04/06/00 Committee on the Judiciary

Executive Director of the

Internet Alliance

www.internetalliance.org

Before the

Judiciary Committee,

Subcommittee on the Constitution

U.S. House of Representatives

April 6, 2000

Mr. Chairman, Mr. Ranking Member, members of the Subcommittee, I am Jeff B. Richards, Executive Director of the Internet Alliance. Since its founding in 1982 as the Videotex Industry Association, the Internet Alliance (IA) has been the only trade association to address online Internet issues from a consumer Internet online company perspective. Through public policy, advocacy, consumer outreach and strategic alliances, the IA is building the trust and confidence necessary for the Internet to become the global mass-market medium of this century. The Internet Alliance’s 70-plus members represent more than ninety percent of consumer access to the Internet in the United States. Since May of 1999, the Internet Alliance has been a separate subsidiary of the Direct Marketing Association, bringing the resources of a 4,500-member organization to bear on Internet issues and their resolution.

Our mission is to increase consumer trust and confidence in the Internet by promoting good business practices, public education initiatives, enforcement of existing laws protecting consumers, and the development of a legal framework governing the Internet that will provide at the same time predictability and efficiency, security and freedom to innovate. Because of our business point of view coupled with our focus on improving the Internet experience for consumers, we feel well qualified to provide the Committee input and advice on its questions on the application to the Internet of the Fourth Amendment of the U.S. Constitution.

We also possess the unique viewpoint of a trade association with an established record of cooperation with law enforcement. IA’s Law Enforcement and Security Council brings together senior security officials of key IA members to bridge the gaps between industry and federal, state, and international law enforcement agencies. It benefits from IA’s unique presence—in the fifty states, Washington and abroad—to increase its knowledge and leverage. We have an excellent, constructive relationship with representatives of various levels of law enforcement. We believe the government’s most pressing duty in protecting consumers on the Internet is to enforce existing laws, and we support additional appropriations for federal agencies to increase the number and competency of investigative and prosecutorial personnel, and to provide them with state-of-the art technology.

In addressing the subject of this hearing, let me first observe that while the Internet has experienced an unbelievable expansion of functionality and usage in less than a decade, its ability to attract the tens of millions who do not currently use it, and its continued ability to evolve in beneficial ways, is not at all assured. Indeed, there is a significant risk this new tool will fail to become the universal medium of the twenty-first century, that it will fail to deliver on its promise to revolutionize business and shopping practices, to enrich and extend education, to expand interpersonal communication and enable instant worldwide publication of ideas and creative content, in short, that it will fail to fully empower individuals through the unprecedented and virtually unlimited ability to make truly personal choices over what to learn, whom to talk to, where to visit, what to say. The condition for this outcome is the Internet’s failure to satisfy the needs and desires of the ordinary user.

Many factors affect consumer satisfaction, but we are convinced none is presently more important to the public than the security of personal information transmitted online or stored by technologies which are accessible online. As with other public concerns, this one did not arise with the emergence of the Internet. It is simply the reflection in a new environment of the overriding value our nation places on individual freedom, and of our recognition that in securing individual freedom, one of our most vital principles has been limiting government access to confidential information.

That principle is embodied in the Fourth Amendment’s prohibition against unbridled searches and seizures by government. This limitation remains a cherished part of our legal structure, even though it sometimes thwarts government’s attempts to identify criminals or to gather the evidence necessary to convict them. In other words, we value freedom enough that we’re willing to tolerate some degree of crime to secure it. It is this balancing of security and freedom which produces the age-old tension the Subcommittee has noted. None of us want to live in anarchy and lawlessness, but neither have we been willing to submit to the kinds of authoritarian rule which has sometimes prospered elsewhere by promising a no-holds-barred attack on crime.

I make this point because it is relevant to today’s discussion. Clearly Congress has already placed great emphasis on implementing the Fourth Amendment’s protections online. The signal example is the enactment of the Electronic Communications Privacy Act (ECPA). In ECPA, Congress established rules and procedures by which law enforcement could have access to an individual’s electronic communications and records. These limits on government parallel the approaches traditionally taken in the "bricks and mortar" world: requirements, in various settings, for warrants, judicial orders and subpoenas before those in possession of data can be required to share them with law enforcement.

