Advanced Electronic Security Company TSCM bug sweeping bugsweeps
Home Info About Us FAQ Contact Us E-mail

Communications Privacy in the Digital Age

June 1997

Interim Report:
COMMUNICATIONS PRIVACY IN THE DIGITAL AGE

Prepared by the Electronic Surveillance Task Force
OF THE DIGITAL PRIVACY AND SECURITY WORKING GROUP

Table of Contents
Introduction
Summary of Conclusions

  1. Electronic Surveillance Must Be Subject to Strong Privacy Protections
  2. II. Technological Changes Affect Privacy, Security and Law Enforcement, Posing Challenges and Offering Opportunities
    1. Five Key Developments
      1. Rapid expansion of wireless services
      2. Dramatic development of the Internet
      3. Traffic analysis provides increasingly rich source of personal information
      4. Control over technology has shifted
      5. Globalization
    2. Developments since 1986 require a strengthening of ECPA
    3. Changes in Technology Exacerbate the Constitutional Vulnerability of Records Held by Third Parties, Requiring a New Look at the Fourth Amendment-Based Rules on Government Access
  3. Technological Advancements in Surveillance
    1. Wireless services
    2. Location information
    3. E-mail and other on-line communications
    4. Remote monitoring
    5. Computer analysis
  4. Government Efforts to Expand Surveillance Capabilities: CALEA Implementation
    1. CALEA Was Premised on the Effective Enforcement of Strict Privacy Protections
    2. Development of the CALEA Legislation
    3. Law Enforcement Is Able to Take Advantage of All Advances in Technology
    4. CALEA Implementation Issues
      1. Expansion of Surveillance Capabilities
      2. Location Information
      3. Capacity Requirements
      4. Funding
      5. Public Accountability
      6. Compliance Deadlines and Reimbursement
      7. Privacy and Security
      8. CALEA Coverage
  5. Government Efforts to Control Encryption Technology
  6. Protecting Wireless Communications
  7. Amending the Wiretap Laws
    1. Excusing Violations of the Wiretap Laws
    2. Roving Wiretaps
    3. Emergency Wiretaps
    4. Review of FISA
  8. International Issues
  9. Notes


Introduction

The ongoing worldwide revolution in communications technology is fundamentally changing the way people conduct their business and private lives. These changes are producing challenges for privacy, communications security and law enforcement (and national security) and are stretching the limits of existing legal rules. Striking the proper balance among privacy, security and law enforcement interests in the electronic realm has always been a complex endeavor. Rapid changes in communications technology require the periodic reexamination of privacy and communications security protections and law enforcement capabilities. It is time again for such a review.

The Digital Privacy and Security Working Group is a diverse forum of over 50 computer, communications, and public interest organizations working to develop and implement policies that protect personal privacy and network security on the expanding and rapidly changing global information infrastructure. (DPSWG membership is listed in Appendix A.) Originally formed in 1986, the DPSWG has played a critical role on several major communications privacy and security issues, including the enactment of the Electronic Communications Privacy Act of 1986 ("ECPA"), the effort to ensure that legislation adopted in 1994 to preserve law enforcement access to communications (the Communications Assistance for Law Enforcement Act, "CALEA") included privacy protections and public accountability mechanisms and was narrowly tailored so as not to impede the deployment of new technology, and the on-going debate over government control of encryption.

This report addresses the privacy and security issues raised by new communications and computer technologies and the needs of law enforcement. The report is "interim" because the technologies themselves continue to change so rapidly, because Administration policy continues to develop, and because a number of the issues merit further study or more detailed exposition.

The report's structure is as follows: Section I summarizes briefly the federal wiretap laws. Sections II and III address some of the broad implications for privacy, security, and law enforcement of ongoing developments in communications technology, including the dramatic growth of the Internet and wireless communications. Sections IV through VIII address specific issues: implementation of CALEA (Section IV); government efforts to control encryption (Section V); protection of wireless communications (Section VI); revisions, including those sought by the Administration, in the laws governing wiretaps, pen registers and trap and trace devices (Section VII); and emerging issues concerning law enforcement cooperation and privacy protection in the international arena (Section VIII).

In preparing this report, we recognized the importance of the law enforcement interests at stake. Members of the surveillance task force met with representatives of the Department of Justice and the Federal Bureau of Investigation. In all of our recommendations, we sought to be responsive to law enforcement's legitimate needs.

The focus of this report is limited to questions involving government access to communications and stored electronic data. The report does not address the important questions that concern the relationships between employers and employees or between businesses and customers.

The report was prepared by the DPSWG electronic surveillance task force, including James X. Dempsey and Jerry Berman, co-chairs; Joel Bernstein; Emilio Cividanes; Geoff Feiss; Wallace Henderson; Kate Martin; Lynn McNulty; and Ronald Plesser.

Drafts of this report were made available to all DPSWG member companies and organizations. A number of DPSWG members made comments, all of which were incorporated. However, not all members of DPSWG share all the views and concerns expressed in the report.

The report has been endorsed by the following organizations, representing a broad cross-section of DPSWG:

Cellular Telecommunications Industry Association
Center for Democracy and Technology
Center for National Security Studies
Commercial Internet eXchange Association
Competitive Telecommunications Association
Electronic Messaging Association
United States Telephone Association



Summary of Conclusions

Electronic Communications Privacy

Communications privacy is a bedrock constitutional principle, and electronic communications must be protected through strong privacy legislation implement-ing the Fourth Amendment's requirements. As technologies evolve, it is periodically necessary to review the effectiveness of statutory privacy protections. Such a review should consider the overall balance between the technical and legal capabilities of government and the technical and legal status of privacy and com-munications security protections. Piecemeal amendments to the surveillance laws in response only to government concerns will inappropriately upset the balance.


New Communications Media Require New Rules

The digital communications technologies combine wireless and wireline systems seamlessly. They merge voice, data, and images. They are flexible and decentralized; networked and global; open and interactive. They place choices and control in the hands of users. They eliminate distinctions between what is kept in the home and what is stored with third parties. Their economics are characterized by competition and innovation. The explosion in the amount of information transmitted and stored electronically and the emergence of a form of online existence for both businesses and individuals have produced a qualitative change in the nature of communications and, accordingly, in the amount and nature of the information that is exposed to intrusion, interception and misuse.

New technologies enhance the ability of law enforcement to intercept and analyze communications and track individuals. Many of these enhancements are coming about without government intervention, as the unintended consequences of market-driven changes in technology. Existing law allows law enforcement to take advantage of these developments and requires telecommunications companies to cooperate by providing technical assistance, subject to government reimburse-ment. As technology enhances surveillance capabilities, the legal standards for government use of these new technologies must adequately protect privacy.


Transactional and Signaling Data

On the Internet, which has developed in ways unforeseen when ECPA was enacted in 1986, transactional data has emerged as a hybrid form of data, somewhere between addressing information and content, and is increasingly revealing of personal patterns of association. CALEA set a higher standard for access to transactional data regarding electronic communications; Congress should examine how the new standard is working.

In a similar development in the area of voice communications, advanced signaling systems have also blurred the distinction between call-identifying information and call content. The standards for governmental access to signaling data (under what are known as "pen registers" and "trap and trace devices") should be amended to require a judge to find, based on a showing by the government, that the information sought is relevant and material to an ongoing criminal investigation.

In light of the growing significance of transactional and signaling data, Congress should examine more generally the implications of government access to and analysis of all forms of such information for subscriber profiling purposes.

One type of transactional data, namely real-time location information generated in wireless telephone systems that enables simultaneous tracking of cellular and other wireless phone users, implicates such serious privacy interests that Congress should clarify the law by requiring a warrant based on a showing of probable cause for nonconsensual governmental access to such information when obtained on a real-time, tracking basis.


CALEA Implementation

Law enforcement has had certain problems preserving its communications surveillance capability in the face of rapidly developing technology and services. In 1994, Congress wrestled with this issue. Initially, the FBI sought what would have amounted to de facto licensing authority over the development and deployment of new technology. DPSWG members argued that, if any legislation was enacted, it should be narrowly crafted to address law enforcement's demonstrated needs while also protecting privacy and the innovation and competitiveness that have fueled the digital revolution. After hearings and consultations with industry, privacy groups, and law enforcement, Congress rejected the broad approach originally proposed by the Executive Branch. Instead, with the unreserved support of the FBI, Congress enacted legislation (CALEA) that established minimum functional requirements intended to preserve but not expand law enforcement access to communications, and deferred to industry to develop implementing solutions.

The FBI now appears to be trying to rewrite this legislative record, by claiming that CALEA requires surveillance capacities that go beyond the status quo. For example, the FBI is wrongly claiming that CALEA requires cellular and other wireless providers to install a location tracking capability. The FBI is also claiming that CALEA mandates interception of certain conference calls after the target has dropped off the conversation, and delivery of a signaling channel that includes detailed information about the status of both the target of an investigation and persons with whom the target communicates. Standards-setting bodies should reject efforts to broadly interpret the CALEA standards.

To date, neither the government capacity requirements nor the industry standards for implementing CALEA have been finalized. In terms of capacity, the FBI's notice of January 14, 1997 is subject to conflicting interpretations. The FBI has only informally corrected its earlier suggestions that the requirements projected for each county or service area must be applied at every switching facility or by every carrier serving the region, either of which interpretations would produce surveillance capacity that bears no reasonable relationship to historical surveillance needs. Delays in resolving disputes between industry and the FBI over how broadly to interpret CALEA's capability requirements have resulted in unforeseen delay in the issuance of industry standards. The FBI in effect acknowledges in its March 1997 implementation plan that, given standard industry processes for modifying equipment and services, compliance with the CALEA deadlines is not "reasonably achievable."


Wireless Communications

Statutory protections for wireless communications, and prohibitions against wireless scanning, should be strengthened. The protections of ECPA should be extended unambiguously to wireless data communications. As noted above, Congress should clarify the law by requiring a warrant based on a showing of probable cause for nonconsensual real-time governmental access to wireless telephone tracking information.


Encryption Policy

Strong encryption, widely available and regularly used, will enhance computer and communications security and prevent crime. On balance, the crime prevention benefits of strong encryption outweigh the impediments it poses to law enforcement practices. Full realization of the Internet's economic, personal, and democratizing potential is being delayed, and the competitiveness of American computer hardware and software companies is being hurt, by policies of the U.S. government that prohibit the export abroad -- and thereby inhibit the widespread use in the U.S. -- of strong encryption that is already available overseas. The Clinton Administration's various proposals for government-regulated key escrow, key recovery, or "key management" systems have all been unworkable. The latest proposal, while described as voluntary, is coercive. It seeks to promote a form of key recovery that is too complex, too cumbersome, too costly and too vulnerable to obtain widespread acceptance. In contrast, user-driven developments are leading, without governmental intervention, to the emergence of key escrow, key recovery and other trusted third party decryption arrangements that will accommodate law enforcement's basic needs with respect to stored data in certain cases. As market-driven key escrow or data recovery systems develop, law enforcement agencies will be seeking access to such voluntarily escrowed encryption keys or decryption assistance. Accordingly, statutory protections should be established, requiring a court order based on a showing of specific need as the minimum for government access.


