07/24/00 Committee on the Judiciary

APPENDIX I

THE LESSONS TO BE LEARNED FROM THE IMPLEMENTATION OF THE COMMUNICATIONS ASSITANCE TO LAW ENFORCEMENT ACT

In 1994, the Congress passed the Communications Assistance to Law Enforcement Act (CALEA). It required that the new generation of digital telephone networks be built to be surveillance-ready. At the time, law enforcement and the FBI, in particular, argued that it was necessary to preserve their existing capacity to engage in electronic communication surveillance and assured the Congress that they were only seeking to preserve the status quo and were not seeking any additional power or capacity.

The legislative history of CALEA makes clear that the Act was intended "to balance three key policies: (1) to preserve a narrowly focused capability for law enforcement agencies to carry out properly authorized intercepts; (2) to protect privacy in the face of increasingly powerful and personally revealing technologies; and (3) to avoid impeding the development of new communications services and technologies."H.R. Rep. No. 103-827, 103d Cong., 2d Sess., pt. 1, at 13 (1994).

Based on the legislative history, it is fair to say that the FBI made a bargain with the Congress that they would not use the implementation process to require telephone service providers to build in new surveillance capabilities and that it would respect the privacy of Americans.

The FBI did not keep its end of the bargain. The CALEA implementation process, which was supposed to involve only the setting of technical standards by the industry, has been highly contentious. The FBI has consistently sought greater capacity and surveillance features that did not exist in 1994. In some cases, they have sought capabilities that they specifically promised the Congress they would not seek.

Many important issues are now before the Federal Circuit Court of Appeal for the District of Columbia, where the telephone industry and the privacy community have united to contest the FBI's overreaching.

The material below details four important examples of FBI overreaching.

1. The Demand for Cellular Telephone Location Tracking

A prime example of the FBI's broken promises involves the use of cellular telephones as location tracking devices. Cellular networks have the capability of identifying the physical location of a caller, within a reasonably small range. The Congress recognized that this raised difficult Constitutional and privacy issues and sought the assurance of the FBI that CALEA would not to be used to force the cellular providers to provide law enforcement with location information.

Director Freeh willingly gave that assurance. He testified as follows:

"[Call setup information] does not include any information which might disclose the general location of a mobile facility or service, beyond that associated with the area code or exchange of the facility or service. There is no intent whatsoever, with reference to this term, to acquire anything that could properly be called "tracking" information." Joint Hearings on H.R. 4922 and S. 2375, 103d Cong. 29 (1994). (Emphasis added).

Despite that on-the-record promise to the Congress, the FBI has fought tooth and nail to include complete location tracking information in the CALEA requirements and we have now been forced to take the issue to the courts.

2. Accessing the Content of Voice Over the Internet With Only a Pen Register or Trap and Trace Order

Another important example from the CALEA implementation process -- one that foreshadowed many of the issues relating to Carnivore -- involves the issue of telephone calls made using the Internet protocol (IP) and the issue of packet switching. In this instance, the FBI has sought to turn the existing wiretap laws on their head and demand delivery of the content of a call, even when they only have a pen register or trap and trace order for call identifying or addressing information.

Traditional telephone calls are made using a single dedicated circuit. The content of the call and call identifying information, e.g. the number dialed, can be easily separated. The telephone companies can easily deliver the content and call identifying information separately.

So for example, when law enforcement only has a pen register or trap and trace order entitling it to "dialed numbers," the provider can give that information to law enforcement without disclosing any of the content of the call. Call content, of course, requires a Title III order.

Title III itself is based on the 4^th Amendment requirement of a warrant issued by a court based on a showing of probable cause of criminal activity. Such warrants are issued on a relatively high standard.

In contrast to traditional voice telephony, communications made over the Internet are split into "packets", which may travel a separate path and then are reassembled at the end of their journey. Even with voice calls made using the Internet protocol ("voice over IP"), the packets contain both addressing information and content. As a practical matter, the provider cannot separate the content from the addressing information.

