previously found that individuals do not have a reasonable expectation of privacy in the information that could be gathered by such means, noting that "pen registers do not acquire the contents of communications." Smith v. Maryland, 442 U.S. 735, 742 (1979). The Court emphasized that "[n]either the purport of any communication between the caller and the recipient of the call, their identities, nor whether the call was even completed is disclosed by pen registers." United States v. New York Tel. Co., 434 U.S. 159, 167 (1977). Federal law has imposed some procedural protections in this area, but they are minimal. The law provides that a court "shall enter an ex parte order authorizing the installation and use of a pen register or trap and trace device" where a law enforcement officer certifies that the "information likely to be obtained is relevant to an ongoing criminal investigation." ⁽⁵⁾/

The debates over Carnivore and Internet surveillance generally have focused attention on the question of what privacy expectations should be considered "reasonable" and provided greater legal protection. A recent decision by the United States Court of Appeals for the District of Columbia Circuit highlights this issue. In United States Telecom Ass'n. v. FCC, 2000 WL 1059852 (Aug. 15, 2000), the D.C. Circuit vacated portions of an FCC order that required telecommunications providers to implement certain advanced surveillance capabilities pursuant to the Communications Assistance for Law Enforcement Act of 1994 ("CALEA"). The court held that the FCC had given insufficient weight to CALEA's requirement that, in requiring carriers to provide all "dialed digits" in response to a pen register order, the Commission "protect the privacy and security of communications not authorized to be intercepted." ⁽⁶⁾/ The court noted that:

Post-cut-through dialed digits can also represent call content. For example, subjects calling automated banking services enter account numbers. When calling voicemail systems, they enter passwords. When calling pagers, they dial digits that convey actual messages. And when calling pharmacies to renew prescriptions, they enter prescription numbers.

Id. at *12.

Similar privacy concerns apply to electronic surveillance of Internet communications. Any analogy between Internet surveillance and traditional pen registers or trap and trace devices is strained at best, given the vast amounts of personal data that may be available on the Internet. The Supreme Court's understanding over two decades ago that a pen register cannot obtain either the identities of those engaged in communication or whether a "call" was "completed" is outmoded in an age of email where email addresses often contain the names of the parties and where there is no question about whether the message was delivered to the recipient's mailbox. Additionally, where technologies such as Carnivore can obtain (in its pen register mode) the numbers associated with FTP logins, the information collected implicates some of the privacy concerns that troubled the court in U.S. Telecom Ass'n. ⁽⁷⁾/ Even more significantly, electronic surveillance on packet-switched networks, such as the Internet, is potentially far more intrusive than that conducted on circuit switched networks, such as the traditional telephone system.  Because of these differences, it is appropriate to recognize a reasonable expectation of privacy in such information and to establish a higher evidentiary threshold to obtain a surveillance order than currently exists.

In this regard, H.R. 5018 and H.R. 4987 represent a step in the right direction. Accountability regarding the use of electronic surveillance has been a critical part of the current law, and the annual wiretap reports mentioned earlier play an important role in monitoring its use. However, there have been gaps in the reporting requirements that both bills address. Section 3 of H.R. 5018 and Section 2 of H.R. 4987 would require inclusion in the annual wiretap reports of data regarding government acquisition of stored data, such as email. Without such a requirement it is virtually impossible to obtain a comprehensive picture of the current extent of electronic surveillance. Moreover, since government increasingly is seeking to obtain information regarding email it is only appropriate to expand the reporting requirements accordingly.

The Subcommittee might also consider expanding the reporting requirements regarding the use of pen registers and trap and trace devices. Although the Attorney General is required pursuant to 18 U.S.C. § 3126 to report annually to Congress on the raw number of pen register and trap and trace devices applied for by DOJ, the reports include none of the details that must be included in the annual wiretap report, nor is the report to Congress included in the wiretap report. In addition, where new, sophisticated technologies, such as Carnivore, are used to implement pen registers, that fact should be reported and highlighted in the annual report. Such information is important to ensure accountability, since Carnivore can be modified while it is in use to intercept far more information than could ever be authorized by a pen register order. Another possible requirement would be to notify the target of the investigation after the order has expired and before any information may be used at trial, as currently required under 18 U.S.C. §  2518(9) for Title III interceptions.

H.R. 5018 and H.R. 4987 also would create a stricter standard for the issuance of orders authorizing the use of pen registers and trap and trace devices. In contrast to the current certification of "relevance" to an ongoing criminal investigation, Section 4 of H.R. 5018 and Section 4 of H.R. 4987 would require a showing of factual evidence before an order may be issued. In this regard, I think the proposed language of H.R. 5018 is superior because it requires a showing of "specific and articulable facts [that] reasonably indicate that a crime has been, is being, or will be committed, and information likely to be obtained by such installation and use is relevant to an investigation of that crime." This evidentiary requirement tracks the current standard for a court order authorizing the acquisition of stored electronic data under 18 U.S.C. § 2703(d).

Other provisions of H.R. 4987, which are not contained in H.R. 5018, would enhance privacy protections and I think are worthy of serious consideration. Section 5 of H.R. 4987 would expand from 6 months to one year the period that stored data would be considered in short term storage. This would mean that requests to acquire the contents of such data would be required to be supported by a warrant rather than a court order. In addition, Section 6 of H.R. 4987 would require a court order in order to obtain the physical location of a telecommunication subscriber. Such court order would be issued only upon a showing of probable cause to believe that the equipment has been or will be used to commit a felony.

The history of electronic surveillance law in the United States has involved a continuing effort to reconcile the needs of law enforcement with the Fourth Amendment imperative of protecting individual privacy. In my opinion, the proposals contained in H.R. 5018 and H.R. 4987 would help restore the balance between legitimate law enforcement interests and the need to protect the privacy of U.S. citizens.

1. ¹/ In addition, pursuant to the disclosure requirements of House Rule XI, clause 2(g)(4), I note that I have received no federal grants, contracts or subcontracts during the current or preceding two fiscal years relating to the subject of my testimony.

2. ²/ Administrative Office of the U.S. Courts, 1999 Wiretap Report at 5 (May 2000). The Report is required to be compiled annually pursuant to 18 U.S.C. § 2519.

3. ³/ Id. at Table 7.

4. ⁴/ Id. at 10.

5. ⁵/ 18 U.S.C. § 3123(a). By contrast, an order to intercept the content of electronic communications requires a showing of probable cause that the target has committed a specified felony. 18 U.S.C. §§ 2516, 2518. The request for such an order must state with particularity information regarding the facts relied upon by the applicant, the crime at issue, the individuals suspected of committing the offense, and the type of communications to be intercepted.

6. ⁶/ United States Telecom Ass'n. v. FCC, 2000 WL 1059852 *12, citing 47 U.S.C. § 1006(b)(2).

7. ⁷/ FTP ("File Transfer Protocol") is they typical method for uploading or downloading files on the Internet. Such files may contain computer programs, graphics, sounds or text. Generally, to log onto an FTP server the user must use an account name and a password. See Preston Gralla, How the Internet Works at 178-181 (1999).