Amendments to the Wiretap Laws

Proposals to amend the wiretap laws must be carefully scrutinized, and any amendments adopted must be narrowly crafted to ensure that they do not erode privacy protections. The Administration proposal to weaken the statutory suppression rule for communications seized in violation of the wiretap law's protections would seriously erode existing protections against abuse of the right to be protected from unreasonable searches and seizures. The law enforcement interests asserted as justification for the Administration's proposals on roving taps and emergency wiretap authority can be satisfied with changes significantly more modest than those proposed by the Administration. Other, privacy-enhancing amendments to the wiretap laws would protect against abuse but would not curtail legitimate law enforcement access.


International Issues

The U.S. government has been actively encouraging international bodies to adopt surveillance standards for telecommunications equipment and services. Congress should develop rules addressing the implications for communications privacy of increasing international law enforcement cooperation. In particular, to regulate any assistance provided to foreign governments seeking access to escrowed keys or decryption assistance in the United States, and to prevent the disclosure of decryption keys or decryption assistance to foreign governments that do not respect privacy and other human rights or provide due process, Congress should adopt statutory rules that include strict court order standards. Congress should also consider the extension of statutory court order requirements to the interception overseas by the U.S. government of electronic communications for use in U.S. criminal investigations.


I. Electronic Surveillance Must be Subject to Strong Privacy Protections

In very important ways, electronic surveillance has always posed greater threats to privacy than the physical searches and seizures that the Fourth Amendment was originally intended to cover. Accordingly, special attention must be paid to the maintenance of strong privacy protections in the electronic field. For one thing, electronic surveillance is almost inherently indiscriminate, raising concerns about compliance with the requirement of particularity in the Fourth Amendment and posing the risk of general searches. For another, the usefulness of electronic surveillance depends on lack of notice to the suspect. In the execution of the traditional search warrant, an announcement of authority and purpose ("knock and notice") is required so that the person whose privacy is being invaded can observe any violation in the scope or conduct of the search and immediately seek a judicial order to halt or remedy any violations. In addition, electronic surveillance involves an on-going intrusion in a protected sphere, unlike the traditional search warrant, which authorizes only one intrusion, not a series or a continuous surveillance. Officers must execute a traditional search warrant with dispatch, not over a prolonged period of time; if they do not find what they were looking for in a home or office, they must leave promptly and must obtain a separate order if they wish to return to search again. Electronic surveillance, in contrast, may go on around-the-clock for days or months.

In 1967, in the Berger and Katz cases, the Supreme Court ruled that electronic surveillance was a search and seizure covered by the privacy protections of the Fourth Amendment. 1

In Berger, the Court condemned lengthy, continuous or indiscriminate electronic surveillances, but in Katz, it indicated that a short surveillance, narrowly-focused on interception of a few conversations, was constitutionally acceptable if approved by a judge in advance. Responding to the Supreme Court's opinions and the arguments of law enforcement that wiretapping was a vital weapon in the efforts against organized crime, Congress in 1968 authorized law enforcement wiretapping under a system of protections that were intended to compensate for the uniquely intrusive aspects of electronic surveillance.2 The wiretap provisions were Title III of the Omnibus Crime Control and Safe Streets Act of 1968, so the wiretap law is still referred to sometimes as "Title III."

The legislation Congress enacted had the following components: the content of wire communications could be seized by the government in criminal cases pursuant to a court order issued upon a finding of probable cause; wiretapping was otherwise outlawed; wiretapping would be permitted only for specified crimes; it would be authorized only as a last resort, when other investigative techniques would not work; surveillance would be carried out in such a way as to minimize the interception of innocent conversations; notice would be provided after the investigation had been concluded; and there would be an opportunity prior to introduction of the evidence at any trial for an adversarial challenge to both the adequacy of the probable cause and the conduct of the wiretap. (In 1978, Congress authorized wiretapping in national security cases through another statute, the Foreign Intelligence Surveillance Act, which was intended to be used only in foreign intelligence and counter-intelligence cases and therefore did not offer some of the protections required under Title III. 50 U.S.C. 1801 et seq.) States may authorize wiretapping under restrictions at least as strict as the federal law.3

Whenever they discuss wiretapping, law enforcement officials stress that electronic surveillance is rightly subject to stringent privacy protections: that wiretaps are available only for the most serious cases; that authorization to conduct a tap is sought only when all other investigative techniques have failed; that applications are subject to rigorous judicial scrutiny; that wiretaps are conducted in such a manner as to minimize the interception of innocent conversations; and that parties whose conversations are intercepted are entitled to obtain after-the-fact judicial review of the authorization and conduct of wiretaps.

There has long been criticism, however, that the protections of Title III are not working as intended and that components of the privacy scheme have been watered down. Those who are concerned with the adequacy of current protections point to the following:

(1) Wiretapping is no longer confined to violent and major crimes. The list of crimes for which wiretapping is permitted has expanded steadily -- from the original 26 in 1968 to 95 in 1996. The original list was largely limited to espionage and treason, violent crimes, and offenses typically associated with organized crime. The list has been so expanded that wiretapping is now authorized for cases involving false statements on passport applications and loan applications or involving "any depredation" against any property of the United States. Further expansions are promoted in response to each new law enforcement concern that receives legislative attention. Wiretapping is used only rarely in cases involving homicide, kidnapping, or terrorism. In 1994, 76% of wiretaps nationwide were in drug cases.

(2) Judicial authorization has not served as an effective regulator on the use of electronic surveillance. For seven years in row, 1989 through 1995, no judge, state or federal, denied a single government request for wiretapping. (In that period, judges approved 6,598 wiretap orders in criminal cases.) Judges have no discretion to deny applications for pen registers and trap and trace devices; the law states that a judge must approve any application signed by an Assistant United States Attorney.

(3) The courts authorize electronic surveillance even when law enforcement agencies have not exhausted all other reasonably available techniques.

(4) The minimization requirement has not been strictly enforced. The courts have excused the monitoring of innocent conversations, especially in drug cases.

(5) Defendants' after-the-fact challenges to the authorization or conduct of surveillance are rarely sustained.

(6) The average length of intercepts and the average number of calls intercepted per wiretap has increased steadily, raising again the specter of general searches.

(7) The Foreign Intelligence Surveillance Act (FISA) court in its entire 17-year history has never turned down a government electronic surveillance request. In 1996, the court issued a record 839 orders, up 20% from the prior year. Meanwhile, FISA has been used increasingly in criminal cases and was recently amended for use in secret deportation proceedings.

These are important issues that deserve to be examined by Congress. They must be taken into account in the consideration of any proposals by the Administration or individual Members to further expand the scope of, or weaken the privacy protection standards in, the wiretap laws.


II. Technological Changes Affect Privacy, Security and Law Enforcement, Posing Challenges and Offering Opportunities

That the individual shall have full protection in person and in property is a principle as old as the common law; but it has been found necessary from time to time to define anew the exact nature and extent of such protection. Brandeis & Warren, "The Right to Privacy," 4 Harvard L. Rev. 193 (1890).
The tremendous scientific and technological developments that have taken place in the last century have made possible today the widespread use and abuse of electronic surveillance techniques. . . . Both proponents and opponents of wiretapping and electronic surveillance agree that the present state of the law in this area is extremely unsatisfactory and that the Congress should act to clarify the resulting confusion. "Omnibus Crime Control and Safe Streets Act," Report of the Senate Judiciary Committee, 90th Cong., 2d Sess., S. Rpt. 1097 (1968) at 67.
[L]egal protection against the unreasonable use of newer surveillance techniques has not kept pace with technology. "Electronic Communications Privacy Act of 1986," Report of the House Judiciary Committee, 99th Cong., 2d Sess., H. Rpt. 99-647 (1986) at 18.
Telecommunications, of course, did not stand still after 1986. Indeed, the pace of change in technology and in the structure of the telecommunications industry accelerated and continues to accelerate. "Telecommunications Carrier Assistance to the Government," Report of the House Judiciary Committee, 103rd Cong., 2d Sess., H. Rpt. 103-827, Part 1 (1994) at 12.

The uses of new technologies are always outpacing the law, often in ways that threaten privacy, but also in ways that enhance privacy. 4 Consequently, Congress has been required periodically to examine the legal framework for protecting privacy and security while ensuring that law enforcement has the necessary and appropriate capabilities. It did so in 1986 with the adoption of the Electronic Communications Privacy Act. It did so again in 1994 when it responded to law enforcement concerns about the impact of new technologies by enacting CALEA (discussed below in section IV).


A. Five Key Developments

Five broad technological developments have profoundly challenged the assumptions made by Congress in 1968 when it first established the rules for electronic surveillance, and in 1986 when it reaffirmed those assumptions:

(1) The rapid expansion of wireless services -- which are increasingly used not just by the wealthy and in business applications, but by ordinary citizens and for personal conversations -- has made electronic communication almost totally flexible and constantly available. The number of wireless customers has gone from 92,000 in 1984 to 46 million today. Moreover, wireless transmission is no longer important only for voice communication, but is becoming increasingly important for data transfer. Wireless modems, wireless faxes, wireless PBXs (private branch exchanges, or switchboards), and wireless local area networks are linking computers and transferring data that could include proprietary information, medical records, and financial data. Wireless links are increasingly serving as gateways to the global information infrastructure.

Policy Implications: Theincreasing use of wireless communications services, the seamless integration of wireless and wireline networks, and the importance of wireless data links heighten the urgency of ensuring the privacy and security of wireless communications, in terms of both strong legal prohibitions against unauthorized interception and strict legal standards for governmental access to wireless communications and associated transactional data.

(2) The dramatic development of the Internet has transformed all over again methods of gathering, processing and sharing of information, which had already been transformed by the computer itself. In 1981, fewer than 300 computers were linked to the Internet. In 1986, when ECPA was enacted, there were probably 50,000. By June 1996, there were over 9.4 million host computers worldwide linked to the Internet; including users who connect to the Internet via modem, some 40 million people worldwide can and do access the enormously flexible Internet communications medium. In commercial terms, networking has had enormous implications. The average number of electronic point-of-sale transactions in the United States went from 38 per day in 1985 to 1.2 million per day in 1993.

The Internet is not like the telephone system, or the mail, or mass media. The Internet combines a much broader range of functions, serving not only the one-on-one functions of the telephone and the mail but also the information functions of TV, newspapers and the library; the artistic functions of a movie theater and a museum; the political functions of a town meeting hall; the marketing and shopping functions of a mall; and the social, even romantic functions of a nightclub or coffee house. US Senate hearings have been broadcast live over the Internet. People begin romantic relationships through the Internet. Grassroots groups across the political spectrum use the Internet to inform, organize and galvanize. Barriers to participation are low: anyone with a computer and a modem can be a publisher. Of course, like any communications medium, the Internet is also used in connection with a range of criminal conduct, and the networked nature of the system makes computers connected to it inherently vulnerable to criminal and other attacks.