The Subcommittee now examines with a fine sense of timing whether technology, business models, or user activities have changed over the last few years in ways that expose gaps in laws carrying out our Constitution’s Fourth Amendment, and privacy, mandates. The subcommittee has also expressed interest in how the mandates of law are being carried out in practice. Accordingly, our response is two-fold:

First, we believe that the language of ECPA was drafted broadly enough to capture the new Internet functions that are being developed, at least to this point. In our experience, law enforcement is treating these functions as subject to ECPA restrictions.

To illustrate, let me point to the growing trend of third-party services hosting confidential consumer information for various purposes on servers or by other means. A number of companies invite individuals and groups to set up their calendars on secure servers, a convenient means of coordinating schedules by simply accessing the Internet. Likewise, others give free server space for the hosting of document files, both for backup storage and to enable group members to work together on the same document from different locations. And there are a number of sites where family photographs and other personal content can be deposited under restrictive access conditions controlled by the user or group. We believe these kinds of data are covered under ECPA.

Similarly, user travel and transactions on the Internet can generate new kinds of records, whether they be intentionally generated for a specific purpose or mere artifacts of transmission or storage. These range from navigational data to chat room and dynamic address records. While the user is often not consciously involved in their creation, we believe these records are and must be covered by ECPA.

Regardless, constitutional values continue to govern government’s law enforcement activities even with respect to activities that may not fall clearly within the terms of ECPA or of related restraints. Thus, if ways of transmitting, using or storing confidential information are developed, that are determined to be outside the coverage of ECPA, we would urge the Congress to move promptly to extend ECPA’s coverage.

However, there is one set of special circumstances that we would invite the Subcommittee to consider. Infrequently, law enforcement asks for information in situations involving an immediate threat to life or bodily harm, when it is felt that access to the information cannot wait until ECPA authorizing documents can be obtained. These requests often seek user location information based on navigational or other system data identifying the locality from which a message or transmission originates. Rather than subjecting the ISP to an unfair choice, or jeopardizing subsequent prosecution based on improperly shared information, ECPA could be amended with a limited exception for exigent circumstances, perhaps subject to the condition that applicable ECPA requirements for subpoena’s, orders, etc., are complied with as soon as practicable after the exception is invoked. Any such provision would need to be very narrowly drafted, and should provide that such information cannot be used in a criminal proceeding if the exception is invoked improperly. If the subcommittee agrees that such a provision is called for, we would be happy to work with you in crafting legislative language.

Second, we believe the current system of Fourth Amendment protections is generally working well. Major ISP’s represented by the Internet Alliance include AOL, MCI WorldCom/UUNET, Bell Atlantic, IBM, Microsoft, and Prodigy. They have in place policies and internal mechanisms limiting the sharing of personal user information with law enforcement in accordance with ECPA. However, while we cannot speak for others, our companies have had experience with some law enforcement personnel who seem to have been unaware of ECPA’s requirements. There have been cases in which more information was requested by subpoena than is permitted under the law, and in which legal request documents and even improper verbal requests were submitted to the wrong persons, such as consumer service representatives, rather than to those within the ISP structure responsible for responding to such requests.

In part for these reasons, we have strongly supported additional resources for training law enforcement in proper investigative techniques in the online environment. We testified to this effect before the Senate Appropriations Committee earlier this year. In addition, the Internet Alliance through its Law Enforcement and Security Council (LESC) is in the process of developing a basic multimedia training course for law enforcement officers, in conjunction with the Department of Justice and Interpol. The LESC is also developing a comprehensive list of company officials authorized to respond to legal requests for information, which will be accessible to law enforcement officials nationwide, and which will hopefully eliminate the problem of misdirected requests.

In conclusion, we share the Subcommittee’s commitment to ensure that the protections of the Fourth Amendment apply online as well as offline. We believe the current system of laws is generally adequate, and we believe both industry and law enforcement are doing a good job complying with the law. From our end, we have initiatives in progress to further improve the situation, and we welcome the Subcommittee’s continuing oversight to monitor the situation as the Internet continues to evolve.

Thank you. I would be glad to respond to any questions.