Testimony of James X. Dempsey
Senior Staff Counsel
Center for Democracy and Technology
Subcommittee on the Constitution
House Judiciary Committee
September 6, 2000
Mr. Chairman and members of the Subcommittee, thank you for convening this important hearing. I am pleased to testify on behalf of the Center for Democracy and Technology [ * ] in support of the three privacy-enhancing bills that are the subject of this hearing.
These three bills, H.R. 5018, H.R. 4987, and H.R. 4098, are part of the answer to one of the major concerns of the American public today -- the loss of privacy in the face of new technology. These bills address some of the most egregious and unjustifiable weaknesses in our privacy laws. Yet at the same time, these are modest bills. Wisely, they do not purport to tackle all the privacy issues that face our society today. They address some glaring deficiencies in current law, leaving some harder issues for resolution later. In contrast, the Administration has a very complicated bill that covers some of the same ground, but also goes much farther and has buried in it some provisions that would severely erode privacy. The Administration bill is clearly not ready for Congressional consideration at this time. Given the controversy over Carnivore, and given the overwhelming public sense that government surveillance needs to restrained, not expanded, and that privacy needs to be protected, not eroded, we urge the Subcommittee to focus on these narrow bills.
Also, it must be stressed that nothing in the three bills under consideration today will deny law enforcement agencies the tools they need to fight crime and defend the national security. No law enforcement agency will be prohibited by these bills from locating a criminal suspect or monitoring a terrorist's email. In fact, these bills do not prohibit any form of monitoring - all they will do is to set clear and strong privacy guidelines for use of electronic surveillance techniques and require public reporting of surveillance statistics as the foundation of oversight and accountability.
Two of these bills (5018 and 4987) address Fourth Amendment privacy issues - the rules for government monitoring of electronic communications. They will make important improvements in the enforcement of the Constitutional guarantee against unreasonable searches and seizures. I will deal with these two bills together, for their complementary provisions could easily be combined. The third bill deals with a somewhat different, often ignored issue, privacy in the workplace, and I will explain our support for it separately.
|H.R. 5018, Electronic Communications Privacy Act of 2000
H.R. 4987, Digital Privacy Act of 2000
These two bills address the fact that our privacy laws have become outdated in the face of two developments: the continually growing surveillance potential of communications and computer technologies, and the federal government's expanding use of electronic monitoring and data collection techniques of all kinds. To an important extent, these bills are a response to this Subcommittee's ground-breaking hearing last April on the Fourth Amendment and the Internet. At that hearing, I joined a diverse panel of witnesses from civil liberties organizations, industry and academia who testified that our privacy laws needed to be updated to keep pace with technological change. I pointed out, and several witnesses agreed, that far more information than ever before is available to the government under minimal or inadequate legal standards. The panel agreed that it was time for Congress to strengthen the privacy laws to restore a balance between government surveillance and personal privacy, to build user trust and confidence in these economically vital new media, and to afford both law enforcement agencies and online service providers the clear guidance they deserve. http://www.house.gov/judiciary/con0406.htm.
Last month, this Subcommittee held an equally important hearing on the FBI's Carnivore monitoring program, which specifically illustrated how much information law enforcement claims it is entitled to access under the low, rubber-stamp standard of the pen register statute. http://www.house.gov/judiciary/con07241.htm
It is not necessary today to repeat the details of those earlier hearings; they provide ample support for the two bills before the Subcommittee today. It is sufficient to note that the privacy laws underwent their last major update in 1986 with enactment of the Electronic Communications Privacy Act -- well before email, cellular phones, and the World Wide Web became the fixtures of business and personal lives that they are today.
Reporting requirement: The main provision of H.R. 5018 amends section 2703 of Title 18 to require the compilation and publication of annual reports on the extent of government monitoring of private email. This is a long-needed provision, for the information covered is crucial to Congressional and public oversight. In order to evaluate the propriety and usefulness of government surveillance, it is first necessary to understand the extent and consequences of government monitoring, and we cannot do that without some basic facts.