Policy Implications: The dramatic development of the Internet as a networked global communications medium and the expansion in the range of transactions that occur on-line have produced a qualitative change in the nature of communications and, accordingly, in the nature and amount of the information that is exposed to intrusion, interception and misuse. The Internet is an intentionally open system of linked computers, and therefore is inherently insecure. Strong encryption, widely available and unencumbered by complex and expensive government dictates, is necessary if the commercial, personal and democratizing potential of the Internet is to be realized.

(3) Signaling information has become an increasingly rich source of information about habits of association and commerce. While Congress in 1968 and again in 1986 assumed that there were two categories of data -- content (which would receive the highest protection) and a category of minimally revealing dialing or routing information -- transactional data has evolved into a third, hybrid type providing detailed information about a person's habits of association and commerce. Yet this "profiling" data was totally unprotected until 1986 and has since been subject only to the most minimal protection. On the Internet, this data gives a rich picture of a person's life. In a similar development in the area of voice communications, advanced signaling systems have also blurred the distinction between call-identifying information and call content, requiring high standards for governmental access. In some cellular and other wireless telephone systems, this signaling data includes location information, which if accessed by law enforcement without strict controls, would turn wireless phones into tracking devices.

Policy Implications: Law enforcement is increasingly turning to transactional or signaling data as a source of investigative importance. Some of this data, such as location data collected on a real-time basis, is so personally revealing that it should be protected by the probable cause warrant standard.

(4) Control over technology has shifted away from the hands of government and a few monopolies. Telephony itself, as a result of the Telecommunications Act of 1996 and other factors, is now characterized by competition and rapid innovation, producing an environment with many new products, services and features, and many new service providers. State-of-the-art encryption technology is no longer subject to government monopoly. The Internet was designed from the outset as a decentralized, redundant, self-maintaining medium for rapid transmission of information without direct human involvement, and has evolved to a state of unprecedented openness. Yet the Executive Branch is trying, in its encryption policy and under CALEA, to control communications technology and shape its growth in ways that increase the government's surveillance powers.

Policy Implications: Users can now affirmatively choose encryption technology that will enhance their privacy and protect the security of their data against criminals.

Government efforts to control the development of technology become harder to sustain in light of the technology's dispersion. While such efforts are unlikely to succeed in controlling the technology in the ways that the government intends, they do pose the threat of extending the power of government beyond traditional capabilities and can easily impede the innovativeness and injure the competitiveness of businesses.

(5) The globalization of communications technology is breaking down national borders. One of the great strengths of the Internet is that it can be as easy to send an e-mail message to New York as to Nairobi. The information infrastructure is now global, as are the markets for telecommunications products and services.

Policy Implications: On the one hand, the irrelevance of borders means that government controls over information and technology become harder to maintain. On the other hand, enforceable privacy protections have not yet emerged for the global information infrastructure. It has been said that, on the Internet, the Bill of Rights is a local ordinance. This means that the US Constitution offers little privacy protection against foreign government surveillance of US citizens whose Internet communications regularly cross international borders. For both the Internet and traditional telephony, new rules need to be developed to govern US surveillance abroad and the increasing extent of joint international operations, which currently take place in a legal no-man's-land.


B. Developments since 1986 require a strengthening of ECPA.

Congress attempted to respond to the emergence of wireless services and the digital era with the adoption of the Electronic Communications Privacy Act of 1986 ("ECPA"). Title III had been limited to voice communications, whether face-to-face or over a wire. ECPA extended Title III to wireless voice communications and to electronic communications of a non-voice nature, such as e-mail or other computer-to-computer transmissions. Thereby, ECPA made it a crime to knowingly intercept wireless communications and e-mail, but authorized law enforcement to do so with a warrant issued on probable cause. 18 U.S.C. 2701-2703. ECPA also set up rules for the use of pen registers and trap and trace devices, 18 U.S.C. 3121-3127, and set rules for law enforcement access to information identifying a subscriber to an electronic communications service, 18 U.S.C. 2703(c). ECPA also eased certain procedural requirements for interception of wire communications by federal law enforcement officers.

In drafting ECPA, however, Congress did not reexamine the most basic assumption that underpinned Title III in 1968: that capture of electronic communications was not an unreasonable intrusion if there was stringent ex parte judicial review before the fact, minimization during a search, and equally stringent adversarial review after the investigation had been completed. These rules were developed in a monopolistic, wire-based, voice-centered, one-on-one environment. Some of them, such as the minimization rule, are not readily applicable to non-voice communications.5 Moreover, much has changed in the use of communications technology since the basic scheme of the wiretap laws was laid down in 1968 and even since it was reaffirmed in 1986. In fundamental ways, the Internet is not like the telephone system or the mail system. The development of a form of on-line existence in "cyberspace" was only barely anticipated in 1986. As a result of the digital revolution and attendant changes in the use of technology, to intercept all a person's electronic communications means a lot more today than it did in 1968 or 1986. New rules may be needed.

In many ways, ECPA has proven to be a durable statute, but technology has evolved in ways not even contemplated when ECPA was enacted. These developments call for an examination of the effectiveness and coverage of ECPA. As one step in this direction, CALEA set a higher standard for access to transactional data regarding electronic communications; Congress should examine how the new standard is working. 18 U.S.C. 2703(c). A similar development has occurred in the area of voice communications, as advanced signaling systems have blurred the distinction between call identifying information and call content. Currently, the standards for governmental access to signaling data under what are known as "pen registers" and "trap and trace devices" require a court order, but the statute puts the judge in a purely ministerial role: the sole function of the judge is to determine whether the signature of an Assistant United States Attorney is on the application. 18 U.S.C. 3123(a). Instead, the standard should require the judge to find, based on a showing by the government, that the information sought is relevant and material to an ongoing criminal investigation, giving some meaning to judicial oversight.


C. Changes in Technology Exacerbate the Constitutional Vulnerability of Records Held by Third Parties, Requiring a New Look at the Fourth Amendment-Based Rules On Government Access.

The profound changes that are occurring in communications and computer technology challenge a set of assumptions about the degree of protection from governmental access one is justified to expect with respect to records held by third parties. Our focus here is on the rules for government access to communications and transactional information, rules that have their source in the Fourth Amendment to the Constitution. Other issues related to how information is collected, retained, used, and exchanged in the employment and business contexts must be addressed under the concept of fair information practices; such questions are not addressed in this interim report.

In 1976, in US v. Miller, 428 U.S. 435, the Supreme Court ruled that individuals had no constitutionally protected privacy interest in business records that were held by a third party. Miller involved checks held by a bank, and the rationale of the case assumed a world of paper records, yet the holding in its broadest implications has been applied unquestioningly to the electronic world. There have been efforts of varying success at the federal and state level to develop statutory rules for governmental access to special categories of personal records held by third parties, such as bank records, video rental records, library records, or medical records. These efforts have been limited in scope, each category of records being treated separately.

Moreover, records privacy issues have been approached without adequate attention to the developments in communications technology that we discuss here. It is widely recognized that there has been an exponential growth in the volume and variety of information that is now stored in networked systems. However, there has been little focus on the communicative, associational nature of records created in an online environment. In an era when people work for "virtual companies" and conduct personal, political and business lives in "cyberspace," the distinction between the communication of information and the storage of information is increasingly blurred. Furthermore, public key encryption may radically change the legal notion of what is a reasonable expectation of privacy. The growth of online commerce, politics and relationships; the shift to distributed, networked computing; the growth of the World Wide Web as an information source; and the ready ability to encrypt records stored with third parties call into question the application to the Internet of concepts developed for governmental access to business records in a relatively static, paper-based environment.

In this report, we make no specific recommendations for changes in the rules on governmental access to records held by third parties. ECPA itself addressed the question of governmental access to e-mail and to associated transactional records, and CALEA sought to increase the standard for governmental access to transactional records. Congress should examine how well the ECPA/CALEA standard is working.

Congress should also consider how the lines have been drawn between records entitled to full Fourth Amendment protection and records that fall outside the protection of the Fourth Amendment. There are now essentially three legal regimes for access to electronic data: (i) the traditional Fourth Amendment standard, for records stored on an individual's hard drive or floppy disks; (ii) the Title III-ECPA standard, for records in transmission; and (iii) a third, the scope of which is probably unclear, for records stored on a remote server, such as the research paper (or the diary) of a student stored on a university server or the records (including the personal correspondence) of an employee stored on the server of the employer. As the third category of records expands because people find it more convenient to store records remotely, the legal ambiguity grows more significant. Are the records stored on such a server accessible by mere subpoena? Are they covered by the "remote computing" provisions of ECPA, 18 U.S.C. 2703? If the records were seized from the individual's hard drive or floppies using a warrant or subpoena, contemporaneous notice would be required. If the records were seized in transmission, a court order would be required, but the interception could proceed secretly. If the records were seized from a third party, notice might be delayed.

Do these distinctions make sense any more? Conceptions of the Fourth Amendment developed in a 20th century world of paper records may not be applicable to 21st century technologies where many of our most important records are not "papers" in our "houses," but are "bytes" stored electronically and accessed remotely at "virtual" locations.


III. Technological Advancements in Surveillance

"In the long term, digital telephone technology will enhance the FBI's ability to collect, share and analyze information. Many of these enhancements will come without any FBI development effort, driven by consumer demand." 6

It is clear that the FBI's prediction, made in 1991, is coming true. While Section IV examines Congress' response to FBI concerns that new technology is making electronic surveillance harder, in this section of the report, we examine some of the ways in which new communications and computer technologies provide substantial advantages to law enforcement.


1. Wireless Services.

In a host of circumstances where in the past persons would have used pay phones or not made a call at all, they now use cellular or other wireless phones, which are readily tapped at central switches. (It is normally far easier to identify a target's wireless service provider than it is to predict which pay phone he or she will use.) Proportionately more wireless phones are tapped by law enforcement than traditional wireline phones.7 Indeed, law enforcement has been so quick to utilize this capability that in some urban areas cellular companies had been unable to accommodate simultaneously all of the law enforcement agencies seeking to tap cellular phones from mobile telephone switching offices, and had to install additional capacity. (This expansion of cellular wiretap capacity was begun before CALEA.)