The FBI's solution to this problem has been to insist that they be provided with the entire set of packets, even when they only have a pen register or trap and trace order. Once again they ask us to trust them--in this case to only examine the addressing information and to discard the content. That issue is now before the Court of Appeals and we have every confidence that the Court will not allow the FBI to get content without a Constitutionally mandated Title III order.

3. Demanding Excessive Capacity

Since law enforcement surveillance activity obviously varies from region to region, CALEA requires the FBI to issue notice of its capacity requirements for each geographic area, so that carriers know how much capacity to install. In October 1995, the FBI issued its first proposed capacity notice. On its face, it seemed to require companies in major cities to install a surveillance capacity that would allow simultaneous monitoring of up to 1% of customer lines in service. This proposal was roundly criticized as excessive and the FBI withdrew it.

In January 1997, the FBI issued a second notice, using a new methodology based on past activity. However, this second notice was also deficient in three ways:

The FBI exaggerated law enforcement's past experience. The Bureau collected data, consisting of combined federal, state and local law enforcement surveillance activity for each county or service area nationwide, between 1993 and 1995. From this data, the FBI determined the 24-hour peak of surveillance activity for each switch, over the course of the 26 month survey period. From switch to switch, these peaks did not occur on the same day, but the FBI added them together to obtain a hypothetical county-wide "peak," which the notice requires companies to meet as if the surveillances occurred all on the same day.

The second notice and some of the FBI's informal comments about it have seemed to imply that each and every carrier serving a particular area would have to install capacity sufficient to meet the total surveillance needs for that region, even if the carrier only served a portion of the customers in the area. Even broader interpretations of the notice, which the FBI has been forced to informally disavow would require carriers to install in each switch a capacity sufficient to meet the requirements projected for an entire county or multi-county service area. Under either of these interpretations, the requirements of the second notice would require industry to install capacity unrelated to historical surveillance activity, costing taxpayers many millions of dollars in unnecessary reimbursement.

The second notice draws no distinction between the capacity required to intercept call content and the capacity required to access dialed number information, even though CALEA requires a distinction between interceptions of call content and interceptions of call-identifying information through pen registers or trap and trace devices. The FBI indicates that 90% of all surveillances involve access only to dialed number information, not call content. The distinction is important for privacy because the capacity to intercept call content is more intrusive (and may be more expensive) than the capacity to intercept call-identifying information. Congress wanted companies to use technology that limited the amount of information provided to law enforcement under pen register and trap and trace authority. The second notice ignores that intent.

4. Demanding Access to Digits Dialed After a Call is Connected

Callers using current telephone technology such as voice mail often enter additional touch-tone digits after having "dialed" to make the connection to the original called party. For example, many people access banking information by phone using their touch tone key pad. The FBI has been insisting that carriers provide to a law enforcement agency with only a pen register order not only the original call-identifying digits but also all non-call-identifying digits subsequently entered. This requirement is unlawful because it violates CALEA's instructions and violates Title III. It sacrifices privacy to expand law enforcement authority by requiring easy access to so-called "post-cut-through dialed digits" without regard to whether the digits are part of a call's contents.

Conclusion

The CALEA implementation process has been dominated by the FBI's pattern of making claims that go beyond the boundaries of the law and their exploitation of new technology to garner more communications information under lesser standards.

Indeed, the whole history of the CALEA implementation process demonstrates why we should not be so quick to accept the FBI's assurances that it will strictly adhere to the Constitution and the relevant statutes. The FBI has demonstrated that it has very expansive notions of what it is entitled to intercept and when it is entitled to those intercepts. The decisions made by the FBI and its Carnivore box are for all, and intents and purposes are secret and beyond review. Carnivore gives the FBI far too much discretion and creates far too great a risk that they will burst through the envelope of the 4^th Amendment and the Congressionally imposed restraints.

