Testimony of James X. Dempsey
Senior Staff Counsel
Center for Democracy and Technology
Subcommittee on the Constitution of the House Judiciary Committee
April 6, 2000
Mr. Chairman and Subcommittee Members, thank you for calling this hearing and affording CDT the opportunity to testify about Fourth Amendment protections in cyberspace. Our nation is at a point where revolutionary changes in communications and computer technology have outpaced the privacy protections in our laws. Far more information than ever before is available to the government under minimal or inadequate legal standards. It is time for Congress to strengthen the privacy laws to restore a balance between government surveillance and personal privacy, to build user trust and confidence in these economically vital new media, and to afford both law enforcement agencies and online service providers the clear guidance they deserve.
The Center for Democracy and Technology is a non-profit, public interest organization dedicated to promoting civil liberties and democratic values on the Internet. Our core goals include ensuring that the Constitution's protections extend to the Internet and other digital information technologies. CDT also coordinates the Digital Privacy and Security Working Group (DPSWG), a forum for more than 50 computer, communications, and public interest organizations, companies and associations working on information privacy and security issues.
The Internet is a wonderfully transformative medium. Consequently, it has become a necessity in most workplaces and a fixture in most schools and libraries. According to a December 1999 Harris poll, 56% of American adults are online, 6 times higher than 4 years ago. But as more and more of our lives are conducted online and more and more personal information is transmitted and stored electronically, the result has been a massive increase in the amount of sensitive data available to government investigators.
While the Justice Department frequently emphasizes the ways in which digital technologies pose new challenges to law enforcement, the fact is that, on balance, the digital revolution has been a boon to government surveillance and collection of information. The FBI estimates that over the next decade, given planned improvements in the digital collection and analysis of communications, the number of wiretaps will increase 300 per cent. Computer files are a rich source of evidence: in a single case last year, the FBI seized enough computer evidence to nearly fill the Library of Congress twice. As most people sense with growing unease, everywhere we go on the Internet we leave digital fingerprints, which can be tracked by marketers and government agencies alike. The FBI in its budget request for FY 2001 seeks additional funds to "data mine" these public and private sources of digital information for their intelligence value. Yet the computer and communications privacy laws were last updated in 1986.
Recently, following a series of hacker attacks on e-commerce web sites, the Justice Department has proposed changes to the electronic surveillance laws to enhance law enforcement authorities. (In fact, the changes are not directly responsive to the recent attacks, but have been on the Justice Department's agenda for some time.) But surely, before enacting any enhancements to government power, we should ensure that current laws adequately protect privacy. As I will explain, the standards for government access to information are not high enough to protect the privacy of ordinary citizens. We must tighten the standards for government surveillance and access to information. CDT is prepared to work with the Congress and the Justice Department to flesh out the needed privacy enhancements, and to convene DPSWG as a forum for building consensus.
Background: Fourth Amendment Privacy Principles
To understand how far current privacy protections diverge from the principles of the Constitution, we should start with the protections accorded by the Fourth Amendment. If the government wants access to your papers or effects in your home or office, it has to meet a high standard:
The Supreme Court held in 1967 that wiretapping is a search and seizure and that telephone conversations are entitled to protection under the Fourth Amendment. Katz v. United States, 389 U.S. 347 (1967), Berger v. New York, 388 U.S. 41 (1967). Congress responded by adopting Title III of the Omnibus Crime Control and Safe Streets Act of 1968, requiring a court order based on a finding of probable cause to intercept wire or oral (i.e., face-to-face) communications. 18 U.S.C. §2510 et seq. However, Congress did not require the contemporaneous notice normally accorded at the time of a search and seizure. This was a fateful decision, but, the government argued, to give contemporaneous notice would defeat the effectiveness of the surveillance technique. In part to make up for the absence of notice, and recognizing the other uniquely intrusive aspects of wiretapping, Congress added to Title III requirements that go beyond the protections of the Fourth Amendment. These additional protections included: permitting the use wiretaps only for investigations of a short list of very serious crimes; requiring high level Justice Department approval before court authorization can be sought; requiring law enforcement agencies to exhaust other, less intrusive techniques before turning to eavesdropping; directing them to minimize the interception of innocent conversations; providing for periodic judicial oversight of the progress of a wiretap; establishing a statutory suppression rule; and requiring detailed annual reports to be published on the number and nature of wiretaps.
Over time, though, many of these additional protections have been substantially watered down. The list of crimes has been expanded, from the initial 26 to nearly 100 today and more are added every Congress. Minimization is rarely enforced by the courts. The exhaustion requirement has been weakened. Evidence is rarely excluded for violations of the statute. Almost every year, the number of wiretaps goes up - 12% in 1998 alone. Judicial denials are rare - only 3 in the last 10 years. The average duration of wiretaps has doubled since 1988. So even in the world of plain old telephone service we have seen an erosion of privacy protections. The fragility of these standards is even more disconcerting when paired with the FBI's "Digital Storm" plans for digital collection, voice recognition and key word searching, which will reduce if not eliminate the practical constraints that have up to now limited the volume of information that the government can intercept.