2. Location information.

In the course of processing calls, many wireless communications systems collect information about the cell site (or the sector within a cell site) of the person making or receiving a call. Systems may even locate a cellular phone merely while it is turned on, even if it is not handling a call. The technology is proceeding in the direction of providing more precise location information, a trend that has been boosted by the rulings of the Federal Communications Commission in the "E911" (enhanced 911) proceeding, which requires service providers to develop a locator capability for medical emergency and rescue purposes.8 This information can be obtained by law enforcement. If it is a record collected and stored as part of the billing process, it can be obtained under current law by a mere subpoena. In 1994, again before CALEA, three of the four manufacturers of cellular switches had developed the software capability to deliver location information to law enforcement immediately upon call completion.9


3. E-mail and other on-line communications.

E-mail is in some respects easier to intercept than regular mail. Indeed, since e-mail messages are often stored with a service provider for a period of time before they are read by the intended recipient (and even sometimes after they are read), e-mail is less transient than telephone calls and thus more vulnerable to interception. Law enforcement can intercept a person's other Internet activity in real time, usually by monitoring the phone line that serves as most people's connection to the Net. This allows law enforcement, when it chooses to do so, to obtain an extraordinary window into a person's life. More readily, e-mail messages can be obtained from the host computer of the service provider; this is the method more commonly used by law enforcement to access e-mail.


4. Remote monitoring.

Technology has freed law enforcement intercepts of the constraints of geography. Agents monitoring wiretaps do not have to sit hunched in vans outside the target's house. Instead, the intercepted communications can be transported hundreds or thousands of miles to a monitoring facility at a law enforcement office. It is now common in investigations spanning multiple jurisdictions to establish a single monitoring plant and transmit there in real time all intercepted conversations to be monitored, minimized, and recorded. (The courts have held that a single federal judge can issue wiretap orders for telephones anywhere in the country, so long as the personnel listening to the conversations work in the judge's jurisdiction.10) The Drug Enforcement Agency has taken this concept one step further. As the Washington Post reported in November,11 the DEA forwards intercepts from many different investigations to a central facility in Utah, where they are monitored, transcribed and translated by military personnel.


5. Computer analysis.

As noted above, law enforcement has recognized the informational richness of signaling and transactional information. Computer analysis is key to law enforcement exploitation of this data. Computers have made it possible for law enforcement agencies to analyze far more easily vast amounts of information about personal communications patterns. Pen registers, which recorded the numbers dialed on a particular phone line, have been superseded by multiline dialed number recorders and these in turn have been computerized, allowing agencies to automatically search for revealing patterns of calls. The DEA has developed an integrated system called TOLLS that will electronically load telephone call data from dialed number recorders into a mainframe system for matching and analysis. Yet further developments may be around the corner. Voice recognition technology, for example, would free law enforcement from the most labor intensive aspects of monitoring conversations.

Existing rules allow law enforcement to take full advantage of these enhancements. Since 1970, the federal wiretap statute has required telephone companies, services providers and all others to provide all technical assistance to law enforcement agencies seeking to carry out authorized interceptions. 18 U.S.C. 2815(4).


IV. Government Efforts to Expand Surveillance Capabilities: CALEA Implementation

While developments in technology mean that electronic surveillance can collect far more personal information, and while some developments make surveillance easier in some respects, the Federal Bureau of Investigation in recent years has been concerned that technological developments make law enforcement interception more difficult in other respects. These difficulties are often encompassed by the term "digital telephony," although digital transmission itself is not really the problem. In hearings in 1994, the FBI cited a variety of concerns, some of which existed in analog systems: problems intercepting calls rerouted through call forwarding, or the inability to identify the destination of a call when a customer used a speed dialing feature. The FBI anticipated increasing trouble in covertly isolating the communication stream associated with a particular target as multiplexed transmission technologies and fiber cables replaced the paired copper wires that traditionally had been associated uniquely with each customer.

Congress responded to these technological developments by enacting the Communications Assistance for Law Enforcement Act of 1994, Pub. L. 103-414 ("CALEA," sometimes referred to as the "digital telephony" legislation). CALEA required telephone companies to ensure that new technologies (and some old technologies) did not impede law enforcement interception of communications. The legislation was intended to preserve the status quo in terms of government surveillance, without expanding government capabilities. Congress stressed that the requirements of CALEA should be narrowly interpreted.

However, law enforcement has attempted to broadly interpret the require-ments of CALEA to mandate a nationwide capability in excess of traditional interception practices. The most notable and most troubling aspect of this is the FBI effort to use CALEA, in contravention of explicit assurances during the drafting process, to require cellular phone companies and other wireless service providers to have a location tracking capability built into their systems for law enforcement purposes. The FBI is also claiming, for example, that CALEA mandates interception of certain conference calls after the targeted facility has been dropped from the conversation, thus continuing the surveillance against parties and facilities for which no judicial approval was granted. In terms of signaling information, the FBI has argued that CALEA requires the configuration and delivery of a signaling channel that includes detailed message notifications about the targeted facility whether or not there is a call in progress and about facilities not identified in the surveillance order. Furthermore, published reports quote FBI officials as stating that they will soon seek additional authority over the design of telecommunications systems.12


A. CALEA Was Premised on the Effective Enforcement of Strict Privacy Protections

CALEA was based on the dual premise that the laws authorizing electronic surveillance have strict legal requirements to protect privacy and that those standards are strictly enforced by the courts. In the absence of such strict legal requirements -- if they are weakened legislatively or if they are not enforced by the courts -- then the premise of CALEA falters and the legislation becomes far more threatening, requiring as it did the ubiquitous adoption of features in the nation's telephone systems to ensure ready government access.

Already the Justice Department has successfully won Congressional repeal of one of the privacy enhancements adopted in CALEA with the intent of balancing privacy concerns with law enforcement needs (the provision extending ECPA to wireless data transfers). In addition, in the anti-terrorism law, Congress created exemptions from the carefully crafted privacy protection standards of the Foreign Intelligence Surveillance Act. Further, the Justice Department continues to pursue other amendments that would loosen the privacy standards of the wiretap laws by weakening the sanctions against illegal wiretapping and making it easier to obtain roving tap and warrantless tap authority.

Some clarifications in the wiretap laws may be warranted. But it would undermine one of the foundations of CALEA if those changes weakened the existing privacy protections, or if those protections are not working as intended to limit investigative agency discretion. Unless Title III and FISA constitute meaningful privacy legislation, in light of judicial interpretation and continuing technological developments, the foundation of CALEA will be eroded.


B. Development of the CALEA Legislation

In the Bush Administration, the Justice Department brought to Congress legislation that would have created de facto licensing authority over the development and deployment of new communications technology. DPSWG members worked to ensure that any legislation would be narrowly crafted to address identified problems while also providing for public accountability and protecting privacy and the innovation and competitiveness that have fueled the digital revolution. After hearings and consultations with industry, privacy groups, and law enforcement, Congress rejected the broad approach originally proposed by the FBI. Instead, with the strong support of the FBI, Congress enacted a CALEA that established minimum functional requirements intended to preserve but not expand law enforcement access to communications, and deferred to industry to develop solutions.

CALEA was intended to preserve the status quo in terms of law enforcement surveillance. CALEA requires telephone companies to design (and in some cases retrofit) their networks to ensure that law enforcement agencies can carry out electronic surveillance on advanced digital equipment and services. It imposes on "telecommunications carriers" four requirements, pertaining to (1) the interception of call content; (2) the interception of call-identifying information; (3) the delivery to law enforcement of intercepted call content and call-identifying information; and (4) the security of intercept operations and the privacy and security of communications not authorized to be intercepted. Manufacturers are required to make available, "on a reasonably timely basis and at a reasonable charge," such features or modifications as are necessary to permit carriers to comply with CALEA capability and capacity requirements.

Congress intended that, in the first instance, common carriers and equipment manufacturers, not government agencies, would develop publicly the details for implementation of these assistance requirements. Congress expected that this approach would temper law enforcement demands with considerations of cost, competitiveness, innovation, security and privacy. Even if industry failed to produce a standard or if the FBI had concerns about the standard, the legislation gave to the Federal Communications Commission, not the FBI, the authority to develop an appropriate standard.

Now, the FBI appears to be trying to rewrite the legislative record, by claiming that CALEA requires surveillance capabilities and capacities that go beyond the status quo. Instead of proceeding promptly to implement a narrow set of requirements -- requirements that would preserve the status quo and be largely achievable within currently deployed systems -- the FBI is claiming that CALEA mandates as a baseline the installation of many advanced capabilities that go far beyond traditional wiretap capabilities.


C. Law Enforcement Is Able to Take Advantage of All Advances in Technology

In considering the FBI's claims for enhanced capabilities, it is important to recognize the difference between what CALEA mandated as a minimum national standard for law enforcement access versus the expansions in surveillance capability that were coming about as a result of market-driven technological developments. Before CALEA, some changes in telecommunications technology were making law enforcement surveillance harder, while other changes were making surveillance easier or more productive. CALEA was intended to "preserve the status quo" by ensuring that technological developments did not erode law enforcement access to call content and identifying information. Congress did not intend to impede the development of technology that makes surveillance easier or more fruitful, nor did it intend to deny law enforcement the authority to take advantage of those developments (such as the availability of location information in cellular systems).13

Congress left intact the existing authority under 18 U.S.C. 2518(4), which authorizes law enforcement to take advantage of all technological developments enhancing surveillance capability and requires companies to make available whatever capability they have and to provide special assistance on a case-by-case basis, with compensation. But Congress most assuredly did not mandate the nationwide ubiquitous installation of such enhanced capabilities. Instead, Congress mandated the nationwide availability only of certain minimum features, based upon its understanding of past practices as described in the CALEA hearings and based upon the FBI's description in the CALEA hearings of what its needs were.


D. CALEA Implementation Issues

In broad respects, CALEA is working as Congress intended: The FBI published in the Federal Register a capacity notice that was widely criticized and withdrawn. The FBI has now published a second capacity notice with much more data, 62 Fed. Reg. 1902 (Jan. 14, 1997), but that second notice also raises serious questions, which the Bureau must address in finalizing the capacity requirements. Meanwhile, in terms of capability, industry bodies have drafted "safe harbor" technical standards, to provide the detail necessary to translate CALEA's broad functional requirements into network and equipment specifications. In this standards process, the FBI had extensive input, articulating law enforcement's desires and pushing hard for an expansive reading of the requirements. The industry standards associations, while striving to understand and accommodate law enforcement's interests, adhered to Congress' intent that the CALEA requirements be narrowly interpreted.

We are concerned, however, that the FBI is continuing to press for surveillance features that would expand the government's electronic surveillance capability beyond its current reach, in contravention of the clear intent of CALEA, with implications for privacy and at potentially great cost to industry and/or taxpayers. These expansive demands by the FBI have introduced delay and uncertainty into the CALEA implementation process.

In March 1997, the FBI submitted to Congress an "implementation plan" which glosses over these problems and creates the misleading impression that the CALEA implementation process is running smoothly.14 A response by industry and privacy advocates to the plan is attached to this report as Appendix B. [Part I] [Part II]

If there has been one overall flaw in the process so far, it has been the failure to set priorities. Perhaps due to an understandable concern on the part of law enforcement that it has only one chance now to build surveillance features into the design process, the FBI has adopted the posture that it has to have everything immediately. The objective of preserving law enforcement's surveillance access would be better served by a public process of setting priorities that will give adequate attention to the protection of privacy interests.