STATEMENT

BARRY STEINHARDT

ASSOCIATE DIRECTOR

AMERICAN CIVIL LIBERTIES UNION

THE FOURTH AMENDMENT AND

CARNIVORE

BEFORE THE

HOUSE JUDICIARY COMMITTEE

SUBCOMMITTEE ON THE CONSTITUTION

July 24, 2000

Chairman Canady, Ranking Member Watt and members of the Subcommittee:

I am pleased to testify before you today on behalf of the American Civil Liberties Union about the Fourth Amendment to the U.S. Constitution and the FBI's Carnivore System. The ACLU is a nationwide, nonprofit, nonpartisan organization consisting of over 275,000 members dedicated to preserving the principles of freedom set forth in the Bill of Rights. Neither the ACLU nor myself has received any funding from the federal government in the past two years.

On April 6, my colleague, ACLU Legislative Counsel Gregory Nojeim, testified before this Subcommittee on the more general subject of the Internet and the Fourth Amendment. In his testimony, Mr. Nojeim offered a detailed analysis of the myriad ways in which the new technologies threaten to undermine the values of the Fourth Amendment. He emphasized that the existing laws related to the Government's interception of our communications need to be updated to reflect the new technological developments and he offered a number of concrete proposals.

My testimony this afternoon will focus more narrowly on the Carnivore system and on the recent proposals made by the Clinton Administration concerning electronic surveillance. I will not repeat our earlier testimony, but I will refer to a number of the relevant points that Mr. Nojeim made in April.

Carnivore Does Damage to the 4^th Amendment and ECPA

Before turning to Carnivore itself, let me try to put the current controversy in some historical context. Wiretapping and electronic surveillance (hereinafter I will generally refer to "wiretapping" to cover both traditional telephone tapping and newer methods of electronic surveillance) are a growing practice in this country and is already at record levels. In 1995 and 1996, for the first time in history, the federal government placed more wiretaps than all of the states combined.

In the last reporting period, the Clinton Administration conducted more wiretaps in one year than ever in history, and the number of "roving wiretaps" (wiretaps of any phone a target might use, without specifying a particular phone) nearly doubled.

Perhaps most ominously, more and more innocent conversations are being intercepted. According to the Government's own records, when Title III first went into effect 30 years ago, approximately 50% of all of the conversations intercepted contained what law enforcement regarded as "incriminating" information. In the mid to late 1990's, the percentage of "incriminating conversations plummeted to less than 20%. In other words, more than 80% of all intercepted communications are, by the government's own standards, innocent. Last year, approximately 2 million innocent conversations were intercepted in law enforcement electronic surveillance.

Both trends - more and more intercepts and more and more innocent conversations being intercepted--are likely to accelerate because of the advent of digital communications. The interception of "old fashioned" analog telephone conversations is very labor intensive and consequently costly. A law enforcement agent must actually listen to all or part of the conversation. Digital communications, especially those that are textual such as e-mail, offer law enforcement the opportunity to intercept and process much greater volumes of communications. Much of the initial evaluation and processing of the communication can be done by computers that are relatively cheap and easy to operate.

The consequence is that law enforcement will be sorely tempted to access an ever-increasing number of communications. With increased numbers and less precision in the targeting, the percentage of innocent communications accessed by law enforcement is likely to grow.

Moreover, digital files kept on computers and transferred over the Internet represent a treasure trove of information for law enforcement. The demand to search those files and intercept them in transmission is likely to grow and will further accelerate the trend of increased surveillance.

Carnivore is a dramatic example of this new digital reality and the opportunity for increased surveillance.

The Carnivore system --essentially a computer running specialized software-- is attached directly to an Internet Service Provider's (ISP) network. Carnivore is attached either when law enforcement has a court order under the Electronic Communications Privacy Act (ECPA) permitting it to intercept in real time the contents of the electronic communications of a specific individual, or a trap and trace or pen register order allowing it to obtain the "numbers" related to communications from or to a specified target.

But unlike the operation of a traditional pen register, trap and trace device, or wiretap of a conventional phone line, Carnivore gives the FBI access to all traffic over the ISP's network, not just the communications to or from a particular target. Carnivore, which is capable of analyzing millions of messages per second, purportedly retains only the messages of the specified target, although this process takes place without scrutiny of either the ISP or a court.

