Testimony of Jerry Berman
Executive Director
Center for Democracy & Technology

before the
Senate Select Committee on Intelligence

on
Legislative Measures to Improve America's Counter-Terrorism Programs

September 24, 2001

Summary

Mr. Chairman, Mr. Vice-Chairman, members of the Committee, thank you for the opportunity to testify at this hearing on the momentous question of improving our nation's defenses against terrorism in a manner consistent with our fundamental Constitutional liberties.

The Center for Democracy and Technology is a non-profit, public interest organization dedicated to promoting civil liberties and democratic values for the new digital communications media. Our core goals include enhancing privacy protections and preserving the open architecture of the Internet. Among other activities, CDT coordinates the Digital Privacy and Security Working Group (DPSWG), a forum for more than 50 computer, communications, and public interest organizations, companies and associations working on information privacy and security issues.

CDT joins the nation in grief and anger over the devastating loss of life resulting from the September 11 terrorist hijackings and attacks against the World Trade Center and the Pentagon. Like many, our relatively small staff had friends and acquaintances killed in those heinous acts. We fervently support the efforts of our government to hold accountable those who direct and support such atrocities.

It is clear that improvements need to be made in America's counter-terrorism procedures, and it appears there are many things that can be done without harming civil liberties. But we know from history that measures hastily undertaken in times of peril ­ particularly measures that weaken controls on government exercise of coercive or intrusive powers -- often infringe civil liberties without enhancing security. In the current climate, it is all the more important to act deliberately and ensure that our response is balanced and properly targeted. If we give up the constitutional freedoms fundamental to our democratic way of life, then the terrorists will have won.

In that regard, Mr. Chairman, we commend you and the Committee for holding this hearing, and taking the time to consider the legislative proposals put forth by the Administration and those you have developed. Only through the hearing process can you and the American public understand what is being proposed, how it would change current law, and whether the changes are responsive to any deficiencies that the September 11 attack may have revealed. Just as President Bush and his military advisers are taking their time in planning their response, to ensure that they hit the terrorist targets with a minimum of collateral damage, so it is incumbent upon this Congress to avoid collateral damage to the Constitution.

Comments on Chairman Graham's "Intelligence to Prevent Terrorism Act"

My testimony will focus on the electronic surveillance provisions in both Chairman Graham's "Intelligence to Prevent Terrorism Act" and the Administration's proposed "Anti-Terrorism Act of 2001." My colleague Kate Martin will focus on several other provisions in the bills that need clarification. Many provisions of the Chairman's bill appear narrowly and appropriately crafted to carefully provide desired intelligence capabilities; however I will also highlight at least one provision of the bill - Section 201 - that may have broad implications for the Internet.

As you well know, this Committee­and the current legal structure of the intelligence community­were established after Watergate both to improve intelligence and to ensure that the rights of Americans were not eroded by the vast and sometimes vague intelligence authorities that had previously existed. The legal and oversight system for intelligence sprang not just from a concern about civil liberties, but also from a concern about improving the efficacy of intelligence gathering. As such, the Committee mission demands a careful vetting of any new proposed intelligence authorities and we applaud the committee for holding these public hearings to do so.

A number of the provisions of both the Chairman's bill and the Attorney General's bill would change provision of the Foreign Intelligence Surveillance Act of 1978 (FISA). As the Committee is also well aware, FISA gave extensive authority to the intelligence community. Under it the FBI and CIA have considerable capability to conduct electronic surveillance without the high standards (such as a showing of probable cause of criminal conduct, notice, and eventual adversarial scrutiny) demanded under our domestic criminal law for wiretapping. In exchange for these significantly lowered standards allowing much greater intelligence surveillance, FISA demanded a clear separation - a wall - between electronic surveillance conducted for intelligence purposes and electronic surveillance conducted for criminal law purposes. FISA was based on a clear understanding that it would not become an back door for use of foreign intelligence surveillance in domestic criminal investigations. FISA information that was incidentally collected regarding criminal matters could be shared across this wall but the purpose of a FISA surveillance had to be intelligence. This was intended to avoid a major erosion of our constitutional rights through the lower standards of FISA surveillance.

