<DOC>
[109th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:20710.wais]
IMPLEMENTATION OF THE USA PATRIOT ACT: CRIME, TERRORISM AND THE AGE OF
TECHNOLOGY
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON CRIME, TERRORISM,
AND HOMELAND SECURITY
OF THE
COMMITTEE ON THE JUDICIARY
HOUSE OF REPRESENTATIVES
ONE HUNDRED NINTH CONGRESS
FIRST SESSION
__________
APRIL 21, 2005
__________
Serial No. 109-18
__________
Printed for the use of the Committee on the Judiciary
Available via the World Wide Web: http://www.house.gov/judiciary
______
U.S. GOVERNMENT PRINTING OFFICE
20-710 WASHINGTON : 2005
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512ÿ091800
Fax: (202) 512ÿ092250 Mail: Stop SSOP, Washington, DC 20402ÿ090001
COMMITTEE ON THE JUDICIARY
F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman
HENRY J. HYDE, Illinois JOHN CONYERS, Jr., Michigan
HOWARD COBLE, North Carolina HOWARD L. BERMAN, California
LAMAR SMITH, Texas RICK BOUCHER, Virginia
ELTON GALLEGLY, California JERROLD NADLER, New York
BOB GOODLATTE, Virginia ROBERT C. SCOTT, Virginia
STEVE CHABOT, Ohio MELVIN L. WATT, North Carolina
DANIEL E. LUNGREN, California ZOE LOFGREN, California
WILLIAM L. JENKINS, Tennessee SHEILA JACKSON LEE, Texas
CHRIS CANNON, Utah MAXINE WATERS, California
SPENCER BACHUS, Alabama MARTIN T. MEEHAN, Massachusetts
BOB INGLIS, South Carolina WILLIAM D. DELAHUNT, Massachusetts
JOHN N. HOSTETTLER, Indiana ROBERT WEXLER, Florida
MARK GREEN, Wisconsin ANTHONY D. WEINER, New York
RIC KELLER, Florida ADAM B. SCHIFF, California
DARRELL ISSA, California LINDA T. SANCHEZ, California
JEFF FLAKE, Arizona ADAM SMITH, Washington
MIKE PENCE, Indiana CHRIS VAN HOLLEN, Maryland
J. RANDY FORBES, Virginia
STEVE KING, Iowa
TOM FEENEY, Florida
TRENT FRANKS, Arizona
LOUIE GOHMERT, Texas
Philip G. Kiko, Chief of Staff-General Counsel
Perry H. Apelbaum, Minority Chief Counsel
------
Subcommittee on Crime, Terrorism, and Homeland Security
HOWARD COBLE, North Carolina, Chairman
DANIEL E. LUNGREN, California ROBERT C. SCOTT, Virginia
MARK GREEN, Wisconsin SHEILA JACKSON LEE, Texas
TOM FEENEY, Florida MAXINE WATERS, California
STEVE CHABOT, Ohio MARTIN T. MEEHAN, Massachusetts
RIC KELLER, Florida WILLIAM D. DELAHUNT, Massachusetts
JEFF FLAKE, Arizona ANTHONY D. WEINER, New York
MIKE PENCE, Indiana
J. RANDY FORBES, Virginia
LOUIE GOHMERT, Texas
Jay Apperson, Chief Counsel
Elizabeth Sokul, Special Counsel on Intelligence
and Homeland Security
Jason Cervenak, Full Committee Counsel
Michael Volkov, Deputy Chief Counsel
Bobby Vassar, Minority Counsel
C O N T E N T S
----------
APRIL 21, 2005
OPENING STATEMENT
Page
The Honorable Howard Coble, a Representative in Congress from the
State of North Carolina, and Chairman, Subcommittee on Crime,
Terrorism, and Homeland Security............................... 1
The Honorable Robert C. Scott, a Representative in Congress from
the State of Virginia, and Ranking Member, Subcommittee on
Crime, Terrorism, and Homeland Security........................ 2
WITNESSES
The Honorable Laura H. Parsky, Deputy Assistant Attorney General,
U.S. Department of Justice
Oral Testimony................................................. 4
Prepared Statement............................................. 7
Mr. Steven M. Martinez, Deputy Assistant Director, Cyber
Division, Federal Bureau of Investigation
Oral Testimony................................................. 27
Prepared Statement............................................. 29
Mr. Jim Dempsey, Executive Director, Center for Democracy and
Technology
Oral Testimony................................................. 32
Prepared Statement............................................. 34
Mr. Peter Swire, Professor of Law, Ohio State University
Oral Testimony................................................. 38
