STATEMENT OF JAMES X. DEMPSEY
SENIOR STAFF COUNSEL
CENTER FOR DEMOCRACY AND TECHNOLOGY
SUBCOMMITTEE ON TELECOMMUNICATIONS, TRADE,
AND CONSUMER PROTECTION
HOUSE COMMITTEE ON COMMERCE
WIRELESS PRIVACY ENHANCEMENT ACT OF 1999
WIRELESS COMMUNICATIONS AND PUBLIC SAFETY ENHANCEMENT ACT OF 1999
FEBRUARY 3, 1999
Mr. Chairman and Members of the Subcommittee, my name is Jim Dempsey. I am senior staff counsel at the Center for Democracy and Technology. The Center is pleased to have this opportunity to testify before the Subcommittee on one of the critical civil liberties issues of our time: the protection of privacy in the new communications media, which enhance our lives in so many ways and hold such potential for promoting freedom, but at the same time pose obvious risks to privacy.
The Center for Democracy and Technology is an independent, non-profit public interest policy organization in Washington, DC. The Centers mission is to develop and implement public policies that protect and advance individual liberty and democratic values in the new digital media. We believe that the privacy challenges presented by these new technologies can best be addressed through a combination of technology tools, sound industry practices, and enforceable legal baselines.
Today, the Subcommittee has before it two bills that advance the protection of privacy in modest ways. These bills also highlight some of the broader privacy issues that the Subcommittee should address as the term progresses.
The essence of our message is that privacy must be protected from the outset of the design of any communications or information system and must be a component of any legislation setting policy for telecommunications and electronic commerce. Unfortunately, this lesson has still not been learned. We have recently seen the Intel Corporation proudly announce its powerful new Pentium III processor only to face a firestorm of public criticism, including threats of a consumer boycott, because the processor included an ID number that could be used to track browsing, reading, purchasing and other activities on the Internet. Meanwhile, under the 1994 Communications Assistance for Law Enforcement Act ("CALEA"), the FBI is seeking to impose on the telecommunications industry surveillance features, including wireless phone tracking, that would do for the telephone system what we and others fear the Pentium III would do for the Internet. So far, in violation of CALEA, the Federal Communications Commission has tentatively agreed with the location surveillance demand and others.
As the Subcommittee advances the two bills before it today, it should also address what is happening at the FCC under CALEA. The tens of millions of Americans who use wireless phones do not want them turned into tracking devices that can be turned on and off by the government. In CALEA, Congress made it clear that wireless phones should not be turned into location devices for surveillance purposes. The FCC is ignoring that clear Congressional directive, and is basically proposing to rewrite CALEA. The objectives of E911 service can be achieved fully without creating a tracking capability outside the control of the users.
Mr. Chairman, we urge you to make the 106th Congress the "Privacy Congress." We believe it has the potential to become just that. The American public is more sensitive to privacy than ever before. Just as the Subcommittee last Congress made privacy a component of the E911 bill, privacy should be a component of every e-commerce and telecommunications bill you take up in the coming months, ranging from digital signatures to CALEA. The challenge is not an either/or choice between government regulation versus "self-regulation," but rather to develop enforceable solutions that combine a spectrum of measures ranging from privacy-enhancing technologies, to industry codes of practice, private remedies, government enforcement of baseline protections that incorporate fair information practices and address abuses, and a balanced approach to governmental surveillance premised on a narrowly-focused surveillance capability and strict limits for governmental access.
I. Ongoing Developments in Telecommunications Increase the Urgency of Ensuring the Privacy and Security of Wireless Communications
Advancements in telecommunications technology have conferred tremendous benefits on the American public and on individuals worldwide. The number of subscribers of wireless services continues to rise, as wireless technologies have become woven into peoples lives. At the same time, the American public is deeply concerned that such advancements threaten to overwhelm the cherished right of privacy. The threats arise from both governmental and private surveillance.
For the past thirty years, Congress has recognized that it must ensure that the laws protecting privacy keep pace with the changing uses of technology. From 1968, when it first enacted the wiretap law known as Title III, through enactment of the Electronic Communications Privacy Act ("ECPA") in 1986, to the Communications Assistance for Law Enforcement Act of 1994 ("CALEA"), Congress has sought to balance three goals: (1) to provide strong legal protections for electronic communications, (2) to afford law enforcement a narrowly-focused and carefully limited authority to carry out electronic surveillance in serious cases, and (3) to encourage the development and widespread availability of new technologies.