As we read the Chairman's bill, we applaud what appears to be the committee's intent to maintain that distinction between intelligence authorities and domestic law enforcement provisions. We are particularly pleased to see that the Chairman's bill does not appear to intended a rewriting of the FISA authorities. As described below, however, we believe that the Attorney General's bill does not reflect this deeper understanding and would eviscerate the FISA principles, allowing foreign intelligence surveillance standards to be used in criminal investigations. (See, e.g., Administration Bill, Sections 151-157) Thus, while we have concerns about some specific provisions, we believe the Chairman's bill is far more narrowly crafted, and more appropriately targeted to the situation at hand.

First and foremost, we note with approval Section 204's attempt to make it clear that the FBI could conduct both a Title III criminal wiretap and a FISA wiretap, intercepting the same communications for different purposes. If done properly, this is a more direct and appropriate approach to allow criminal investigations and intelligence investigations to go forward side-by-side. We need to explore with the committee the specific language of the section, but if it tracks the intent expressed in the section-by-section analysis, we believe it is an appropriate approach.

Section 202, regarding the duration of certain FISA surveillance authorities, raises some concerns. FISA electronic surveillances of persons are already granted for periods three times longer than Title III surveillances. Under 202, the duration of surveillance before any judicial oversight would be extended from 90 days to one year. In the case of physical searches, the period would be extended from 45 days to one year. Courts have only turned down one FISA application in the 22-year history of the statute's use. Judicial review, after 45 or 90 days, hardly seems overly burdensome; if surveillance should continue a judge will surely - given the history of discretion in these matters - renew the order. The risk of this provision is that unproductive surveillance could continue for long periods of time without any judicial oversight.

Section 203, the assistance section, may also merit more careful drafting. To the extent, as indicated in the section-by-section analysis, it is only requiring additional assistance from service providers that cannot be identified in advance, we believe it is a measured response. However, we believe the language should be reviewed with staff to ensure that it is not granting new surveillance authorities.

Section 201 raises concerns and is one area where we should not legislate quickly in this complex field of electronic surveillance law. Frankly, we find the language to be very ambiguous and potentially very broad. It must undergo further discussion and more careful drafting.

As drafted, the provision would exclude from the definition of "electronic surveillance" any "instruction or signal" sent to a computer - if it was not a communication to another person, or was not for lawful information retrieval - thereby exempting such information from the reduced standards of FISA. As we read the interaction of Title III and FISA, this would allow the interception of such signals with no judicial oversight.

While apparently intended to allow interception of communications "from a hacker, located abroad" the provision also sweeps in a broad class of otherwise protected communications. It would appear to include, for example:

• commands sent remotely to a home security system;
• reminders being sent to an online calendar or alarm clock system;
• stock trade commands sent to an electronic trading system;
• programs or files being sent (not retrieved) to a computer system;

or any other commands one sends to one's own computer, Palm Pilot, or wireless phone. All of these sensitive communications, in which there is both a reasonable expectation of privacy and a warrant would be required for law enforcement purposes, could now be obtained under FISA and without judicial oversight.

It is also unclear how the provision could be applied in practice. In a packet-switched data interception environment like the Internet, it is difficult if not impossible to know in many cases which packets to be intercepted contain an "instruction or signal" for a computer and are not for information retrieval, and which contain information that should require a judicial order. In many, if not in most, cases it will only be possible to see whether this provision applied after the communication is intercepted, read, and analyzed. Thus, if this provision is to be used it would appear to create a license for interception of numerous communications that would ultimately be discarded after they are read and analyzed.

Section 201 would appear to create a giant hole in the FISA electronic surveillance requirements and would allow the interception of numerous personal communication without judicial oversight. It is in serious need of redrafting at the very least; if its goal is to allow interception of hackers attacking a computer, it seems better addressed by provisions that would allow target computer owners to consent to the interception of attacks on their computers.

We recommend that this section be deleted or substantially clarified.