Carnivore permits access to the e-mail of every customer of an ISP and the e-mail of every person who communicates with them. Carnivore is roughly equivalent to a wiretap capable of accessing the contents of the conversations of all of the phone company's customers, with the "assurance" that the FBI will record only conversations of the specified target. This "trust us, we are the Government" approach is the antithesis of the procedures required under our wiretapping laws. Those laws authorize limited electronic surveillance of the communications of specified persons, usually conducted by means of specified communications devices. These laws reflect 4^th Amendment values of limited searches aimed at particular targets when there is good cause to suspect them of criminal activity.

They place on the provider of the communications medium the responsibility to separate the communications of persons authorized to be intercepted from other communications. Law enforcement is required to "minimize" its interception of non-incriminating communications of a target of a wiretap order. Carnivore is not a minimization tool. Instead, Carnivore maximizes law enforcement access to the communications of non-targets.

In essence, Carnivore is a black box into which flows all of the service provider's communications traffic. The service provider knows what goes in, but it has no way of knowing what the FBI takes out.

Indeed it is hard to imagine how the operation of Carnivore can be squared with either the 4^th Amendment or ECPA, which was adopted to implement the 4^th Amendment in the context of electronic surveillance. The very premise of the 4^th Amendment is that searches should be narrow and targeted so as to avoid intrusion into the privacy of persons who are not suspected of engaging in crime. The 4^th Amendment was adopted to protect the "houses, papers and effects" of Americans against the sort of general searches conducted by the British colonial powers that permitted the search of everyone and everything in their path.

In recognition of this, ECPA requires the Government to specify the person who is the target of the investigation; the crimes under investigation and the particular system from which the communications are to be accessed. I think it is fair to say that the Congress never contemplated or authorized a wiretapping scheme that accessed everyone's communications; that had the potential to access an unlimited number of communications, only a small fraction of which involved criminal activity; and that targeted an entire communications network, rather than a particular person's communications.

In his prior testimony to your subcommittee, Robert Corn-Revere described the experience of his client, an ISP later publicly identified as EarthLink, that was required to install Carnivore when presented with a trap and trace order. The particular case he described involved a trap and trace order. He detailed his client's concerns that a trap and trace order in the context of the Internet revealed information that Congress did not contemplate when it authorized their limited use.

In the traditional telephone context, those orders reveal nothing more than the numbers dialed to or from a single telephone line. In the Internet context, these orders and certainly Carnivore, likely involve ascertaining the suspect's e-mail address, as well as header information that may provide information regarding the content of the communication. He described his client's frustration at not knowing what information law enforcement was collecting and whether it was actually limited to that allowed by a trap and trace order.

He also described his client's willingness and ability to cooperate with law enforcement and law enforcement's rejection of an offer to provide them the communications traffic authorized by the order without having to use Carnivore.

In his prior testimony and other testimony you will hear today, it is clear that the ISP community is willing and able to cooperate with law enforcement and to provide it with the targeted communications information to which it is entitled under a court order. You will hear testimony that the ISP's can give the FBI what it is entitled to without resorting to the use of Carnivore. You will also hear testimony that the ISP's fear both for their subscriber's privacy and the security of their networks. Introducing a device like Carnivore into an ISP's network creates both a potential security hole and the possibility of the sort of service degradation and interruption that Mr. Corn-Revere's client experienced.

In recognition of the multiple dangers of Carnivore and how little the public, service providers or even the Congress knows about its capabilities or operations. The ACLU has filed a Freedom of Information Act request with the FBI that asks for all documents describing Carnivore's operation, including the source code for its software. We believe that the only way to understand Carnivore's capabilities is to subject the computer code to examination by experts genuinely independent of the FBI. A carefully controlled and rehearsed demonstration by the FBI is not likely to reveal Carnivore's full capabilities and potential uses.

The FBI insists it will only record the communications to which it is entitled. The FBI asks you to take an enormous leap of faith that they will stay strictly within the confines of the law. They ask you to trust them with unsupervised access to the entire stream of communications over an ISP's network, which can amount to literally millions of innocent communications of non-targets of any interception order.

If you accept this premise, you reject the 4^th Amendment. It is built on the opposite premise: that the Executive cannot be trusted with carte blanche authority when it conducts a search.