In particular, we have identified the following concerns:


1. Expansion of Surveillance Capabilities

The FBI is arguing that CALEA mandates surveillance features that would expand the government's electronic surveillance capability beyond current capabilities, contrary to the intent of CALEA, at great cost to telecommunications companies and/or taxpayers and in some cases with adverse impact on privacy. Perhaps the most troubling of these is the FBI's claim that CALEA mandates cellular and other wireless telephone companies to provide location information on wireless telephone users.

Another capability sought by the FBI is the ability to monitor all conversations during a conference call initiated by a targeted facility, even if the targeted facility is on hold or has hung up from the call.15 Not only is it unclear that such a capability is mandated by CALEA, but it is questionable whether law enforcement has authority under the particularity requirement of the Fourth Amendment and Title III to intercept communications involving only non-targeted facilities just because a targeted facility initiated a conference call.

Much of the controversy hinges on the definition of the CALEA term "call-identifying information." The plain language of CALEA and the legislative history indicate that "call-identifying information" means the numbers dialed by a subscriber to direct a communication, or other signaling information that serves the same call routing purpose as the dialed digits. This includes the switch-based information equivalent to a seven or ten digit phone number that directs a call when a voice dialing or speed dialing feature is used. The term probably also includes information indicating that the party under surveillance has terminated a call by hanging up.

However, the FBI has argued that this term includes location-related information (cell site/sector), including "location-related updates during calls," as well as detailed "call progress" tones relating to both the target of the investigation and persons with whom the target communicates, including: party join/hold messages during three-way calls that indicate when a party who is not the target of the surveillance drops off a three-way call; voice message waiting tones to notify the government when a surveillance target has a voice mail waiting; and feature status messages that notify the government in real time when a surveillance target changes his or her mix of service features.

The FBI's view of CALEA is embodied in a document known as the Electronic Surveillance Interface (ESI). It includes numerous features that go beyond the status quo, and that have no support in CALEA or the legislative history. This effort by the FBI to broadly interpret CALEA to expand law enforcement's capabilities contravenes the clear intent of Congress, as expressed by both House and Senate Judiciary Committees: "The Committee expects industry, law enforcement and the FCC to narrowly interpret the requirements."16 There is a concern that the FBI will seek to dominate the industry balloting process to argue that any standard short of the ESI is deficient.17


2. Location Information

The FBI has been trying to use CALEA to expand its surveillance powers by requiring cellular and other wireless systems to provide location and location update information. Industry is prepared to provide location information whenever it is reasonably available. The dispute has concerned whether location tracking capabilities must be built into wireless systems as a CALEA mandate.

It is clear that Congress did not intend to impose geographic location information as a CALEA requirement with respect to cellular or other wireless systems. Early in 1994, the FBI expressly assured the Congress that CALEA did not mandate provision of location information, and as the negotiations over legislative language progressed no one ever said that any of the changes made were intended to bring location information within the scope of CALEA requirements. (If the FBI or the sponsors ever were to have said that, the negotiations would have ended, as concerns with "location tracking" were a major impediment to enactment of the legislation.) The FBI put location information off the table at an early stage and it stayed off. Specifically, no one indicated that a change in terminology from "call setup information" in an earlier draft to "call-identifying information" in the enacted law was intended to make location information a legislative mandate.

The FBI attempts to expand the definition of call-identifying information by reference to a proviso in the call-identifying requirement, which is the only mention of location information in CALEA itself. Under that provision, carriers are prohibited from giving location information to law enforcement under a pen register or trap and trace authorization. This restriction emerged because, as Congress was advised during the CALEA hearings, location information was already available in some cellular systems and would continue to be available even without a statutory mandate. In response to privacy concerns, Congress included in CALEA the provision that requires carriers to ensure that location information is not provided to law enforcement under the minimal standard for a pen register or trap and trace device. This express prohibition against providing location information in some cases cannot be turned into an implied requirement to provide it in other, unspecified cases, especially given the FBI's express and never retracted assurances on the record that location information was not mandated by CALEA and Congress' injunction that the CALEA requirements must be narrowly interpreted


3. Capacity Requirements

In October 1995, the FBI issued a notice of capacity requirements that failed to include information expressly required under CALEA, namely the projected number of intercepts that law enforcement expected to perform in the future and the geographic areas where those intercepts were expected to occur. The notice was roundly criticized by industry and civil liberties advocates and was withdrawn by the FBI.

On January 14, 1997, the FBI issued a new capacity notice, with the actual number of projected intercepts for each county or service area in the country, and released its baseline data.

For many areas of the country, the FBI methodology in the second notice overstates the historical baseline activity in the following way: The Bureau compiled data, consisting of combined federal, state and local law enforcement surveillance activity for each county or service area nationwide, between 1993 and 1995. From this data, the FBI determined the 24-hour peak of surveillance activity for each switch, over the course of the 26 month survey period. From switch to switch, these peaks did not occur on the same day, let alone "simultaneously," but the FBI added them together to obtain a county-wide or service area-wide "peak" which the notice requires companies to meet as if the surveillances occurred all on the same day.

Moreover, the notice and some of the FBI's informal comments about it have seemed to imply that each carrier operating in a county or service area would have to meet the full county-wide requirement, even if the carrier only served a portion of the customers in the area. Even broader interpretations of the notice, which the FBI has informally disavowed,18 would require carriers to install in each switch a capacity sufficient to meet the requirements projected for an entire county or multi-county service area. Under either of these interpretations, the requirements of the second notice would require industry to install capacity unrelated to historical surveillance activity, costing taxpayers many millions of dollars in unnecessary reimbursement.

The FBI should confirm the narrow reading of the notice on the record and should provide carriers and the public clear criteria for translating the numbers of intercepts into carrier-by-carrier, switch-by-switch obligations. The FBI should reaffirm that it intends to reimburse carriers for all capacity upgrades.


4. Funding

Funds for reimbursing carriers for modifications to existing facilities were not appropriated until the fiscal year that began on October 1, 1996, and none of the funds can be released until the FBI meets certain reporting requirements established by Congress. In an effort to satisfy these requirements, the FBI has transmitted to the Congress an "implementation plan." As explained in Appendix B, the FBI plan is seriously misleading and demonstrates the need for close Congressional oversight of the expenditure of CALEA implementation funds.


5. Public Accountability

While the FBI has now gone a long way towards disclosing information relating to implementation of CALEA's capacity requirements, we are concerned about the lack of a formal means for disclosing publicly information on the government's interpretation of the capability requirements. Last year, the FBI issued a document, known as the Electronic Surveillance Interface (ESI), that detailed how the FBI interpreted one of CALEA's four requirements: the delivery of intercepted call content and identifying information to law enforcement. The document was originally circulated only to telephone companies and manufacturers, under a non-disclosure agreement, so privacy and other public interest organizations were not authorized to receive it. (On an unauthorized basis, the document has received wider circulation.) The FBI circulated to select recipients a legal memorandum analyzing the call-identifying requirement of the legislation. There has been no other documentation defining how the FBI interprets the call content requirement of the statute.

Meanwhile, the FBI is trying to require carriers to enter into "cooperative agreements" with it, asserting that only by signing a cooperative agreement can a carrier be reimbursed. In addition to offering the FBI an avenue to impose on carriers terms and conditions not mandated by CALEA, the cooperative agreements would remove the CALEA implementation process out of the public eye and into the realm of contract negotiation.

CALEA's goal of accountability is also undermined to the extent that the costs of CALEA compliance are shifted to the telephone companies: the less that the costs of retrofitting equipment are subject to reimbursement, the less are they subject to the control and public oversight of the Congressional appropriations process.


6. Compliance Deadlines and Reimbursement

The effective date of the CALEA capability requirements is October 25, 1998, four years after the date of enactment. (Different rules apply to compliance with the capacity requirements.) CALEA provides that network facilities deployed on or before January 1, 1995 are deemed to be in compliance with the Act until they are replaced, significantly upgraded or otherwise undergo major modification. CALEA sec. 108(c)(3), 47 U.S.C. 1007(c)(3). Congress assumed that, as such facilities were replaced, significantly upgraded or underwent major modification, they could be brought into compliance with CALEA at minimal expense. (The government can secure immediate compliance before the equipment is replaced or upgraded if it pays for retrofitting.)

However, Congress recognized that it might be difficult to retrofit equipment deployed after January 1, 1995. Therefore, it specified that equipment deployed after January 1, 1995 had to be rendered compliant at industry expense only if compliance was "reasonably achievable." CALEA established a proceeding at the FCC to determine whether compliance is "reasonably achievable" with respect to any equipment, facility, or service installed or deployed after January 1, 1995. It is not clear, however, that an FCC proceeding is the only mechanism to make that determination. CALEA could be read as allowing the Attorney General, in the absence of an FCC proceeding, to determine that compliance is not reasonably achievable. (The Attorney General could not, however, overrule the FCC, deciding that compliance was reasonably achievable if the FCC found it was not).

Telephone company networks have changed far more rapidly than Congress anticipated as recently as 1994, when CALEA was being drafted. The Telecommunications Reform Act of 1996 accelerated the pace at which new features and new technologies, not to mention entirely new service providers, are entering the market. Already, companies comprising the United States Telephone Association report that since January 1, 1995 they have replaced, upgraded or modified software and/or hardware in over 50%, and possibly up to 75%, of their networks.

Meanwhile, however, despite good faith efforts by both law enforcement and industry, the adoption of industry standards and the issuance of capacity requirements have lagged as industry and the FBI have made efforts to resolve disputes over whether surveillance capabilities and capacities urged by the FBI exceed the parameters of CALEA.

Consequently, deployment of "CALEA-compliant" technology is as impractical today as it was the day CALEA was enacted. Given the delay in developing industry standards and the lack of a finalized capacity notice, it has been impossible for companies to ensure that upgrades and modifications made, and new equipment installed, after January 1, 1995 are "CALEA-compliant" in the view of the FBI.

Indeed, in its implementation plan submitted to Congress in March 1997, the FBI essentially admitted that the October 1998 deadline cannot be met with respect to equipment installed or substantially modified after January 1, 1995. The implementation plan notes that standard industry business practices throughout the telecommunications industry require a 6 month systems engineering process followed by a 12 month engineering development process, before systems deployment can begin. As the FBI notes, systems engineering cannot begin until requirements are determined. The earliest that requirements will be available, in the form of the industry standard, is the second quarter of 1997.19 Therefore, even under the FBI's view, solutions will not be available for installation in carriers' networks until the very end of 1998, at the earliest.