Comments on Administration Proposals

The Administration's Anti-Terrorism Act of 2001 goes far beyond the measured response of this committee. It would expand federal government authorities, including the authorities of the intelligence agencies, to conduct electronic surveillance and otherwise collect information on US citizens. Some of the changes are quite fundamental. The bill includes numerous, complex provisions extending the surveillance laws (while raising many questions about how they will be implemented) and altering the long-standing distinction between criminal investigations and foreign intelligence investigations. Many of the changes are not related to security concerns raised by the September 11 terrorist attacks. Many are not limited to terrorism cases, but relate to criminal investigations. Some have been proposed by the Justice Department before, and some have even been rejected by Congressional committees.

In terms of the issues within the jurisdiction of this Committee, these are our top concerns:

• Section 153. Foreign Intelligence Information. Allows the FBI to collect evidence for criminal cases under the looser standards of foreign intelligence investigations -- an end-run around the relatively stringent requirements for wiretaps in criminal cases and a breach of the understanding that led to enactment of FISA.
• Section 155. Pen Register and Trap and Trace Authority. Eliminates the only meaningful statutory control that exists on use of pen registers and trap and trace devices in intelligence cases.
• Section 156. Business records. Allows access to any business records upon the demand of an FBI agent, with no judicial review or oversight.
• Sec. 157. Miscellaneous national-security authorities - Amends several key privacy laws, allowing much greater access to banking, credit, and other consumer records in counter-intelligence investigations, with no judicial review at all.

A more detailed analysis of the Administration's bill follows below. Once again, we appreciate and commend this Committee's efforts to gather public input and to hold this hearing today. We hope the Committee will move forward with those provisions of its bill and the Administration's bill that are non-controversial and responsive to the tragic attacks of September 11, but will defer on the other more complex and divisive provisions that we have identified. We look forward to working with the Committee and staff to craft an appropriate response at this perilous moment in our country's history, and to avoid a rush to judgement on legislation that could ultimately imperil both freedom and security.

Extended Analysis of Administration Bill

The Administration's bill has two kinds of provisions that give rise to concerns: those that would lower the standards for government surveillance and those that address the difficult question of information sharing.

In terms of collection standards, our law enforcement and intelligence agencies already have broad authority to monitor all kinds of communications, including email. Both the criminal wiretap statute and the Foreign Intelligence Surveillance Act already cover terrorism. For some time, it has been recognized that those standards need to strengthen the standards for government surveillance. We see no justification for the changes proposed in the Administration bill that weaken those standards. We are particularly opposed to changes that would eliminate the judicial review that can be the most important protection against abuse.

The Foreign Intelligence Surveillance Act allows the FBI to conduct electronic surveillance and secret physical searches in the US, including surveillance of US citizens, in international terrorism investigations. FISA also authorizes court orders for access to certain business records. As you know, the standards under FISA are much lower than the standards for criminal wiretaps, and in return, the surveillance is supposed to be focused on the collection of intelligence, not criminal evidence. The FISA court, which last year approved more than 1000 surveillance requests, has denied only one request in its 22 year history.

Distinct from the Administration's unsupportable desire to avoid judicial controls on its authority, perhaps the central and most important problem facing the Congress is the question of information sharing. For many years, this has been recognized as a very difficult question; it is one that will be especially difficult to resolve satisfactorily given the pressure-cooker atmosphere of this time. We want to work out a balanced solution. But it cannot be done by wiping away all rules and barriers. Any solution needs to preserve the fundamental proposition that the CIA and other intelligence agencies should not collect information on US citizens in the US.

• Sec 103. Authorized Disclosure
  Allows disclosure of information obtained from wiretaps with any executive branch official. This is clearly too broad, especially in light of the vague language in 18 USC 2517 that allows sharing when appropriate to the proper performance of the duties of the official making or receiving the disclosure. The issue of greatest concern to us is that the CIA and other intelligence agencies would begin compiling files on US persons. This provision should be narrowed, so that it authorizes disclosures to personnel with intelligence, protective, public health or safety, or immigration duties, to the extent that such disclosure is related to proper performance of the official duties of the officer receiving the disclosure, and with the proviso that nothing therein authorizes any change in the existing authorities of any intelligence agency. (Rather than amending the definition section of Title III, it might be better to build these concepts directly into section 2517.)
   