Even if we assume that the FBI will not once again engage in spying on the First Amendment activities of Americans or other abuses of the past, recent history tells us that the FBI cannot be expected to keep its promises on communications surveillance issues. Recent history tells us that we can fully expect the FBI to push the envelope of the law and to eventually break out.

In 1994, the Congress passed the Communications Assistance to Law Enforcement Act (CALEA). CALEA was a hotly debated law. It required that the new generation of digital telephone networks be built to be surveillance-ready. At the time, law enforcement and the FBI, in particular, argued that it was necessary to preserve their existing capacity to engage in electronic communication surveillance and assured the Congress that they were only seeking to preserve the status quo and were not seeking any additional power or capacity.

In effect, a bargain was struck. In return for the requirement that the new networks be constructed to preserve then existing capabilities, the FBI and law enforcement agreed not to use the new law to force service providers to provide it with new surveillance capabilities

The FBI did not keep its end of the bargain. The CALEA implementation process, which was supposed to involve only the setting of technical standards by the industry, has been highly contentious and has been characterized by an FBI power grab. The FBI has consistently sought greater capacity and new surveillance features that did not exist in 1994. In some cases, they have sought capabilities that they specifically promised the Congress they would not seek.

Among these have been:

5. demands that cellular telephone providers build their systems to give law enforcement location tracking abilities -- despite an explicit promise by FBI Director Freeh that the FBI would not use CALEA for that purpose;

6. a demand that Internet telephony providers turn over the content of communications, even when law enforcement only has a pen register or trap and trace order; and

7. an exorbitant wiretapping capacity requirements for new network.

(Attached to my testimony as Appendix I, you will find a more detailed description of the FBI's broken promises and its elastic concept of the law).

Indeed, the whole history of the CALEA implementation process demonstrates why we should not be so quick to accept the FBI's assurances that it will strictly adhere to the Constitution and the relevant statutes. The FBI has demonstrated that it has very expansive notions of what it is entitled to intercept and when it is entitled to those intercepts. The decisions made by the FBI and its Carnivore box are for all intents and purposes secret and beyond review. Carnivore gives the FBI far too much discretion and creates far too great a risk that they will burst through the envelope of the 4^th Amendment and the Congressionally imposed restraints.

The Administration Proposals Made In Response to the Carnivore Controversy

In response to the public controversy over Carnivore, the White House has made a new set of proposals regarding "Cyber Security." The Administration has not yet offered legislative language, so it is difficult to offer a definitive comment, but White House Chief of Staff John Podesta offered the broad outlines in his July 17 remarks at the National Press Club.

While the devil will be in the details that we don't yet have, I will offer some general comments on the proposals. But first let me emphasize that the Podesta proposals are not an adequate response to the issues raised by Carnivore.

Carnivore is an unprecedented system. Never before has law enforcement installed a device, which accesses all the communications of a service provider's customers, rather than only the communications of the target. Never before has a law enforcement agency claimed that it should be granted access to all communications passing through a service provider's network based on an unsupervised promise that it will not stray beyond the confines of its authority.

The Administration's proposals simply do not address those issues. Slightly enhancing the standards for issuing pen register or ECPA orders for content does not address the issue of dragnet searches through an ISP's network. The Administration certainly does not address these problems by proposing to create the authority for nationwide pen register or trap and trace orders.

The problem with Carnivore is not limited to the standard for issuing the orders. It is the operation of a device that can trawl through millions of communications that are wholly unrelated to the target of the order.

Now, let me turn to the proposals, as we understand them. In summary, these proposals offer a few modest steps forward to protect privacy, at least two large steps backward, and miss many opportunities to address the most significant deficiencies in the current law.

Mr. Podesta announced that the Administration would support legislation to require that the same standards that apply to the real time interception of the content of telephone calls ("Title III Standards") also apply to the real time interception of electronic mail.

Mr. Nojeim made a similar proposal in his April testimony to the Subcommittee. He noted that ECPA has a number of shortcomings that need to be addressed and that in general, it is not as protective of e-mail and other electronic communications as Title III is of voice communications. For example, with regard to real time interception, only a high-ranking DOJ official can authorize an application for a wiretap order. "Any attorney for the Government" may authorize an application for an order to intercept e-mail and other electronic communications.