We recognize that Congress was serious about the CALEA deadlines. On the other hand, Congress wove throughout CALEA the concept of reasonableness. Congress intended that reimbursement would be available for retrofitting equipment installed after January 1, 1995 if compliance was not reasonably achievable. It should now be clear that, so long as the FBI insists on interpreting CALEA as imposing mandates that go beyond the status quo, compliance is not "reasonably achievable" for facilities, features and services deployed after January 1, 1995, until the standards and the technology to meet them are available. The industry standard has now been drafted and is undergoing balloting, through June 24. The test for determining when compliance is reasonable should be based on when the concept of CALEA-compliance is settled through the standards process, when "real" capacity numbers are known, and when the technology is reasonably available, taking deployment needs into account. Until then, equipment upgraded or deployed after January 1, 1995 should be deemed in compliance (unless the Attorney General agrees to reimburse carriers for modifications). We note that a challenge by the FBI to the industry standard currently in its final stages would further delay implementation.

We also note in this regard that there is no crisis in law enforcement access to new technologies. There is no common carrier technology or system in service that is "untappable." Every year, despite the introduction of new digital technologies and equipment, the number of wiretaps successfully executed goes up. Indeed, the industry knows of not a single case in which it was impossible to carry out a wiretap order. The type of problems that have arisen have involved situations where law enforcement can intercept some but not all of a target's communications. One example is forwarded calls.20 But this is a problem that has existed for 20 years. Problems have been encountered in some cellular systems, but they have concerned primarily the capacity of cellular switches to accommodate multiple simultaneous taps; cellular switches are readily tapped and capacity problems were being addressed even before CALEA was enacted.


7. Privacy and Security

Congressional attention needs to be given to whether the implementation process has adequately addressed the requirement in Section 103(a)(4) that CALEA implementation decisions be made in a way that protects the privacy and security of communications not authorized to be intercepted, and the requirement in Section 105 that carriers ensure that any interception within their switching premises be activated only in compliance with a court order and with the affirmative intervention of an individual officer or employee of the carrier. Attention also needs to be given to law enforcement compliance with the new language in the pen register and trap and trace section, 18 U.S.C. 3121(c), requiring the use of reasonably available technology that limits pen registers and trap and trace devices to the collection only of "dialing and signaling information used in call processing." In its capacity notice, the FBI did not draw a distinction between capacity for call content interceptions and capacity for pen registers and trap and trace devices, seemingly requiring the same type of capacity for both, even though 90% of law enforcement intercepts are of the later, less intrusive type.


8. CALEA Coverage

For a decade, the government has had clear authority to intercept E-mail and other on-line services. Because there was no problem intercepting E-mail, CALEA did not require Internet service providers to design their systems to satisfy law enforcement requirements. Instead, CALEA requires the providers of telephone service to meet CALEA standards, and law enforcement will intercept whatever traverses the telephone line, including e-mail or other Internet services. The evidence so far is that this approach was correct, and FBI officials have indicated to the DPSWG electronic surveillance task force that they are satisfied with the coverage of CALEA, focusing on the public switched network. Generally, it appears that there are no "untappable" communications services available or under development. However, we continue to hear expressions of concern that the FBI wishes to revisit the scope of CALEA coverage.

In addition, there continue to be concerns on the part of the local exchange operators that the FBI is focusing solely on them and is ignoring the competitive access providers and other new entrants, even though such competitors are clearly within the definition of "telecommunications carrier."


V. Government Efforts to Control Encryption Technology

Illegal electronic intrusion into computer networks is a rapidly escalating crime problem. White collar criminals, economic espionage agents, organized crime groups, foreign intelligence agents, and terrorist groups have been identified as "electronic intruders" responsible for penetrations of American computer networks. It is estimated that the Pentagon's computers are subject to hackers' attempts 250,000 times a year. The United States Government relies upon the National Information Infrastructure (NII) for the efficient, uninterrupted flow of electronic information for air traffic control, military communications, energy distribution, public safety, and other essential government programs and services. Intelligence and industry forecasts indicate the United States is just beginning to realize the potentially damaging effects and extent of the computer crime problem. U.S. Department of Justice, Federal Bureau of Investigation, "FY 1998 Authorization and Budget Request for the Congress," at A-3 (1997).
[O]n balance, the advantages of more widespread use of cryptography outweigh the disadvantages. National Research Council, "Cryptography's Role in Securing the Information Society," 300 (1996) ("NRC Report").

Newer communications media are inherently insecure. Wireless telephones have great advantages in convenience compared with wireline counterparts. Yet, since wireless phones transmit over the airwaves, eavesdropping is easier not only for curious neighbors but also for burglars identifying potential targets and industrial spies stealing trade secrets. Similarly, decentralized computer networks such as the Internet have low barriers to entry, are much less expensive, are more robust and can be used to accomplish a far greater variety of tasks than the proprietary networks of the past, but, again, at the expense of intrinsic security. The vulnerabilities of the national and global information infrastructures have been recognized not only by the FBI, but also by the Defense Science Board Task Force on Information Warfare-Defense21 and by President Clinton in creating the Commission on Critical Infrastructure Protection.22

Given these inherent vulnerabilities, widespread use of encryption to protect communications and stored data is essential to prevent fraud and other forms of crime in the digital age. At the same time, encryption poses challenges to law enforcement and national security agencies, which have raised the specter of criminal suspects' undecipherable stored information or voice communications. We agree with the NRC that, on balance, the security-enhancing, crime-preventing benefits of encryption outweigh the impediments to law enforcement.

The current debate over control of encryption technology is in some ways a conflict between two competing models of security, (i) one in which private individuals, businesses and governments choose from a variety of encryption options to protect their security, and (ii) the other, in which the federal government assumes primary responsibility for protecting personal and business as well as governmental security through government-promoted weaknesses in encryption technology. The centralized model of security based on government-controlled encryption weaknesses is incompatible with certain defining characteristics of the digital communications revolution: decentralization, competition, globalization, and the dynamics of decreasing cost and increasing computing power that have put more control and more choices in the hands of end users.

While there are law enforcement equities on both sides of the encryption issue, the privacy and commercial benefits of encryption are unchallenged, and ultimately dispositive.23 The Executive Branch's various efforts to impose a centralized model of security on a decentralized medium have delayed full realization of the Internet's economic, personal and democratizing potential and have hurt the competitiveness of American computer companies by prohibiting the export abroad -- and thereby inhibiting the use in the U.S. -- of strong encryption that is already available overseas.

We note the following:

(1) The vulnerabilities of unencrypted computer files and electronic communications (because of the open, decentralized, interconnected nature of the medium) are well-documented, and are acknowledged by the government. The losses to date from inadequate system security are enormous. In one series of transactions in 1994, an international group of criminals penetrated Citicorp's computerized electronic transfer system and moved about $12 million from legitimate customer accounts into their own accounts in banks around the world. The National Research Council recently concluded: "Of all the information vulnerabilities facing U.S. companies internationally, electronic vulnerabilities appear to be the most significant." NRC Report, supra, at 31.

(2) The application of encryption technology is still evolving, rapidly. The market is still developing mechanisms for verifying digital identities and handling keys. The fact that the technology and its applications are still undergoing rapid development, driven by user needs, is further evidence that government controls should be viewed skeptically, for government controls are most likely to have the effect of stifling the development of viable solutions.

(3) In the four years since the Clipper Chip was introduced, the market has rejected all government proposals to control encryption technology. Proposals for government agencies to serve as key escrow agents involve a level of vulnerability that is unacceptable to business and individual users. Other approaches that depend upon government licensing or "registration" of escrow agents or other forms of government control of decryption mechanisms (including proposals to require key recovery features as a condition of receiving public key certificates) are also not viable. The type of ubiquitous, near-instantaneous key escrow, key recovery, or key management "infrastructure" sought by the U.S. government is so complex, so vulnerable, so expensive and/or so cumbersome -- so fundamentally at odds with user needs -- that it will not by accepted by users. (If an encryption system is expensive or cumbersome, it will not be widely used.)

(4) There is no policy option that can prevent criminals from using strong encryption. Strong non-escrowed encryption is and will continue to be available to the committed. There are currently over 500 encryption products available worldwide. Even under the current regime of tight export controls, law enforcement has encountered strong encryption in the hands of criminals.

(5) While it is clear that most businesses and individuals will not trust the government or government-dictated private structures to hold their keys, many believe that under some encryption applications, particularly those involving stored data, some users are interested in securing a means to recover their encrypted data if they lose their own key. (We see less incentive for development of key escrow for transmissions.) Market-based efforts to address this problem -- responses to user needs -- are resulting in a range of "key escrow," "key recovery," or "trusted third party" systems for decryption assistance. These are quite different from the systems proposed by the Administration under its legislative proposal, which is voluntary in name only.

(6) Regardless of the use of encryption, law enforcement will be able to satisfy many of its needs. In many cases (e.g., suspects communicating with their banks or engaging in credit card transactions, or other on-line commercial transactions) there will be plaintext of messages and data readily available to the government by subpoena or other legal process. In other cases, the user-driven, user-controlled data-recovery or key escrow procedures will satisfy the government's basic access needs for stored data.

(7) If user-driven systems for key escrow, data recovery or decryption assistance gain market acceptance, government attempts to access such keys or decryption assistance will raise important privacy interests. There is a need for legislation setting clear privacy standards for government access to keys and decryption assistance held by second or third parties, standards that prohibit escrow agents from providing keys or decryption assistance except in conformity with a court order issued upon a finding of probable cause and a showing that there is no feasible alternative of obtaining the plaintext, and requiring minimization in the use of the key or assistance. (However, combining such privacy protections with maintenance of export controls or with other policies intended to coerce users to escrow their keys is not a valid approach; it merely perpetuates the harmful policy.)

The Center for Democracy and Technology, the coordinator of DPSWG, has organized a study of key escrow by some of the world's leading authorities in encryption and computer security. The purpose of the study is to examine the technical and operational aspects of the Administration's proposal for "key management." The report of the experts on their findings has been issued and is available at http://www.crypto.com/key_study/.


VI. Protecting Wireless Communications

By extending the privacy protections of Title III to certain wireless telephone conversations with enactment of ECPA in 1986, Congress sought to balance three goals: (1) to provide strong legal protections for specified wireless communications, (2) to afford law enforcement a carefully limited authority to intercept wireless communications in serious cases, and (3) to encourage the development and widespread availability of wireless communications technologies. When it enacted ECPA, Congress knew that it would have to return to the law of communications privacy periodically, as technology continued changing. As we indicate throughout this report, we are now, due to a series of developments, at a juncture that requires a careful examination of the adequacy of privacy protection legislation.

Some of these developments have occurred in the realm of wireless communications: Wireless telephones have become commonplace and are now widely used by more than 46 million ordinary citizens. Moreover, wireless transmission is no longer important only for voice communication, but is becoming increasingly important for data transfer and as the gateway to the global information infrastructure. Wireless modems, wireless faxes, wireless PBXs (private branch exchanges, or switchboards), and wireless local area networks are linking computers and transferring data that could include proprietary information, medical records, and financial data. Wireless links are becoming more and more important as access points to the global information network.

