Electronic Frontier Foundation


Testimony of

Jerry J. Berman, Policy Director
Electronic Frontier Foundation

before the

United States House Of Representatives
Committee on Energy and Commerce 
Subcommittee On Telecommunications and Finance

Hearing on 

Digital Telephony Legislation (H.R. 4922)



September 13, 1994

Chairman Markey and Members of the Subcommittee:

	I want to thank you for the opportunity to testify today on the 
recently introduced Digital Telephony bill (H.R. 4922, S. 2375).  Over 
the past several years under the leadership of Chairman Markey, 
Representatives Fields, Boucher, and others, the Subcommittee has 
demonstrated knowledge, sensitivity, and vision in crafting our nation's 
telecommunications policy.  I am pleased that the Subcommittee has 
chosen to apply its experience and expertise to the extraordinarily 
complex issues posed by the Digital Telephony legislation.
	The Electronic Frontier Foundation (EFF) is a public interest 
membership organization dedicated to achieving the democratic potential 
of new communications and computer technology and works to protect civil 
liberties in new digital environments.  EFF also coordinates the Digital 
Privacy and Security Working Group (DPSWG), a coalition of more than 50 
computer, communications, and public interest organizations and 
associations working on communications privacy issues.  I am testifying 
today, however, only on behalf of EFF.
	Since 1992, the Electronic Frontier Foundation has opposed a 
series of FBI Digital Telephony proposals, each of which would have 
forced communications companies to install wiretap capability into every 
communications network. However, earlier this year, when it became 
apparent that some version of the bill would pass the Congress, Senator 
Patrick Leahy and Representative Don Edwards asked EFF, along with 
computer and communications industry groups, to participate in a process 
that would yield a narrow bill that both met law enforcement needs and 
had strong privacy protections.  The result of that process is the bill 
before us today. 
	EFF remains deeply troubled by the prospect of the federal 
government requiring communications networks to be made "wiretap ready," 
but we believe that this legislation is substantially less intrusive 
than the original FBI proposals. If Congress is going to act in this 
area, it should work to improve and pass this version of the 
legislation.
	As I testified to before a joint hearing of the House Subcommittee 
on Civil and Constitutional Rights and the Senate Subcommittee on 
Technology and the Law on August 11, 1994, we have worked diligently on 
this legislation with all interested parties in an effort to strike a 
careful balance between law enforcement's ability to conduct electronic 
surveillance and the more important public good -- the right to privacy 
guaranteed by the 4th amendment. The bill strikes this balance in a 
number of critical areas:
	
	*  Law enforcement gains no additional authority to conduct 
           electronic surveillance.  The warrant requirements specified 
           under current law remain unchanged

	*  The standard for law enforcement access to online 
           transactional records is raised to require a court order
           instead of a mere subpoena

	*  Information gleaned from pen register devices is limited to dialed
           number information only.  Law enforcement may not receive
           location-specific information

	*  The bill does not preclude a citizen's right to use encryption
		
	*  Privacy must be maintained in making new technologies 
           conform to the requirements of the bill and privacy groups 
           may intervene in the administrative standard-setting 
           process.

	 However, Mr. Chairman, the effectiveness of these privacy 
protections, as well as the future of technological innovation and the 
deployment of advanced telecommunications services to the American 
public, turn on one critical issue which remains to be addressed:  Who 
assumes the risk and pays the cost of complying with the bill's 
requirements?  The government or industry?  
	  EFF believes that allocating the risk and cost to industry will 
place privacy and security at risk if industry is required to foot the 
bill for unnecessary or unwarranted surveillance capabilities. 
Similarly, privacy may be shortchanged if industry takes short cuts to 
save costs in meeting the legislation's requirements.   Industry may 
also be discouraged from deploying new and innovative technologies 
because of the costs of law enforcement compliance features.  Finally, 
public accountability is undermined by making potentially significant 
law enforcement costs without public scrutiny and debate.   In our view, 
the public interest can only be served if government assumes the risk 
and pays the costs of compliance.  While effective law enforcement may 
be in the public interest, it should not come at the expense of other 
public goods --  privacy, public accountability, and technological 
innovation.  To resolve this issue, we believe that the legislation 
should be amended to require government to pay all reasonable costs 
incurred to meet the statute's requirements on an ongoing basis. 
	