In 1968, when Congress adopted Title III, the wiretap law, it recognized the importance of oversight. It required the Administrative Office (AO) of the United States Courts to compile and publish annually a report on wiretap activity. 18 USC 2519. These reports, which come out around April of each year and which are now available on the AO Web site, offer a wealth of information to Congress, civil liberties organizations, the media and the public. They have shown a steady increase in the number of wiretaps yearly, in the average length of wiretaps, in the number of conversations intercepted per tap, and in the number of persons whose conversations are intercepted per tap. Interestingly, they have shown a significant decrease in the percentage of incriminating conversations per tap.
In 1986, when Congress adopted the Electronic Communications Privacy Act (ECPA), Congress brought real-time interception of email under Title III, so that interception of email is reported under the Title III reporting provisions of section 2519. However, ECPA created an entirely new chapter 121 for government access to email and other electronic communications "in storage." 18 USC 2701 et seq. Section 2703 is the main section setting out the standards for government access to electronic communications in storage. However, Congress did not include a reporting requirement in the stored records chapter.
Access to email under section 2703 does not require many of the strict legal protections of Title III. (The Justice Department has recently proposed lowering the standard for access to some email, certainly not what the American public wants.) And technically, it is often far easier to seize a person's email while it is neatly stored on the server of an ISP than to intercept it in real-time under Title III. Therefore, it turns out, most of the time when the government wants to seize email, it does so not under Title III, but under section 2703. And therefore, no data is ever collected on the amount of email seizures that the government performs, and there is no opportunity for Congressional or public oversight of email surveillance.
Recently, a reporter for USA Today.com, Will Rodger, took the initiative and went out to the local courthouse in Loudon County, Virginia, and searched by hand through the court records. America Online has its headquarters in Loudon County, so government investigators from around the country serve their warrants there to obtain email and other information on AOL customers. Will Rodger found that the number of warrants seeking citizens' online data has soared during the past several years. In 1997, AOL was served with 33 search warrants. That number jumped to 167 in 1998 and 301 in 1999, an increase of more than 800% since 1997. A copy of the Will Rodger story is attached to my testimony.
This kind of journalism is what the First Amendment is all about, but it shouldn't take a reporter culling through local court filings to inform Congress and the public of government actions affecting the privacy of American citizens. And AOL is only one ISP. The records of government seizure of email from other service providers lie in other courthouses around the country. It is time to create a systematic way of compiling this information, so that the same type of oversight can be accorded to email that is now given to telephone conversations.
Section 3 of H.R. 5018 remedies that problem by requiring the compilation and publishing of basic information on the activity of federal, state and local agencies in seizing email and other customer records. The provision is based directly on the reporting requirements of Title III, 18 USC 2519. It assigns to the Administrative Office the coordinating role.
I would note that one change is needed in the bill to address what must be an unintended oversight: in the bill as introduced, the reporting requirement, in what would be a new subparagraph (g)(1), refers only to orders issued under subsection (d) of 2703. This is too narrow, since subsection (d) of 2703 only covers government access to addressing data. Government access to the text of email is covered by subsections (a) and (b) of 2703 and that is the more important category of seizures for which we need reporting. Therefore, the words "under subsection (d)" in lines 16-17 on page 2 need to be changed to "under this section."
Section 2 of H.R. 4987 has a similar goal, but the reporting requirements of H.R. 5018 are more comprehensive in that, like the wiretap law, they require prosecutors to report on the results of seizures of email. We are most likely to get the most useful information by combining reports from the courts with reports from investigators, which is what H.R. 5018 would do. For this reason, we prefer the language of section 3 of H.R. 5018 over the language of section 2 of H.R. 4987.
Barring use of illegally seized email: H.R. 5018 would address a second omission in ECPA, by bringing electronic communications within the scope of the statutory suppression rule of Title III, 18 USC 2515. When Congress adopted Title III in 1968, it established certain protections for interception of communications that went beyond normal Fourth Amendment requirements, to compensate for the fact that contemporaneous notice was not provided and to otherwise address the uniquely intrusive nature of electronic surveillance. Congress then established a statutory suppression rule, to exclude evidence seized in material violation of those protections, which is section 2515. But in 1986, when Congress added the word "electronic" to most of the provisions of Title III, it did not do so in section 2515. Section 2 of H.R. 5018 will take the long-overdue step of closing this gap. I note that this is a step supported by the Administration, and also found in H.R. 4987. H.R. 5018 takes an additional step and adds a reference to stored electronic communications disclosed in violation of chapter 121, so it will extend the statutory suppression rule to illegal seizures of email in violation of chapter 121. This is especially important since it is conceivable that the government would argue that there are no Fourth Amendment protections in email, only the statutory protections of ECPA, so it is important to have some consequences for violation of those statutory protections. So in this respect, section 2 of H.R. 5018 is preferable to section 3 of H.R. 4987.