After it ruled that there was an expectation of privacy in communications, the Supreme Court took a step that had serious adverse consequences for privacy: It held that personal information given to a third party loses its Fourth Amendment protection. This rule was stated first in a case involving bank records, United States v. Miller, 425 U.S. 435 (1976), but it is wide-ranging and now serves as the basis for government access to all of the records that together constitute a profile of our lives, both online and offline: credit, medical, purchasing, travel, car rental, etc. In the absence of a specific statute, these records are available to law enforcement for the asking and can be compelled with a mere subpoena issued without meaningful judicial control. The implications of this "third party record" rule are seen most recently in the Administration's proposed Cyberspace Electronic Security Act (CESA), which would allow the government to obtain encryption "keys" or other decryption information from third parties under a court order procedure that would provide neither the probable cause nor the notice protections of the Fourth Amendment.
In 1979, a third piece of the privacy scheme was put in place when the Supreme Court held that there is no constitutionally-protected privacy interest in the numbers one dials to initiate a telephone call, data collected under a device known as a pen register. Smith v. Maryland, 442 U.S. 735, 742 (1979). While the Court was careful to limit the scope of its decision, and emphasized subsequently that pen registers collect only a very narrow range of information, the view has grown up that transactional data concerning communications is not constitutionally protected. Yet, in an increasingly connected world, a recording of every telephone number dialed and the source of every call received can provide a very complete picture a profile of a person's associations, habits, contacts, interests and activities. (Extending this to email and other electronic communications can, as I explain below, be even more revealing.)
In 1986, as cellular telephones service became available and email and other computer-to-computer communications were developing, Congress recognized that the privacy law was woefully out of date. Title III anachronistically protected only wire and voice communications: it did not clearly cover wireless phone conversations or email. In response, Congress adopted the Electronic Communications Privacy Act of 1986 (ECPA). ECPA did several things: it made it clear that wireless voice communications were covered to the same degree as wireline voice communications. It extended some but not all of Title III's privacy protections to electronic communications intercepted in real-time.
ECPA also set standards for access to stored email and other electronic communications and transactional records (subscriber identifying information, logs, toll records). 18 USC § 2701 et seq. And it adopted the pen register and trap and trace statute, 18 USC § 3121 et seq., governing real-time interception of "the numbers dialed or otherwise transmitted on a telephone line." (A pen register collects the "electronic or other impulses" that identify "the numbers dialed" for outgoing calls and a trap and trace device collects "the originating number" for incoming calls.) To obtain such an order, the government need merely certify that "the information likely to be obtained is relevant to an ongoing criminal investigation." 18 USC §§ 3122-23. (There is no constitutional or statutory threshold for opening a criminal investigation.) The law states that the judge "shall" approve any request signed by a prosecutor.
ECPA did not, however, extend full Title III protections to email sitting on the server of an ISP. Instead, it set up a two-tiered rule: email in "electronic storage" with a service provider for 180 days or less may be obtained only pursuant to a search warrant, which requires a finding of probable cause, but the additional protections of Title III -- limited number of crimes, high level approval, judicial supervision -- do not apply. Email in storage for more than 180 days may be obtained with a warrant or a mere subpoena. In no case is the user entitled to contemporaneous notice. The email portions of ECPA also do not include a statutory suppression rule for government violations and do not allow for public or congressional oversight through annual reports.
Mapping the Fourth Amendment Onto Cyberspace
Remarkably, ECPA was the last significant update to the privacy standards of the electronic surveillance laws. Astonishing and unanticipated changes have occurred since then:
It is clear that the surveillance laws' protections are too weak:
The importance of these questions is heightened by the fact that transactional or addressing data for electronic communications like email and Web browsing can be much more revealing than telephone numbers dialed. First, email addresses are more personally revealing than phone numbers because email addresses are unique to individual users. Furthermore, if the pen register authority applies to URLs or the names of files transmitted under a file transfer protocol, then the addressing information can actually convey the substance or purport of a communication.
Outlining the Necessary Privacy Enhancements
To update the privacy laws, Congress could start with the following issues:
We do not need a new Fourth Amendment for cyberspace. The one we have is good enough. But we need to recognize that people are conducting more and more of their lives online. They are storing increasing amounts of sensitive data on networks. They are using technology that can paint a full profile of their personal lives. The pricetag for this technology should not include a loss of privacy. It should not be the end of the privacy debate to say that technological change takes information outside the protection of the Fourth Amendment as interpreted by the courts 25 years ago. Nor is it adequate to say that individuals are voluntarily surrendering their privacy by using new computer and communications technologies. What we need is to translate the Fourth Amendment's vision of limited government power and personal privacy to the global, decentralized, networked environment of the Internet.
House Rule XI, clause 2(g)(4) disclosure: Neither James X. Dempsey nor CDT has received any federal grant, contract, or subcontract in the current or preceding two fiscal years.