A.	Linkage of cost to compliance requirements in the first four 
	years -- the FBI gets what it pays for and no more

	The bill authorizes, but does not appropriate, $500 million to be 
spent by the government in reimbursing telecommunications carriers for 
bringing their networks into compliance with the bill within the first 
four years of enactment. The FBI maintains that this is enough money to 
cover all reasonable expenses of retrofitting. The industry, however, 
has consistently maintained that the costs are five to ten times higher. 
Given the FBI's confidence in their cost estimate, we believe that 
telecommunications carriers should only be required to comply to the 
extent that they have been reimbursed. 
	In his testimony before a joint hearing of the House Subcommittee 
on Civil and Constitutional Rights and the Senate Subcommittee on 
Technology and the Law on August 11, 1994, the FBI director stated that 
"I think it would be [...] extremely unlikely for a district court judge 
in the process which is contemplated by this legislation to force 
compliance or use of any sanctions when compliance is impossible because 
of the non-reimbursement which is the predicate in the legislation".  
Based on the Director's previous testimony and other discussions with 
the FBI, EFF believes that the bill should include a provision to 
directly link telecommunications carriers' liability with government 
reimbursement for retrofitting.


B.	Government reimbursement for compliance costs after four years 
	-- public accountability necessary 

	The problem, Mr. Chairman, is that under the current bill, the 
government is not responsible for paying the cost of meeting the 
mandated capability requirements after four years, particularly with 
respect to new services. The FBI has repeatedly argued that the costs 
for incorporating surveillance capabilities in new services at the 
design stage will be de minimis, a contention which most industry 
representatives and EFF believe may not be correct.  
	As this Subcommittee is aware, it is impossible to estimate 
compliance costs for technologies which are not even on the drawing 
boards.  The way to resolve the issue is to have the government assume 
the risks.  
	If costs for compliance after four years are truly de minimis,  
then the expenses borne by the taxpayers will be minimal.  If, however, 
costs are substantial, the government should pay.  This will ensure that 
the government,  on a case-by-case basis and with an opportunity for 
public oversight, determines if compliance is significant enough to pay 
for out of taxpayers' funds.  This will also ensure that the government 
sets law enforcement priorities.  
	As I stated earlier,  if the telecommunications industry is 
responsible for all future compliance costs, it may be forced to accept 
solutions which short-cut the privacy and security of telecommunications 
networks, or be forced to leave advanced features on the shelf, slowing 
technological innovation and the development of the NII.  Linking 
compliance to government reimbursement in the out years also has the 
added benefit of providing public oversight and accountability for law 
enforcement surveillance capability.   
	The drafters of this legislation have wisely included public 
oversight of government surveillance expenditures in the first four 
years.  This same principle should be applied to out year compliance 
costs.  

C.	Ensure the right to deploy untappable services 

	The enforcement provisions of the bill suggest, but do not state 
explicitly, that services which are untappable may be deployed.    
Having worked for many years towards the goal of promoting the 
development of the NII, the members of this Subcommittee are clearly 
aware that its promise and potential rest on the deployment of advanced 
technologies and services.  EFF remains deeply concerned that 
technological innovation and the deployment of advanced 
telecommunications services to the public may be stifled if 
telecommunications carriers are forced to incur huge costs for 
compliance, or if the Government is allowed to prohibit a new feature or 
service from being deployed.  Although EFF believes that the bill 
intends to allow carriers to deploy untappable features or services,  
the bill must clearly state that if it is technically and economically 
unreasonable to make a service tappable, or if the government has failed 
to reimburse a carrier for compliance costs, then it may be deployed, 
without interference by a court.  Making the government responsible for 
all reasonable costs of having new services comply with the legislation 
will go a long way to insuring that this legislation will not be a drag 
on innovation.

D.	Additional areas where strengthening is necessary

	In addition to our concerns about compliance costs, EFF believes 
that the bill requires strengthening in the following areas before final 
passage:


1.	Strengthened public process

	In the first four years of the bill's implementation, most of the 
requests that law enforcement makes to carriers are required to be 
recorded in the public record. However, additional demands for 
compliance after that time are only required to be made by written 
notice to the carrier.   To facilitate public scrutiny, the bill should 
require that all compliance requirements, whether initial requests or 
subsequent modifications, be recorded in the Federal Register.

2.	Clarify definition of call identifying information 

	The definition of call identifying information in the bill is too 
broad. Whether intentionally or not, the term now covers network 
signaling information of networks which are beyond the scope of the 
bill.  As drafted, the definition would appear to require 
telecommunications carriers to deliver not only the signaling 
information generated by their own services, but also the signaling 
information generated by information services and electronic 
communication services that travel over the facilities of the 
telecommunication carrier.  In many cases this may be technically 
impractical.  Moreover, it is contrary to the policy adopted by the bill 
to maintain a narrow scope.