Enhanced Privacy Protections in the Pen Register Statute: Section 4 of H.R. 5018 and section 4 of H.R. 4987 address another defect in existing privacy protections under another electronic surveillance law, namely the lack of adequate privacy safeguards in the pen register and trap and trace statute, 18 USC 3121 et seq. Pen registers and trap and trace devices collect information identifying calls -- in the case of telephone calls this consists of the numbers dialed on outgoing calls and the number of origin of incoming calls. In ECPA, Congress required a court order for use of a pen register or trap and trace device, but the standard Congress set was ludicrous: the court is required to approve every request by a government official claiming that use of the pen register is "relevant to an ongoing investigation." The judge is a mere rubber stamp.
There is widespread agreement that this standard does not offer any meaningful privacy protection. The Administration supports giving some teeth to the standard. H.R. 5018 and H.R. 4987 are both intended, we believe, to improve the privacy protection accorded to pen register information by requiring the government to actually demonstrate, and the approving judge to actually find, that the information sought is relevant to a criminal investigation.
Section 4 of H.R. 4987 would amend the pen register and trap and trace statute to require a finding that the factual evidence underpinning the government's application for a surveillance order "reasonably indicates that a crime has been, is being, or will be committed, and information likely to be obtained by such installation and use [of the pen register or trap and trace device] is relevant to the investigation of that crime." The reasonable indication standard is a low standard, but at the same time is a very practical and well tested standard. In fact, the reasonable indication standard is the standard used in the Justice Department's guidelines for criminal and terrorist investigations. See "The Attorney General's Guidelines on General Crimes, Racketeering Enterprise, and Domestic Security/Terrorism Investigations," reprinted in FBI Domestic Security Guidelines: Oversight Hearings before the Subcomm. on Civil and Constitutional Rights of the House Comm. on the Judiciary, 98th Cong, 67 (1985). The reasonable indication standard was adopted by Ronald Reagan's Attorney General, William French Smith, in 1983 and reaffirmed by Attorney General Thornburgh in 1989. It has sufficed for all DOJ investigations ever since. So it is the appropriate standard for a judicial finding of justification for use of a pen register or trap and trace device. Pen registers could still be used at the earliest stages of an investigation, but they could not be used for fishing expeditions.
We note that the amendment in section 4 of H.R. 5018, which we think has the same basic intent, does not accomplish this purpose as well. H.R. 5018 would raise the standard to reasonable indication, but only with respect to email addresses. First, we think it is unwise in this context to be so technology specific. Singling out email addresses leaves open the question of many other types of Internet addressing information, such as URLs (Uniform Resource Locators, the addresses we use on the World Wide Web). Moreover, H.R. 5018 jumps into the middle of a much larger and yet unresolved debate about the extent to which the pen register statute is appropriate for the Internet at all. At this point, we have not even had a full debate on whether the pen register statute should apply to the Internet and if so what information should be collected and what the standard should be. For these reasons, we prefer section 4 of H.R. 4987 over section 4 of H.R. 5018.
Finally, H.R. 4987 addresses an issue of vital concern to the 60 or 70 million Americans who carry wireless phones with them -- the government's ability to turn those cell phones into tracking devices without the knowledge or consent of the user. Everybody agrees that the police, ambulance crews and firefighters need to locate people calling 911 on a wireless phone. The recent case of a kidnapping victim in Northern Virginia who was located and rescued through use of her cell phone when she called 911 is a perfect example of an extremely positive tracking feature. But cell phones also can be used to find a person who is not calling 911, but just making an ordinary call. Recently, the District of Columbia Court of Appeals held that this ability to locate the cell site at the beginning and end of a call is a requirement under the Communications Assistance for Law Enforcement Act. United States Telecomm Assoc. v. United States, No. 99-1442 (D.C. Cir Aug. 15, 2000). Some if not many cell phone systems have a more intrusive capability, and can be used to track a person's movements without her knowledge or consent whenever the phone is turned on, whether or not she is even making and receiving calls.