In the network of networks that comprises the telecommunications "system" of today and the future, it is no longer appropriate to look at wireless telephone systems as distinct from wireline systems or to look at the telephone system as separate from the Internet. We are seeing a merger of voice, data, and visual communication, carried interoperably over both wireless and wireline channels.

In this context of a global communications network increasingly dependent on wireless links, it is a serious invasion of privacy to eavesdrop on wireless telephone conversations. Wireless eavesdroppers are invading the privacy not only of the person who is using a wireless phone, but also of anybody else who is on the conversation using an ordinary landline telephone. As wireless telephones become more ubiquitous, scanning threatens the privacy of all telephone users.

In light of these developments, we have the following recommendations:

  • The privacy protections of ECPA should be extended unambiguously to wireless data transfers. At a time when wireless local area networks are proliferating and wireless data transmissions could be used for everything from proprietary data to medical records, the law should be perfectly clear that wireless data transfers are protected to the same extent as wireless voice communications.

    The status of legal protection for wireless data transfers has a confused history, leaving it unclear whether they are currently protected by ECPA. An earlier industry and privacy task force concluded in 1991 that wireless transfers of data might not be covered by ECPA, and recommended that coverage be extended.24 In 1994, in CALEA and with the support of the Administration, Congress passed a provision making it clear that the privacy of wireless data transfers was protected by ECPA. CALEA, Section 203, amending 18 U.S.C. 2510(16). But less than two years later, in the anti-terrorism act of 1996, Congress repealed the provision on the basis of the Justice Department's claim that the 1994 amendment was inappropriately overbroad. Pub. L. 104-132, Section 731.25 Acceptable statutory language should be found to clear up the confusion and make unambiguous the extension of ECPA to wireless data.


  • ECPA made it a crime to manufacture, sell, assemble, possess or advertise any device that is "primarily useful" for the interception of wireless telephone conversations. 18 U.S.C. 2512. Unfortunately, the effectiveness of this provision is quite limited, since it is difficult to prove that a device capable of intercepting cellular and a range of other frequencies is "primarily useful" for prohibited interceptions. Congress should consider deleting the word "primarily," at least as it affects manufacture, sale, assembly, and advertisement.


  • The manufacture and import of scanners equipped or readily alterable to receive transmissions in frequencies assigned to the "domestic cellular radio telecommunications service" are prohibited under Section 302(d) of the Communications Act, 47 U.S.C. 302a(d). However, since the enactment of this provision, a new category of services called "commercial mobile radio services" has been created, into which cellular, as well as additional mobile services at different frequency ranges, such as personal communications systems (PCS), have been added. The law does not appear to prohibit manufacture and import of devices equipped to scan these frequencies. Congress should extend the section 302 prohibition to the parts of the spectrum used for PCS and other wireless telephone communications.


  • Congress should also consider requiring manufacturers to harden the electronics of scanners to make modification harder and amending Section 302 to make it clear that "manufacture" includes modification.


  • Wireless telephone systems are developing the capability to provide more refined location information on wireless phone users. Nonconsensual government monitoring of location through a wireless phone implicates privacy interests.26 Since wireless telephones are regularly carried into places where a person has a reasonable expectation of privacy, Congress should clarify the law by requiring a warrant based on a showing of probable cause for nonconsensual governmental access to real-time wireless telephone location information.


VII. Amending the Wiretap Laws

For the past quarter century, the law of this nation regarding electronic surveillance has sought to balance the interests of privacy and law enforcement. In 1968, the Senate report on Title III stated explicitly that the legislation "has as its dual purpose (1) protecting the privacy of wire and oral communications and (2) delineating on a uniform basis the circumstances and conditions under which the interception of wire and oral communications may be authorized." As telecommunications technology continued to change, Congress was again required to respond legislatively to preserve the balance between privacy and law enforcement, by enacting the Electronic Communications Privacy Act of 1986. CALEA again sought to preserve that balance, while adding to the balance a third factor: supporting the development of new telecommunications services and technologies.

Unfortunately, this balance among the interests of law enforcement, privacy and technological innovation came under challenge in the 104th Congress. As noted above, the Justice Department sought and obtained repeal of one of the privacy protections that were adopted in CALEA. In addition, the carefully crafted procedures of FISA were made inapplicable to certain deportation proceedings. Further, the President sought in his terrorism legislation a series of other changes in the wiretap laws that would have: (a) weakened the sanctions against illegal government wiretapping; (b) weakened the standards for so-called "roving taps;" and (c) expanded the availability of warrantless taps in "emergency" situations. While these other changes were ultimately rejected, they were considered and debated without attention to counterbalancing proposals to enhance privacy.

The changes in the wiretap laws sought by the Clinton Administration may be considered again in the 105th Congress. In July 1996, the Department of Justice submitted to Congress a report recommending 8 amendments to the federal electronic surveillance laws, including a major change in the statute's exclusionary rule, a loosening of the standard for "roving taps," and additional authority for emergency wiretaps without judicial approval. The report stated that "several other proposed amendments are under consideration by the Department, . . . [which] are expected to be submitted to Congress at a later time."

Significantly, the Justice Department report was able to identify only one revision to the wiretap laws that would have enabled law enforcement authorities to better fulfill their responsibilities. This was the addition of an additional predicate offense for use of wiretapping, namely, 18 U.S.C. 842, involving manufacturing, dealing in, and importing explosive materials without a license and the unlawful distribution of explosive materials.

If amendments to the wiretap laws are to be considered, then it must be in the context that gives equal weight to an examination of issues from a privacy perspective, including the adequacy of the minimization rule and the need to clarify the requirement that law enforcement exhaust other techniques before seeking an interception order.


1. Excusing Violations of the Wiretap Laws

The Administration has proposed amending Title III to allow courts to receive evidence obtained in violation of the law. Although sometimes described as a good faith exception, the Administration proposal requires a person to prove "bad faith" on the part of the government, a usually impossible undertaking. The proposal is not limited to situations where law enforcement officers relied on a technically defective warrant. The proposal would apply to all of the provisions of the wiretap law, including those governing the conduct of the government after the warrant is issued. Thus, it would remove the only real incentive against violating such central protections as the minimization and evidence preservation rules. As noted above, the secretive, on-going, and potentially general nature of electronic searches make them problematic constitutionally, but it has been considered that the special requirements imposed by Title III resolve any Fourth Amendment doubts. The Administration proposal would render those special statutory protections largely meaningless.

The justification for the Administration proposal is unclear. The Supreme Court has already held that the statutory suppression or exclusion rule in Title III is not to be applied to technical violations. United States v. Giordano, 416 U.S. 505 (1974).

When Congress adopted Title III, it concluded that the provision the Administration proposes to amend was "an integral part of the system of limitations designed to protect privacy." Omnibus Crime Control and Safe Streets Act, S. Rpt. no. 1097, 90th Cong., 2d Sess. (1968) at p. 96. The Administration proposal would seriously undermine the protections against abuse of the right to be protected against unreasonable searches and seizures.


2. Roving Wiretaps

The Justice Department has proposed loosening the standard for so-called roving or multi-point wiretaps. Roving taps -- taps placed on a phone line other than the line subscribed to by the target of a surveillance order -- are considered especially sensitive because they often entail tapping the phone of someone who is not the subject of an investigation and not suspected of any involvement in criminal conduct. The Justice Department argues that the current statute requires the government to show the subjective intent of the subject to evade interception. The Department argues that it should be enough that the subject's actions have the objective result of thwarting interception. If Congress changes the standard for roving taps, it should add to the law an explicit prohibition against interception of the conversations of innocent third parties, so that such conversations would be outside the scope of the warrant. This conforms to stated Justice Department policy and the few lower court decisions, but it would be desirable to write the principle into the Title III statute.


3. Emergency Wiretaps

Title III allows the use of wiretapping without court approval in emergency situations involving (i) immediate danger of death or serious physical injury, (ii) threats to the national security, or (iii) organized crime. In such cases, an application for a court order must be filed within 48 hours. 18 U.S.C. 2518(7). The Administration has recommended expanding this emergency authority to include terrorism cases that do not involve an immediate danger of injury or threat to the national security.

More appropriate than the Administration's proposed change would be a careful reexamination of the Title III emergency exception itself. The emergency exception was enacted in 1968. Now, given the pervasiveness of faxes, wireless telephones, and e-mail, it is hard to understand why it would ever be impossible or even difficult to reach a federal judge to obtain prior approval for electronic surveillance. It should be noted that in 1977 the Federal Rules of Criminal Procedure were amended to allow for telephonic submission of search warrant applications and affidavits in emergency situations, with procedures for contemporaneous recording of the oral testimony supporting probable cause. F. R. Crim. P. 41(c)(2). In addition, reference might be made to the emergency procedures under FISA, 50 U.S.C. 1805(e), written in 1979, which allow emergency taps for only 24 hours and require the notification of a FISA judge at the same time that the emergency approval is granted.


4. Review of FISA is Necessary

The Foreign Intelligence Surveillance Act, 50 U.S.C. 1801 et seq., is unique in that there is usually never any notice to the target of the surveillance, since the target is never notified unless a criminal prosecution ensues, and never therefore has an opportunity for after-the-fact adversarial review of the legality of the taps. Even if there is a criminal investigation and notice is provided, the adversarial hearing is inadequate because the target is not allowed to see the affidavit that provided the basis for the order. The increasing use of FISA intercepts in criminal cases suggests that FISA is turning out to be a bigger than expected exception to ordinary wiretap procedures. In espionage cases involving U.S. persons, long after it is clear that the subject is suspected of engaging in espionage, and long after there is adequate basis to open a criminal case and obtain a wiretap order under Title III, the FBI continues to proceed under a FISA order, maintaining that the investigation serves a dual purpose of counterintelligence and criminal investigation. This is directly contrary to the intent of FISA.


VIII. International Issues

The Internet is a global medium. One of its great strengths is the ease with which it spans the globe: information flows as effortlessly from New York to Nairobi as from one building to another in Washington, DC. Moreover, a communication from New York to Nairobi might travel through the United Kingdom and five other countries one day, but through France and five different countries the next. In this global context, it has been said, the U.S. Bill of Rights is a local ordinance, meaning that the U.S. constitutional guarantees (and the procedures of the U.S. wiretap laws) offer no privacy protection against foreign government interception of the communications of U.S. citizens that cross national borders. Further, it has been held that the U.S. wiretap statutes have no extraterritorial application. Congress should determine what are the current Justice Department practices and claims of authority in terms of electronic surveillance abroad and the introduction in U.S. courts of electronic surveillance evidence obtained abroad. Congress should consider applying the court order requirements of Title III and FISA to interceptions of communications by the U.S. government abroad for use in U.S. criminal cases.