3.	Review of minimization requirements in view of commingled 
        communications

	The bill implicitly contemplates that law enforcement, in some 
cases, will intercept large bundles of communications, some of which are 
from subscribers who are not the subject of wiretap orders. For example, 
when tapping a single individual whose calls are handled by a PBX, law 
enforcement may sweep in calls of other individuals as well. Currently 
the Constitution and Title III require "minimization" procedures in all 
wiretaps, to minimize the intrusion on the privacy of conversations not 
covered by a court's wiretap order.  In the world of 1968, when the 
original Wiretap Act was passed, most subscribers' telecommunications 
facilities carried single conversations on single lines.  But today, 
many conversations are co-mingled on one broadband communications 
facility.  In order to ensure that constitutionally-mandated 
minimization is maintained, the bill should recognize that stronger 
minimization procedures may be required.

E. New privacy protections

	The Digital Telephony legislation before us includes significant 
recognition that new communication technologies, and new patterns of 
technology use, require new privacy protections.  Thanks to the work of 
Senator Leahy and Representative Edwards and Senator Biden, the bill 
contains a number of significant privacy advances, including enhanced 
protection for the detailed transactional information records generated 
by online information services, email systems, and the Internet.  These 
protections should remain in the legislation.

1.	Expanded protection for transactional records sought by law 
        enforcement

	Chief among these new protections is an enhanced protection for 
transactional records from indiscriminate law enforcement access.  For 
purposes of maintenance and billing, most online communication and 
information systems create detailed records of users' communication 
activities as well as lists of the information that they have accessed. 
Provisions in the bill recognize that this transactional information 
created by new digital communications systems is extremely sensitive and 
deserves a high degree of protection from casual law enforcement access 
which is currently possible without any independent judicial 
supervision. 
	EFF commends the authors of this legislation for recognizing that 
law enforcement access to transactional records in online communication 
systems (everything from the Internet to America OnLine to hobbyist 
BBSs) threatens privacy rights.  Indiscriminate access to transactional 
records implicates privacy interests because:

	* the records are personally identifiable, 
	* they reveal the content of people's communications, and,
	* the compilation of such records makes it easy for law enforcement 
          to create a detailed picture of people's lives online. 

Based on this recognition, the draft bill contains the following 
provisions:

	* Court order required for access to transactional records instead 
          of mere subpoena
	
	In order to gain access to transactional records, such as a list 
of to whom a subject sent email, which online discussion group one 
subscribes to, or which movies a subject requested on a pay-per-view 
channel, law enforcement will have to prove to a court, by the showing 
of "specific and articulable facts" that the records requested are 
relevant to an ongoing criminal investigation. This means that the 
government may not request volumes of transactional records merely to 
see what it can find through traffic analysis. Rather, law enforcement 
will have to prove to a court that it has reason to believe that it will 
find specific information relevant to an ongoing criminal investigation 
in the records it requests.
	With these provisions, we have achieved for all online systems a 
significantly greater level of protection than exists today for records 
such as email logs, and greater protection than currently exists for 
telephone toll records. The lists of telephone calls that are kept by 
local and long distance phone companies are available to law enforcement 
without any judicial intervention at all. Law enforcement gains access 
to hundreds of thousands of such telephone records each year, without a 
warrant and without even notice to the citizens involved. Court order 
protection will make it much more difficult for law enforcement to go on 
"fishing expeditions" through online transactional records, hoping to 
find evidence of a crime by accident.  We have also submitted a detailed 
memorandum on the importance of protection and would ask that this 
document be included in the record of these proceedings along with this 
testimony.

	* Standard of proof much greater than for telephone toll records, 
          but below that for content

	The most important change that these new provisions offer is that 
law enforcement will: (a) have to convince a judge that there is reason 
to look at a particular set of records, and; (b) have to expend the time 
and energy necessary to have a United States Attorney or District 
Attorney actually present a case before a court. However, the burden of 
proof to be met by the government in such a proceeding is lower than 
required for access to the content of a communication.

2.	New protection for location-specific information available in 
        cellular, PCS and other advanced networks 

	Much of the electronic surveillance conducted by law enforcement 
today involves gathering telephone dialing information through a device 
known as a pen register. Authority to attach pen registers is obtained 
merely by asserting that the information would be relevant to a criminal 
investigation. Under current law, courts must approve pen register 
requests without any substantive review of the basis for law 
enforcement's request. This legislation offers significant new limits on 
the use of pen register data.
	Under this bill, when law enforcement seeks pen register 
information from a telecommunications carrier, the carrier is forbidden 
to deliver to law enforcement any information which would disclose the 
location or movement of the calling or called party. Cellular phone 
networks, PCS systems, and so-called "follow-me" services all store 
location information in their networks. This new limitation is a major 
safeguard which will prevent law enforcement from casually using mobile 
and intelligent communications services as nation-wide tracking systems.