• Sec. 105. Use of Wiretap Information from Foreign Governments.
  Allows use of surveillance information from foreign governments, even if it was seized in a manner that would have violated the Fourth Amendment. Section 105 makes surveillance information collected about Americans by foreign governments (so long as U.S. officials did not participate in the interception) admissible in U.S. courts even if such interceptions would have been illegal in the U.S. Such a provision is ripe for abuse and provides unhealthy incentives for more widespread foreign surveillance of U.S. individuals.
   
• Sec. 151. Period of Orders of Electronic Surveillance of Non-United States Persons Under Foreign Intelligence Surveillance.
  Allows secret searches and electronic surveillance for up to one year without judicial supervision. Under current law, the FISA Court can order a wiretap of a "non-US person" for a period of 90 days, after which the government must report to the court on the progress of the surveillance and justify the need for further surveillance. The court can authorize physical searches for up to 45 days. The amendment would extend both time frames to one year, meaning that after the government's initial ex parte showing there would be no judicial review for one year. We think this is too long. We recommend that the current time frames be retained for the initial approval. (After all, they are already far longer than the 30 days for which criminal wiretaps, including criminal wiretaps in terrorism cases, can be approved.) If, after 90- days of electronic surveillance or 45 days of physical searches, the government can show a continuing justification for the surveillance or search authority, then we would agree that the court could authorize a longer surveillance. We would recommend one year for electronic surveillance, 180 days for physical searches (thus preserving the current law's recognition that physical searches are more problematic than electronic searches and need to be authorized for shorter periods of time).
   
• Section 152 Multi-Point Authority.
  Allows roving taps, including against US citizens, in foreign intelligence cases with no limits ­ ignoring the Constitution's requirement that the place to be searched must be "particularly described." This section purports to afford the FBI "roving tap" authority for intelligence investigations similar to what already exists for criminal investigations. See 18 USC 2518(11). A roving tap allows the government to intercept whatever phone or email account a suspect uses, even if the government cannot specify it in advance. Roving tap authority is constitutionally suspect, at best, since it runs counter to the Fourth Amendment's requirement that any search order "particularly describe the place to be searched." However, the proposed language places no limitation on the exercise of the roving tap authority and offers the FBI no guidance for its exercise. The proposed change merely authorizes the court to issue to any "person" an order commanding them to cooperate with a surveillance request by the government. If roving tap authority is supposed to focus on the targeted person, not on the telephone instrument, then the intercept authority should be limited to the target ­ it should only allow interception of communications to which the target of the surveillance is a party. Such limitations are absent from this proposal.
   
• Section 153. Foreign Intelligence Information
  Allows the FBI to collect evidence for criminal cases under the looser standards of foreign intelligence investigations -- an end-run around the relatively stringent requirements for wiretaps in Title III. This section, which merely changes the word "the" to "a," would actually make a fundamental change in the structure of the wiretap laws. It would permit the government to use the more lenient FISA procedures in criminal investigations which have any counter-intelligence purposes and would destroy the distinctions which justified granting different standards under FISA in the first place. Under existing law, FISA can be used only if foreign intelligence gathering is "the" purpose of the surveillance. The proposed provision would permit FISA's use if this is "a" purpose, even if the primary purpose was to gather evidence for a criminal prosecution. This is an extraordinary change in the law which has no justification.
   
• Section 154. Foreign Intelligence Information Sharing
  With no standards, permits the sharing of grand jury information, Title III wiretap information, and any other "foreign intelligence information" acquired in a criminal case with many different federal officials not involved in law enforcement. This is a sweeping change in the law. "Foreign intelligence information" is not defined. The provision places no limits on the purpose for which the information may be shared, and no limit on its reuse or redisclosure. It requires no showing of need and includes no standard of supervisory review or approval. As written, a criminal investigator could share with White House staff information collected about foreign policy critics of the Administration. The provision, at the very least, should be drastically curtailed.
   