Yet what is the standard for government to access location information -- what legal justification does it take for the government to turn your cell phone into a tracking device? Bizarrely, nobody knows. CALEA says what the standard isn't -- it says that that location information cannot be obtained under a mere pen register -- but it doesn't say what the standard is. 47 USC 1002(a)(2). The FBI has claimed at times that 18 USC 2703(d) can be used to compel disclosure of real-time location information, but all of section 2703 clearly applies only to stored records, not to real-time interception. So we have an strange situation - there is a powerful surveillance technology in the hands of the government and the standard for utilizing it is unclear.
Section 6 H.R. 4987 addresses this gap with a simple and clear standard: the government should be able to turn a cell phone into a tracking device only on a showing of probable cause. This is the proper standard, for people carry their cell phones into places where they have a reasonable expectation of privacy. Section 6 also includes an exception for consent. Therefore, nothing in the bill affects the use of location information to locate people who are calling 911, since they are consenting to be found by the mere act of calling the government and asking for assistance. (The Office of Legal Counsel at the Justice Department already has an opinion to that effect.) Nor, it must be stressed, would the bill in any way deny the government the ability to track suspected drug traffickers, kidnappers, or terrorists. It would establish an appropriate standard for use of this highly sensitive technique.
To summarize, we would urge that H.R. 5018 and H.R. 4987 be melded as follows:
Administration proposal: I would like to briefly comment on the bill the Administration has sent to the Hill. The Administration draft is very complicated. It contains probably 80 different "cut-and-bite" amendments to the electronic surveillance statutes. It is very tedious to figure out what each of these means. We have not yet finished parsing them all. We know that the bill includes some privacy improvements, including some reflected in H.R. 5018. But it also includes other provisions weakening privacy. I will highlight just one. Section 4(b)(7) of the Administration bill will amend 18 USC 2703 to allow an ISP to disclose to the government the contents of communications and subscriber information (and a telephone company to disclose subscriber identifying information and toll records) whenever the service provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person justifies the disclosure. In support of this, the DOJ cites what sounds like a compelling case where a threat against someone's life has been received, but upon reflection, the justification for this type of procedure evaporates. There is no similar exception to the Fourth Amendment; in the most serious emergency situations a warrant is required. In fact, the Federal Rules allow for search warrant to be applied for and issued over the telephone. The Rule in fact allows the judge to direct the agent to sign the judge's name on the warrant. Such procedures are available under 2703. This Administration proposal allows the government to go to any service provider (ISP or telephone company) and claim that there is a life-threatening emergency. Hearing that, any ISP is permitted to disclose any communication and a telephone company is permitted to disclose months of toll records and any other stored information they have. This is really a return to the days when law enforcement officers would ask for all kinds of information and telephone companies and banks and credit card companies would provide it with no subpoena or warrant or court order. It is a huge exception to ECPA and one that is ripe for abuse and collusion.
|H.R.4908, the Notice of Electronic Monitoring Act
H.R. 4908, introduced in the House by Chairman Canady and Rep. Barr, is the simplest and most modest of bills, yet it addresses one of the most common and least appreciated forms of electronic surveillance - secret monitoring in the workplace. The bill merely requires employers to tell their employees in advance what types of monitoring they will be subject to. Yet this alone will go a long way to restoring to workers their sense of dignity, which is a large part of the concept of privacy. It is also likely that the mere requirement to give notice will rein in the more intrusive forms of workplace monitoring, as employers will find that some practices cannot withstand even the simple act of open disclosure and acknowledgment.
This bill is necessary because the same computer and communications technology that has reshaped our workplaces, spawning the information economy and improving the productivity of workers, can be used for surreptitious monitoring. Indeed, workplace monitoring has become rampant. More than 73 percent of large U.S. firms monitor the email, computer files, and phone calls of their workers, twice as many as reported doing so in 1997, according to an April 2000 survey by the American Management Association. http://www.amanet.org/research/stats.htm. In many instances, the monitoring technology is installed and used without warning.