If commercial key escrow systems achieve acceptance in the U.S., foreign governments are likely to seek access to escrowed keys and decryption assistance, raising the question of standards to be applied when a foreign government seeks cooperation of U.S. authorities. A foreign request should have to satisfy three criteria: the foreign government should comply with the treaty and other standards normally governing the provision of U.S. legal assistance to that government; the foreign request should have to meet a standard at least as high as domestic law enforcement agencies (in our view, a U.S. court order based on a showing of legal authority to obtain the underlying communication or data and specific need for the decryption assistance); and standards should be in place that prohibit the disclosure of keys or decryption assistance for political offenses or other activity that would be protected under the U.S. First Amendment or to foreign governments that do not adhere to minimum standards of due process and privacy protection.

We note that U.S. government agencies, particularly the FBI, have also been promoting the adoption of CALEA-type standards on an international scale. In June 1993, the FBI hosted an international conference on telecommunications interception at Quantico. In 1994, the "Barrett Commission" in Australia issued a report entitled Review of the Long Term Cost Effectiveness of Telecommunications Interception, which, noting the FBI's role, supported the development of "international user requirements" as the most effective means of "international cooperation to ensure that law enforcement's needs are taken into account in the development of new technology." In 1995, the Council of the European Union adopted a set of interception requirements for telecommunications systems, similar to the requirements developed by the FBI, and urged Member States to implement the requirements with respect to systems and service providers in their own countries. Efforts were also undertaken to urge non-EU countries to adopt the requirements. In 1996, the Telecommunications Standardization Sector of the International Telecommunication Union was urged by Australia to include the EU surveillance requirements in its recommendations.

The DPSWG electronic surveillance task force is currently examining international efforts, some undertaken or supported by the U.S., that are underway to control encryption technology, particularly through the promotion of trusted third party key recovery systems that would allow for transnational governmental access.


Notes

1 Berger v. New York, 388 U.S. 41 (1967), Katz v. U.S. , 389 U.S. 347 (1967). Back

2 18 U.S.C. 2510 et seq. Back

3 As of December 31, 1995, forty jurisdictions (including the District of Columbia, Puerto Rico, and the Virgin Islands) had laws on the books authorizing wiretapping, while thirteen states (including, e.g., Arkansas, Maine, Michigan, North Carolina, South Carolina, and Tennessee) did not allow wiretapping by state and local police. Every year, about half of the states that do authorize wiretapping report not a single use of it by state and local law enforcement agencies, according to the annual Wiretap Reports of the Administrative Office of the United States Courts. In 1995, for example, over half of the states that authorized wiretapping (22 out of 40) did not utilize the technique (including, e.g., Illinois, Ohio, Oregon, Virginia, and Wisconsin). Back

4 For example, the separation of telephone communications into a signaling channel and call content channels can minimize the provision of call content information to law enforcement agencies not authorized to intercept call content. In the past, a law enforcement agency conducting a pen register interception accessed the entire customer line, including the content of conversations. Now, the carrier can provide to law enforcement executing a pen register order only the dialing information which law enforcement is authorized to intercept. Back

5 ECPA in fact did not extend all of Title III's protections to electronic communications. The court order authorizing the interception of electronic communications can be based upon suspected violations of any federal felony, rather than the limited list of crimes that can serve as a predicate for telephone interceptions. In addition, no statutory exclusionary rule applies to non-voice interceptions that violate the procedures in the law. Back

6 "FBI budget justification for FY 1992," p. 67, reprinted in "Departments of Commerce, Justice, and State, the Judiciary, and Related Agencies Appropriations for 1992," Hearings before a Subcommittee of the House Committee on Appropriations, 102nd Cong., 1st Sess., part 2 (1991) at p. 738. Back

7 Testimony of Thomas E. Wheeler, President, Cellular Telecommunications Industry Association, "Digital Telephony and Law Enforcement Access to Advanced Telecommunications Technologies and Services," Joint Hearings before the Senate Judiciary Committee and the House Judiciary Committee, 103rd Cong., 2d Sess. (1994) ("Digital Telephony Hearings") at 152. Back

8 In June 1996, the FCC adopted a Report and Order and Notice of Proposed Rulemaking in Docket 94-102, requiring wireless service providers to modify their systems within 18 months to enable them to relay to public safety authorities the cell site location of 911 callers. Further, the FCC ordered carriers to take steps over the next 5 years to deploy the capability to provide latitude and longitude information of wireless telephone callers within 125 meters. Finally, the FCC proposed requiring at the end of the 5 year period that covered carriers have the capability to locate a caller within a 40 foot radius for longitude, latitude and altitude, thereby, for example, locating the caller within a tall building.http://www.fcc.gov/Bureaus/Wireless/Orders/1996/fcc96264.txt. Back

9 Testimony of Thomas E. Wheeler, "Digital Telephony Hearings," supra, at 152-54. Back

10 United States v. Rodriguez, 968 F.2d 130, 135 (2d Cir. 1992), cert. denied, 113 S.Ct. 139, 140, 663 (1992). Back

11 Jim McGee, "Military Seeks Balance in Delicate Mission: The Drug War," Washington Post, Nov. 29, 1996, p. A1. Back

12 Richard A. Serrano, "Agencies Seek Update in Wireless Access," Los Angeles Times, Nov. 29, 1996. Back

13 Congress did intend in CALEA to raise the legal standard for access to certain categories of information, including location information that was already available in some systems and transactional data associated with e-mail. Back

14 The FBI plan can be found at http://www.cdt.org/digi_tele/CALEA_plan.html. Back

15 The matter arises as follows: A is the intercept subject. A sets up a conference call with B and C using the conference call capability provided by A's service provider. Then A puts B and C on hold (or hangs up entirely) and calls D. The FBI is seeking the delivery of both A's conversation with D and the conversation between B and C. It is not clear that there is legal authority to intercept the ongoing conversation between B and C after A has hung up. Title III, embodying the Fourth Amendment standard of particularity, requires the specification in the order of the telephone facility to be tapped and the particular conversations to be seized. The Supreme Court has held that conversations between unknown individuals using a specified telephone line could be lawfully intercepted under Title III. United States v. Kahn, 415 U.S. 143 (1973). And lower courts have upheld the roving tap authority so long as it is limited to the interception only of conversations of named subjects. No court has held that there is authority to intercept the communications of unknown persons using unspecified facilities. Back

16 "The Committee intends the assistance requirements in section 2602 to be both a floor and a ceiling. The FBI Director testified that the legislation was intended to preserve the status quo, that it was intended to provide law enforcement no more and no less access to information than it had in the past. The Committee urges against overbroad interpretation of the requirements. . . . The Committee expects industry, law enforcement and the FCC to narrowly interpret the requirements." "Telecommunications Carrier Assistance to the Government," Report of the House Judiciary Committee on H.R. 4922, Rept. 103-827, Part 1, 103rd Cong., 2d Sess. (October 4, 1994), at pp. 22-23; "The Digital Telephony Bill of 1994," Report of the Senate Judiciary Committee on S. 2375, Rept. 103-402, 103rd Cong., 2d Sess. (1994) at pp. 22-23. http://www.epic.org/privacy/wiretap/H_Rpt_103_827.txt [no longer available]. Back

17 CALEA is consistent with the general federal policy that requires agencies to use technical standards developed by voluntary consensus bodies whenever possible. National Technology Transfer Act, Sec. 12(d), Pub. L. 104-113. OMB guidelines prohibit agencies from dominating industry standards proceedings. OMB Circular No. A-119. Back

18 "'We never planned to require the industry to meet capacity requirements on a switch-by-switch basis," James Kallstrom, head of the FBI office in New York said. 'That would be crazy.'" John Markoff, "Dispute Arises over Proposal For Wiretaps," New York Times, February 15, 1997, p. 35. Back

19 The implementation plan says that systems engineering efforts "are expected to begin in the second quarter of FY 1997." The FBI must have meant second quarter of calendar 1997, since the implementation plan was filed well into the second quarter of the fiscal year and systems engineering had not yet begun. Back

20 Under standard conditions, a tap on a targeted phone does not capture calls forwarded at the switch to another location. Back

21 Report of the Defense Science Board Task Force on Information Warfare-Defense (November 1996). The Task Force recommended spending $3 billion over the next five years hardening the nation's telecommunications infrastructure against attack, noting that the Defense Information Infrastructure is largely dependent upon the commercial telecommunications system. Back

22 E.O. 13010 (July 15, 1996). http://pccip.gov [site on longer available; possibly refer to http://www.nipc.gov/ Oct. 8, 1999] The President created the Commission in response to threats that include "computer-based attacks on the information or communications components that control critical infrastrutures," such as transportation, energy and water supply, and banking and finance. Back

23 It has also been argued that there is a First Amendment right to use and export encryption. Back

24 "Final Report of the Privacy and Technology Task Force Submitted to Senator Patrick J. Leahy," reprinted in "Digital Telephony Hearings," supra, at 179, 183. Back

25 The repeal came at the behest of the Justice Department, which argued that the privacy provision was inappropriately overbroad, and included ham radio and CB radio broadcasts, which should not be privacy-protected. The Justice Department, reversing the Administration's earlier provision, argued that wireless data transfers were already protected. Rather than propose narrower language to make that clear, the Administration successfully argued for repeal of the entire provision. In the context of the many issues in the terrorism bill, this one received little attention. Back

26 In United States v. Karo, 468 U.S. 705 (1984), the Supreme Court held that the monitoring of a beeper in a private location is a search subject to the Fourth Amendment warrant requirement. The Court distinguished this from the use of a beeper to follow an object being transported on the public roads, or to monitor the general vicinity of an object, both of which had been held not to implicate the Fourth Amendment in United States v. Knotts, 460 U.S. 276 (1983). Obviously, wireless phones are carried by their users into places where there is a legitimate expectation of privacy. Wireless phone location tracking through the facilities of service providers is becoming more precise, as a result of the E911 requirements imposed by the FCC (see footnote 8 above), and as a result of technical developments that are producing smaller and smaller cell sites and cell sectors. If anything, monitoring the location of wireless phones is more intrusive than the use of a beeper. The beeper cases usually involve the attachment of the beeper to an object (often contraband or precursor chemicals for illegal drug manufacture). Unlike drums of precursor chemicals, cellular phones are often directly associated with an individual user. They implicate movements of the person going about his or her daily life and entering a variety of locations (homes, offices) where there is a legitimate expectation of privacy. The ongoing nature of such monitoring (as opposed to the tracking of a barrel of precursor chemicals from the manufacturer to the clandestine laboratory in the typical beeper case) raises much more serious privacy interests. These interests merit full Fourth Amendment protection. Back



Return To Info    Return To Home

 

ADVANCED ELECTRONIC SECURITY COMPANY bug sweeping bugsweeps
760-668-2245

Email: bugsweeps@earthlink.net

Over 30 years of specialized service
over 2,500 locations swept.
PLEASE DO NOT CONTACT US
FROM A SUSPECT TELEPHONE OR FACILITY
WHEN INQUIRING ABOUT BUG SWEEPING OR OUR
SERVICES AND SURVEYS.

Read About Us Here - Electronic Bug Sweeps bugsweeps
Read about us in
Business Week