• Section 155. Pen Register and Trap and Trace Authority
  Eliminates the only meaningful statutory control that exists on use of pen register and trap and trace devices in intelligence cases. The law currently requires a showing that the person being surveilled is a foreign power, an agent of a foreign power or an individual engaged in international terrorism or clandestine intelligence activities. This amendment would eliminate that standard and permit the use of FISA for pen registers whenever the government claimed that it was relevant to an ongoing intelligence investigation. Contrary to the DOJ's assertion in its section-by-section, this is not the same as the standard for pen registers in criminal cases. There, the surveillance must be relevant to an ongoing criminal investigation, which is moored to the criminal law. There is no similar constraint on foreign intelligence investigations, since they can be opened in the absence of any suspicion of criminal conduct. This provision ignores the fact that the government was granted the special rules of FISA only for situations that involved intelligence gathering about foreign powers.
   
• Section 156. Business records
  Allows access to any business records upon the demand of an FBI agent, with no judicial review or oversight. Traditionally, the FBI had no ability to compel disclosure of information in intelligence investigations. The compulsory authorities were limited to criminal cases, where the open, adversarial nature of the system offered protections against abuse. For example, in criminal cases, including international terrorism cases, the FBI can obtain grand jury subpoenas, under the supervision of the prosecutor and the court, where the information is relevant to a criminal investigation. The FBI has no ability to invoke the power of the grand jury in intelligence investigations, since those investigations are conducted without regard to any suspicion of criminal activity. In 1998, in an expansion of intelligence powers, FISA was amended to give the FBI a new means to compel disclosure of records from airlines, bus companies, car rental companies and hotels: Congress created a procedure allowing the FBI to go to any FISA judge or to a magistrate. The FBI had only to specify that the records sought were for a foreign intelligence or international terrorism investigation and that there were specific and articulable facts giving reason to believe that the person to whom the records pertain is an agent of a foreign power. This is not a burdensome procedure, but it brought the compulsory process under some judicial control. The Administration's bill would repeal the 1998 changes and permit the use of "administrative subpoenas" rather than an application to a court to get any business records under FISA. An administrative subpoena is a piece of paper signed by an FBI agent. There is no judicial review, no standard of justification, no oversight. Particularly in intelligence investigations, which are not even limited by the scope of the criminal law and in which there is no involvement of the US Attorney's Office, FBI agents should not have such unreviewable discretion to compel disclosure of personal information.
   
• Sec. 157. Miscellaneous national-security authorities
  Allows much greater access to banking, credit, and other consumer records in counter-intelligence investigations. Current provisions of law allow the federal government to obtain sensitive banking, credit, and other consumer records under the relaxed and secretive oversight of FISA - but only when there are "specific and articulable" facts showing that the target consumer is "a foreign power or the agent of a foreign power." Section 157 would eliminate these essential requirement, mandating disclosure of this sensitive consumer data simply if an FBI official certifies that they are needed for a counterintelligence investigation (and with an ex parte court order for access to credit reports). Section 157 would eliminate the "agent of a foreign power" standard in­
  • The Fair Credit Reporting Act, allowing access to records from consumer reporting agencies (including the names of all financial institutions where accounts are held, all past addresses and employers, and credit reports);
  • the Financial Right to Privacy Act, broadly allowing access to financial records; and
  • the Electronic Communications Privacy Act, allowing access to telephone and toll billing records, and, newly added, all "electronic communication transactional records."

  As such, the Section would greatly increase access to the personal information of consumers or groups who are not agents of foreign powers. And in each case access the institutions granting access to consumer information would be prohibited from disclosing that information or records had been obtained.

  
   
• Section 158. Disclosure of educational records
  Amends the law protecting education records to permit access to them. While this might be justified in terrorism cases, the provision covers all cases involving "national security" and is far too sweeping.
   
• Section 159. Presidential Authority.
  Does not appear to permit judicial challenge to seizure of property. At the very least, there must be such opportunity. A second provision allows the use of secret evidence. Use of such evidence, if ever permitted, must be on a much higher standard than that the information is properly classified, as provided here. The government must be required to persuade a court that the disclosure to the party would result in imminent and serious harm and the court must require the government to provide sanitized information to the party.