In the last year, software has become more advanced, enabling companies to automatically record, filter and sort every word of every email that employees type. See Lisa Guernsey, You've Got Inappropriate Mail; Monitoring of Office E-Mail Is Increasing, New York Times, Apr. 5, 2000, C1. The power of the technology is quite impressive: Cameo, an e-mail monitoring system developed by MicroData Group Inc., is able to search for words and key phrases in documents, and can scan up to 50,000 messages per hour. One workplace monitoring software program is even called "Little Brother" by its developer. http://www.kansmen.com/products/lb/index.htm.
H.R. 4908 has a simple response: employers should tell their employees in advance what type of monitoring they will be subject to. To demonstrate the narrow focus of the bill, let me summarize its provisions. The bill requires employers to give to their employees prior notice of electronic monitoring of wire, oral or electronic communications or other computer usage. The bill does not apply to ordinary visual supervision -- it applies only to monitoring by electronic means. It covers surveillance techniques such as keystroke monitoring, listening in on telephone calls, hidden microphones to pick up conversations, and programs to monitor email or Web surfing. Notice must be given before the first instance of monitoring -- when the employee is hired or during the first day on the job or when the monitoring practice is first instituted -- and then once again annually as a reminder. Notice must also be given before an employer implements a material change in its monitoring practices.
The notice must specify the form of communication or computer usage that will be monitored; the means by which monitoring will be accomplished; the kinds of information that will be obtained through such monitoring; the frequency of monitoring; and how information obtained by such monitoring will be used. The notice must be clear and conspicuous. It can be provided in an employee manual, so long as it is not buried. It can be provided on a computer screen, for example, when an employee logs on.
There are some reasonable exceptions: Employers can monitor without notice when they reasonably believe that a particular employee is engaged in conduct that significantly violates the rights of the employer or another person.
The bill establishes significant but not onerous civil damages: $5,000 liquidated damages per violation, but the bill caps the damages at 20,000 per employee and $500,000 per employer. This means for example, that if an employer had violated the act with respect to thousands of employees, it damages would still be limited to $500,000. This is significant, but can hardly be called oppressive for large companies. There are no criminal penalties.
Employers have a justified interest in monitoring their employees and H.R. 4908 would not interfere with any above board employer practice. The bill does not give employees the right to refuse to be monitored -- by accepting and continuing employment, an employee consents to the form of monitoring. The bill does not create due process rights for employees to content disciplinary or promotional decisions. The bill's notice requirement is merely a matter of sound management practice. Indeed, the American Management Association, a leading management development organization with approximately 70,000 individual members and 10,000 corporate members, recommends that employers give clear notice of electronic monitoring practices. http://www.amanet.org/research/specials/elecmont.htm
As I noted earlier, the bill does not address all the issues raised by workplace monitoring. It is often said that there are four components of privacy or fair information practices: notice, choice, access and security. H.R. 4908 addresses only the first of these. The bill recognizes that the workplace is different in some respects and that the four components of privacy do not apply there in the same way they do, for example, in the consumer context. It may be that the other elements of privacy need to be addressed in union negotiations or through other avenues. For now though, it should be clear that the notice issue is a pressing one and can be addressed by Congress without limiting employers' authority to supervise and discipline their workers.
We believe there is one oversight in the drafting of the bill that should be addressed, and that has to do with monitoring in the workplace through the use of hidden video cameras. As the bill is currently drafted, it does not cover video cameras that do not pick up sound. Yet there have been some truly egregious cases of employers using hidden cameras to secretly spy on their employees. Consider the following cases from the ACLU's web site: A few years ago, postal workers in New York City were horrified to discover that management had installed video cameras in the restroom stalls. Female workers at a large Northeastern department store discovered a hidden video camera installed in an empty office space that was commonly used as a changing room. Waiters in a large Boston hotel were secretly videotaped dressing and undressing in their locker room. http://www.aclu.org/library/pbr2.html
With the changes we have outlined above, the three bills before the Subcommittee today constitute a modest improvement in privacy protections without in any way denying the government any investigative tools. There are other steps that need to be taken in the future:
*. The Center for Democracy and Technology is a non-profit, public interest organization dedicated to promoting civil liberties and democratic values on the Internet. Our core goals include ensuring that the Constitution�s protections extend to the Internet and other new media. CDT also coordinates the Digital Privacy and Security Working Group (DPSWG), a forum for more than 50 computer, communications, and public interest organizations, companies, and associations working on information privacy and security issue.