Wiretaps can be issued only upon a showing of probable cause that one of a list of enumerated offenses has been committed; e-mail and other electronic communications can be intercepted with a court order based on probable cause issued in connection with any federal felony. Finally, the statutory exclusionary rule that encourages law enforcement to comply with the proper procedures for electronic surveillance applies only to wiretaps and bugs, not to interception of e-mail and other electronic communications.

But Mr. Podesta's suggestion does not go far enough because it does not address the far more significant differences between the rules for the real time interception and law enforcement access to electronic communications that are in "storage."

Once in storage, law enforcement access is obtained far more easily
under federal law. A search warrant based on probable cause issued by a
federal magistrate (as opposed to a court order with the protections mentioned above) is all that is required to access e-mail in storage for less than 180 days. 18 U.S.C. 2703(a). In other words, by waiting an instant until the message is delivered and "stored," the requirement of a court order with continuing judicial oversight, the statutory requirement for minimization procedures, the substantial fines and prison time for violating the statute, and the requirement that the communication be eavesdropped upon only as an investigative technique of last resort, are all avoided.

Importantly, once the e-mail has been stored with the provider for over 180 days, it can be made available to law enforcement acting with only an administrative subpoena and delayed notice to the customer, or with a warrant without notice. 18 U.S.C. 2703(b). Most importantly, such e-mail can be obtained by law enforcement acting with a court order issued based upon a showing of only "specific and articulable facts showing that there are reasonable grounds to believe" that the contents of the communication are "relevant" to an ongoing investigation. "Relevance" is a far lower threshold for a search than is "probable cause." In effect, the privacy of the contents of an e-mail message or other electronic communication diminishes just because a service provider retained the message an inordinately long time.

The Administration's proposals would be genuinely meaningful if they applied to stored e-mail the same protections which Title III applies to the interception of telephonic communications. Only by adopting this approach would e-mail truly enjoy the same legal protections as voice communications -- the goal the Administration claims it would like to achieve.

Moreover, this approach makes intuitive sense for two reasons. First, e-mail should be protected like voice communications because it is a spontaneous communication. People write in e-mail messages in the same way they speak: spontaneously. Second, the e-mail that a person receives that the person regards as most important is the e-mail that the person saves for the longest time. Ironically, that is the e-mail entitled to the least protection under the current statutory scheme.

The Administration has made two proposals with regard to pen register and trap and trace orders. First, Mr. Podesta reaffirmed the Administration's long standing proposal for nationwide orders.

The Department of Justice has previously asked that judges be given authority to issue such orders with nationwide coverage. DOJ argues that to track computer intrusions over the Internet, law enforcement officials must often seek multiple orders because electronic communications jump from computer to computer and jurisdiction to jurisdiction. However, the DOJ's request extends not only to electronic communications, but also to any communications transmitted by telephone, which do not jump from computer to computer.

We urge you to reject this request because: (i) the standard for issuing a pen register or trap and trace order must first be strengthened substantially; (ii) steps must be taken to ensure that forum-shopping for a sympathetic judge is precluded; and (iii) it is unclear exactly what information the Government is currently obtaining with the low evidentiary standard for pen registers and trap and trace devices.

The trap and trace/pen register law is, at best, a very poor fit for the Internet. The statute currently authorizes the interception of only numbers dialed to and from a telephone. On the Internet, the only times numbers are literally "dialed" by a telephone is when a user connects to an ISP using a dial up modem - a method of connection that is rapidly becoming less common. Plainly, the existing laws were not drafted with the Internet in mind.

At your April hearing, the Chairman asked Mr. Green of the Justice Department whether law enforcement was currently receiving email addresses using a pen register or trap and trace order. He replied that law enforcement regularly obtains e-mail addresses with only such orders by arguing in an ex parte proceeding "by analogy" to the pen register statute. This position -- that "letters" are "numbers" -- cannot be squared with the statute, and raises further questions about just what information can be obtained with a pen register or a trap and trace order.