3.	New limitations on "pen register" authority 

	Contemporary uses of pen registers also involve substantial 
privacy invasion, even aside from location information.  Currently, law 
enforcement is able to use pen registers to capture not only the 
telephone number dialed, but also any other touch-tone digits dialed 
which reflect the user's interaction with an automated information 
service on the other end of the line, such as an automatic banking 
system or a voice-mail password. If this bill is enacted, law 
enforcement would be required to use "technology reasonably available" 
to limit pen registers to the collection of calling number information 
only.  We are aware that new pen register devices are now on the market 
which automatically screen out all dialed digits except for the actual 
telephone numbers.  Just as this bill would require telecommunications 
carriers to deploy technology which facilitates taps, we believe that 
law enforcement should be required to deploy technology which shields 
users' communications from unauthorized invasion.

4.	Bill does not preclude use of encryption 

	Unlike previous Digital Telephony proposals, this bill places no 
obligation on telecommunication carriers to decipher encrypted messages, 
unless the carrier actually holds the key to the message as well. 

5.	Automated remote monitoring precluded 

	Law enforcement is specifically precluded from having automated, 
remote surveillance capability. Any court-ordered electronic 
surveillance must be initiated by an employee of the telecommunications 
carrier, upon request by law enforcement.  Maintaining operational 
separation between law enforcement agents and communication networks is 
an important privacy safeguard. 

6.	Privacy considerations essential to development of new technology 

	One of the requirements that telecommunications carriers must meet 
to be in compliance with the bill is that the wiretap access methods 
adopted must protect the privacy and security of each user's 
communication. If this requirement is not met, anyone may petition the 
FCC to have the wiretap access requirements modified so that network 
security is maintained. This requirement, just like those designed to 
serve law enforcement's needs, must be carefully implemented and 
monitored so that  the technology used to conduct wiretaps cannot also 
jeopardize the security of the network as a whole. If network-wide 
security problems arise because of wiretapping standards, then the 
standards should be overturned.

F.	Improvements over previous Administration proposals 

	In addition to the privacy protections added to this bill, we also 
note that the surveillance requirements are not as far-reaching as the 
original FBI version. A number of procedural safeguards are added which 
seek to minimize the threats to privacy, security, and innovation. 
Though the underlying premise of the bill is still cause for concern, 
these new limitations deserve attention: 

1.	Narrow Scope

	The bill explicitly excludes Internet providers, email systems, 
BBSs, and other online services. Unlike the bills previously proposed by 
the FBI, this bill is limited to local and long distance telephone 
companies, cellular and PCS providers, and other common carriers. 

2.	Open process with public right of intervention 

	The public will have access to information about the 
implementation of the bill, including open access to all standards 
adopted in compliance with the bill, the details of how much wiretap 
capacity the government demands, and a detailed accounting of all 
federal money paid to carriers for modifications to their networks. 
Privacy groups, industry interests, and anyone else has a statutory 
right under this bill to challenge implementation steps taken by law 
enforcement if they threaten privacy or impede technology advancement.

3.	Technical requirements standards developed by industry instead of 
        the Attorney General

	All surveillance requirements are to be implemented according to 
standards developed by industry groups. The government is specifically 
precluded from forcing any particular technical standard, and all 
requirements are qualified by notions of economic and technical 
reasonableness.

4.	Right to deploy untappable services

	Unlike the original FBI proposal, this bill recognizes that there 
may be services which are untappable, even with Herculean effort to 
accommodate surveillance needs. We understand that the bill intends to 
allow untappable services to be deployed if redesign is not economically 
or technically feasible.  These provisions, however, should be 
clarified. 

G.	Conclusion

	In closing, I would like to thank Chairman Markey and members of 
the Subcommittee, as well as others who have worked so hard on this 
legislation.  The Electronic Frontier Foundation looks forward to 
working with all of you as the bill moves through the legislative 
process.


-- 
Stanton McCandlish (http://www.eff.org/~mech/mech.html)
mech@eff.org
Electronic Frontier Fndtn. (http://www.eff.org/)
Online Activist (http://www.eff.org/~mech/a.html)