ECPA was based on the principle that privacy is good for both consumers and business. People will not use communications technologies they do not trust. By extending clear privacy protections to e-mail and cellular telephone conversations, ECPA boosted user confidence in those communications technologies when they were in their infancy, contributing to the dramatic success they have both experienced.
When it enacted ECPA in 1986, Congress knew that it would have to return to the law of communications privacy periodically, as technology continued changing. Some small privacy enhancements were made in CALEA in 1994. Now, given ongoing developments in the realm of wireless communications and the Internet, we are at another juncture that requires another careful examination of the adequacy of privacy protection legislation: Cellular and other wireless telephones have become commonplace and are now widely used by ordinary citizens. Moreover, wireless transmission is no longer important only for voice communications. Wireless modems, wireless faxes, and wireless local area networks are linking computers and transferring data of a highly sensitive nature, including proprietary information, medical records, and financial data. Wireless links are becoming more and more important as gateways to the global information network. The Internet itself has blossomed since 1986 in ways that the drafters of ECPA never imagined.
The ongoing development of telecommunications networks that are increasingly integrated, global, decentralized and wireless heightens the urgency of ensuring the privacy and security of wireless communications. Some of the needed changes fall outside the jurisdiction of this Committee, but we would like to mention them briefly to give a sense of the context. First, ECPA should be clarified to make it clear that wireless transfers of data are protected to the same extent as wireless voice communications. Second, the legal scheme of the wiretap laws, as amended by ECPA, should be expanded so that the US government has to obtain a court order when engaging abroad in surveillance of US citizens for criminal investigative purposes. Currently, the protections of the US Constitution offer little privacy assurance to US citizens whose communications cross international borders, and the protections of the wiretapping laws do not apply to eavesdropping from points abroad. Third, as networking expands and more and more records are kept outside the home, the protections rooted in the Fourth Amendment need to be extended so that records stored on networks receive the same protection as records held inside the home or office. Fourth, and this is a matter within this Committees jurisdiction, individuals must be assured control over their personal data, through a combination of technology tools, industry best practices and enforceable legal standards incorporating fair information practices.
II. Wireless Communications and Public Safety Enhancement Act: Location Information Requires Privacy Protection
As a result of the new technology, more and more sensitive personal information is being transmitted over the airways and online. At the same time, the new technology generates an increasingly rich store of transactional data. Each time you log onto the Internet, each time you use the telephone, you leave behind digital fingerprints -- the transactional records which, in real-time or stored and aggregated, provide a profile of your whereabouts, your activities, your interests, and your associations. Consumers and other users of the new communications technologies want control over this information. Limits on its use are essential if consumers are to have confidence in electronic commerce and digital communications. A central principle of fair information practices is that information generated in the course of one transaction should not be used for other purposes without the clear consent of the person to whom the information pertains.
E911 is a perfect example. The ability to use wireless phones to contact police, fire or ambulance services in the case of an emergency is an obvious attraction of wireless phones, and it is appropriate for the Congress and the FCC to promote development of a nationwide wireless 911 system. Locating wireless phone users calling in emergency cases is appropriately part of such a system. Obviously, 911 callers want to be found by the emergency services, and quickly. Yet the tens of millions of wireless phone users do not want their phones to become tracking devices that they do not control. People carry these phones with them as they go about their daily lives. More than the wireline phone, the wireless phone tends to be directly associated with one individual. When a call is made on a wireline phone, it means that somebody is at the location, but it is not apparent who. When a call is made on a wireless phone, it is almost always the individual subscriber. In this way, wireless phone location information is far more revealing than the fact that a street address is associated with a wireline phone number. So we need to have strict rules governing use of this information.
Wisely, Mr. Markey and the Chairman have included privacy protection in the Wireless Communications and Public Safety Enhancement Act (H.R. 3844 in the 105th Congress). The provision builds on the CPNI (Customer Proprietary Network Information) protections of section 222 of the Communications Act, 47 U.S.C. 222, which are strong and consistent with fair information practices. Any effort to move forward with E911 should have these privacy standards built in. Strict coverage of location information is essential to public confidence in the wireless 911 system.