In the context of the Internet, e-mail addresses can convey far more meaning - content - than a telephone number. To begin with, as several of your witnesses in April pointed out, e-mail addresses are personal to an individual while telephone lines may be used by multiple persons. More significantly, depending on the circumstances of their capture, e-mail address can tell law enforcement a good deal about the content of the communication.

For example, forcing a web site to reveal the e-mail addresses of all of its visitors or those who accessed a particular file reveals the nature of those visitors specific interests.

Beyond e-mail addresses, there are unanswered questions about whether pen register and trap trace orders are being or can be used to obtain other sensitive information. For example, can they be used to collect the URL's (the web addresses) of sites that a target visited, the names of files that are transmitted, subject headers of email, or other transaction logs of Internet activity.

One of the real dangers of Carnivore is that it is perfectly capable of collecting such information in a surreptitious way and there is no practical check on the FBI's discretion.

In its second proposal about pen registers and trap and trace devices, the Administration suggested that judges and magistrates be given greater authority to review requests for pen registers and trap devices. Under current law, the judiciary must simply rubber stamp such requests if law enforcement certifies that they are sought as part of ongoing criminal investigation. This is a potentially useful change, although it will only be meaningful if the standard for issuing an order is itself meaningful. Mr. Podesta did not address the question of what standard should apply.

We would suggest that the judiciary must be given the authority to make an independent judgement that these orders are based on reasonable cause to
believe that the target of the order has or is about to commit a crime. Under the Administration's proposal, a judge would issue a pen register or a trap and trace order upon finding that the information to be obtained is likely "relevant" to an ongoing investigation. However, the Attorney General Guidelines on General Crimes, Racketeering Enterprise and Domestic Security/Terrorism Investigations do not permit the FBI to open an investigation in the first place unless there is a reasonable indication of criminality. If the judge is truly to have a meaningful role, the judge should ask not merely whether information is "relevant" to an ongoing investigation, but whether there is a reasonable indication of criminality in the first place.

Of equal importance, in no event should law enforcement be allowed to use trap and trace orders served on ISPs to obtain data which reveals the content of the communication.

In sum, ECPA should be amended:

1. to require that trap and trace/pen register orders should only be issued on the basis of an independent finding by a judicial officer that there is reasonable cause to believe that the target of the order has or is about to commit a crime;

2. to provide that consumers receive notice whenever the government obtains information about their Internet transactions;

3. to require specific statistical reports for pen register/trap orders for Internet communications, similar to the reports required under Title III, and

4. explicitly provide that Internet queries, e-mail subject lines, URL's of sites visited and other information which provides more than the equivalent of a dialed number, such an IP number are content, which cannot be disclosed without a probable cause order.

Congress should not even consider allowing nationwide pen register or trap and trace orders until those reforms are enacted and tested in the real world.

Finally, Mr. Podesta discussed the issue of the interception of electronic communications made using a cable modem. He suggested that such communications be subject to interception under the same circumstances as applies to the wiretapping of telephones or the real time interception of e-mail.

The Cable Act provides that law enforcement may only get access to subscriber records under a process that involves prior notice to the subject. Title III and ECPA do not provide prior notice or an opportunity to contest for the target of the wiretap. In other words, the Cable Act, assuming that it rather than ECPA governs the interception of electronic communications by law enforcement, provides the subscriber with more protection. This is a proposed roll back of rights that Congress should reject. If Congress acts on this proposal to harmonize the standards, it would do well to harmonize them at the more protective level.

ECPA does need to be strengthened as we have suggested. The standards for interception of all e-mail and other electronic communications, including stored communications, need to be brought up to at least the standards of Title III. Far more exacting scrutiny needs to be made of requests for pen register and trap and trace orders. The trap and trace law needs to be clarified so that such orders served on ISPs do not de facto authorize the surveillance of content.

Perhaps even more pressing is the need for the Congress to send a clear message about systems like Carnivore. The Congress should amend ECPA to clarify its intent to ensure that under no circumstances may law enforcement require an Internet Service Provider to provide the Government with access to subscriber communications that do not involve the target of an order.