We note that this bill does not address the question of governmental access for investigative purposes. The standard for law enforcement access has to be strict as well. Because location information is so sensitive, and because people carry their wireless phones with them as they go abut their daily lives and go places where they have a reasonable expectation of privacy, we believe the standard should be a full probable cause standard of the Fourth Amendment. This is probably not an issue within the jurisdiction of this Committee, but it would be a missed opportunity to let this bill get enacted without addressing the question of government access. (We note that Senator Leahy has proposed legislation making law enforcement access to wireless location data subject to a full probable cause standard.)
With grave concern, we urge the Committee to take note that the FCC in its CALEA proceeding has tentatively concluded, incorrectly, that wireless location information is a CALEA mandate, in essence placing on carriers a double mandate and in the process probably unfairly tilting towards a network solution to the 911 location requirements. Wireless location under CALEA should be treated completely separately from location information for E911 purposes. Congress made it clear in CALEA that it did not intend to require location information for surveillance purposes. The Commissions tentative decision in the CALEA proceeding to require location information be built into wireless systems for surveillance purposes, not subject to user control, finds no support in the plain meaning of CALEA and is flatly contrary to the legislative history. In this and other ways, the Commission has tentatively sided with the FBIs expansive reading of the CALEA mandates, jeopardizing the privacy balance that Congress intended to achieve in that Act and imposing unnecessary costs on the carriers and ultimately on the public who will pay the bill, either as taxpayers or as ratepayers. This is something the Subcommittee should address as the 911 bill moves forward, or on another vehicle that addresses CALEA questions. It may require an amendment to CALEA to reemphasize Congress intent that location information for surveillance purposes is not a CALEA mandate.
III. The Wireless Privacy Enhancement Act The Privacy of Wireless Communications Is Entitled to Strong Legal Protection
In the current environment of global communications networks increasingly dependent on wireless links, it is a serious invasion of privacy to eavesdrop on cellular and other wireless telephone conversations. Cellular eavesdroppers are invading the privacy not only of the person who is using a cellular phone, but also of anybody else who is on the conversation using an ordinary landline telephone.
Given the growth of wireless services, it is clear that Congress made the right decision in 1986 when it determined that intentionally intercepting cellular phone conversations should be a federal crime. Congress clearly has the authority to protect communications transmitted over the airwaves, and it did so with respect to cellular telephone conversations in ECPA, extending to the then-fledgling cellular telephone industry the same privacy protections that had applied to traditional wireline services.
However, ever since wireless phones first appeared, there has been an electronic cat and mouse game between wireless phone users and those who find it amusing to eavesdrop, or find criminal opportunity in eavesdropping, on wireless phone conversations. ECPA made it a crime to manufacture, sell, assemble, possess or advertise any device that is "primarily useful" for the interception of wireless telephone conversations, 18 U.S.C. 2512, and Section 302 of the Communications Act prohibited the manufacture, sale or use of nonconforming scanning devices, 47 U.S.C. 302a. Nonetheless, manufacturers, retailers and individuals have taken a very narrow view of this law, and consequently scanners are widely available still that intercept cellular telephones. The PCS spectrum isnt even covered by Section 302(d) of the Communications Act. For these reason, we believe that Congress should close the ambiguities and gaps in the scanner law.
The Wireless Privacy Enhancement Act (H.R. 2369 in the 105th Congress), was passed by the House last Congress, and deserves to be reenacted this year. We believe that the main purpose of the bill is to clarify and further restrict the ability of private citizens to obtain equipment that can be used for eavesdropping on wireless phones. We urge the Subcommittee to ensure that the language is appropriately narrow, and does not cover legitimate equipment and conduct. On one specific point, it is not clear that the language concerning "divulgence, publication, or utilization" is necessary in the amendment to Section 705(e)(3) and (4) of the Communications Act. We also hope that the Judiciary Committee eliminates the "primarily useful" ambiguity from 18 U.S.C. 2512.
IV. While Legal Protections Are Important, They Are Not Enough to Ensure Privacy Privacy and Security Must Be Ensured Through Technical Means
The criminal law, however, is a limited remedy. Practically speaking, law enforcement agencies will never devote substantial resources to the investigation of eavesdropping cases. Even with H.R. 2369 on the books, there will still be people who obtain or manufacture devices to eavesdrop on wireless phones. Therefore, the focus needs to be on manufacture and design of equipment to be less readily subject to being intercepted. This is, of course, mainly not a matter for legislation. The onus falls on industry to deploy strong encryption throughout the networks. I would note that in 1997, after the Subcommittees last hearing on this issue, independent cryptographers broke the proprietary encryption technology used in millions of GSM (Global System for Mobile communications) phones nationwide, illustrating the dangers of insufficiently robust, proprietary encryption.
The integrated, global, decentralized communications network is vulnerable to threats that infringe on individual privacy and also threaten the critical infrastructures that are dependent on communications. The vulnerabilities of encrypted computer files and electronic communications are well-documented. Unencrypted communications are open to criminal exploitation, and the losses to date from inadequate system security are enormous. The National Research Council concluded several years ago: "Of all the information vulnerabilities facing US companies internationally, electronic vulnerabilities appear to be the most significant."
Wireless communications should not be and need not be the weak link in the integrated communications infrastructure. Strong encryption offers opportunities for enhanced security in the digital age. Widespread use of encryption to protect communications will prevent fraud and other extremely dangerous forms of crime. At the same time, encryption poses challenges to law enforcement agencies.
Unfortunately, the policies of the US government have served to inhibit the deployment of robust encryption. The Subcommittee and the Congress will have to revisit the encryption issue this year. It has become clear that the current Administration policy is not viable, from either a privacy perspective or a law enforcement/national security perspective. As a recent study issued by the Center for Strategic and International Studies concluded, "Continued reliance on limited availability of strong encryption without the development of alternative sources and means will seriously harm law enforcement and national security." It has become clear that there is no answer to the encryption issue that will guarantee the government access in all cases. The current policy of government controls on encryption will not work in the decentralized, competitive, global environment where criminals will always be able to obtain strong encryption to shield their communications. The sooner strong encryption is widely deployed in wireless systems for the rest of the population, the sooner privacy will be protected and fraudulent theft of services will be curtailed.
V. Congress Should Hold the FCC to the Fulfillment of Its Responsibilities to Protect Network Security and Privacy
It would accomplish little to outlaw handheld scanners if the wireless (and wireline) switches themselves were vulnerable to hacking and unauthorized interception. Therefore, Congress should make sure that network security is properly addressed. There is in fact a pending proceeding at the FCC on network security, under CALEA. CALEA requires carriers to design their systems to be readily tappable by law enforcement. However, the same backdoors that give law enforcement access create new vulnerabilities for hackers to exploit. Congress was concerned to ensure that the changes made to accommodate law enforcement interception in compliance with CALEA did not increase system vulnerability. Therefore, CALEA included several important security provisions. One is section 105, entitled "Systems Security and Integrity." In this provision, for the first time ever, Congress mandated that telecommunications companies "shall ensure" that interceptions within their switching systems can occur only upon the affirmative intervention of an individual officer of or employee of the carrier. Section 301 of CALEA requires the Federal Communications Commission to issue regulations governing system security. Unfortunately, the FBI has used the proceeding under Section 301 to urge the Commission to establish rules for non-technological aspects of surveillance operations, ranging from the personnel practices of carriers to their processing of surveillance orders. Meanwhile, the security concerns about the vulnerability of computerized surveillance functions that prompted Congress to enact Section 105 of CALEA are not receiving adequate attention.
Concerns with network security go beyond CALEA. The FCC has both the authority and the responsibility under section 1 of the Communications Act, 47 U.S.C. 151, to ensure the security and reliability of the nations communications networks. In the past, this Subcommittee has paid particular attention to reliability concerns in the public switched telephone network. In an increasingly decentralized and complex system, full attention to network security issues requires a broad look at the network security features available to users, including flexible and robust encryption. We urge the Subcommittee to work with the Commission on this pressing concern.
Congress should assure that current laws adequately protect privacy in light of ongoing developments in telecommunications technology. The two bills before the Subcommittee are modest steps towards that goal. The privacy protections in the Wireless Communications and Public Safety Act are critical to user confidence. In addition, we urge an amendment at an appropriate time to that bill to make it clear that government agencies can access location information for investigative purposes only pursuant to a probable cause court order. We also urge the Committee to address the question of the design mandates that are being imposed by the Commission on carriers under CALEA, especially the mandate to turn wireless phones into location devices controlled by the government. Finally, we note the failure of the FCC so far to address the network security and privacy implications of the surveillance features that are being designed into switches to comply with CALEA, and urge the Subcommittee to hold the Commission to its responsibilities.
Thank you again for the invitation to testify today. We would be happy to answer any questions, and we look forward to working with the Subcommittee to realize across the board the privacy principles reflected in these bills.