Prepared Statement............................................. 41
APPENDIX
Material Submitted for the Hearing Record
Prepared Statement of the Honorable Robert C. Scott, a
Representative in Congress from the State of Virginia, and
Ranking Member, Subcommittee on Crime, Terrorism, and Homeland
Security....................................................... 75
Prepared Statement of the Honorable Maxine Waters, a
Representative in Congress from the State of California........ 76
Submission by Peter Swire entitled ``The System of Foreign
Intelligence Surveillance Law,'' 72 George Washington Law
Review 1306 (2004), available at http://papers.ssrn.com/sol3/
papers.cfm?abstract_...........................................
id=586616........................................................ 77
IMPLEMENTATION OF THE USA PATRIOT ACT: CRIME, TERRORISM AND THE AGE OF
TECHNOLOGY
----------
THURSDAY, APRIL 21, 2005
House of Representatives,
Subcommittee on Crime, Terrorism,
and Homeland Security
Committee on the Judiciary,
Washington, DC.
The Subcommittee met, pursuant to notice, at 10:03 a.m., in
Room 2141, Rayburn House Office Building, the Honorable Howard
Coble (Chair of the Subcommittee) presiding.
Mr. Coble. Good morning, ladies and gentlemen. Good to have
you all with us for our oversight hearing on the implementation
of the USA PATRIOT Act, sections 209, 217, and 220 of the act
that address crime, terrorism, and the age of technology.
Our Nation has a dependency problem, one that we need to
nurture and protect. That dependency is on technology.
Computers and related technology have improved every aspect of
our lives, our health care, our education, our security, just
to name a few.
This same technology also aids those who threaten our
Nation and it facilitates terrorists and criminals alike. At
the stroke of a key someone can cause millions of dollars of
damage to our economy or shut down 911 systems of our emergency
responders.
The threat has grown with the benefits of and dependency
upon technology. Now, after September 11 attacks, the risks are
greater. Even prior to the attacks the Judiciary Subcommittee
on Crime, Terrorism, and Homeland Security had been working on
legislation to improve Federal law to protect the Nation from
cybercrime and cyberterrorism.
In an almost prophetic effort this Subcommittee held three
hearings on the growing threat of cybercrime and cyberterrorism
in the summer of 2001, and was in the process of drafting
legislation to meet those threats when the 9/11 attacks
occurred.
These hearings highlighted that the Border Patrol and
checkpoints at our airports and shipping ports cannot protect
against cybercrime and terrorism.
This type of crime is borderless, knows no restraints, and
can substantially harm the Nation's economy and our citizens.
To protect our privacy and our safety, law enforcement must
be able to deal with new technology and the associated
challenges. The borderless nature of cyberspace causes
jurisdictional and investigative problems for law enforcement
and facilitates often times criminal activity.
The law enforcement officials and private representatives
at these hearings agreed that the criminal law needed to be
updated and clarified.
In the PATRIOT Act, this Committee incorporated H.R. 2915,
the legislation produced by the Subcommittee and then Chairman
Lamar Smith in the summer of 2001. The PATRIOT Act updated
criminal law to address the new challenges. These updates were
designed to help law enforcement assess whether unlawful
conduct is the result of criminal activity or terrorist
activity and to respond appropriately.
The hearing today will discuss sections 209 that deals with
stored electronic communications; 217 that addresses computer
trespassers; and 220 that updates the service of search
warrants for electronic communications.
These sections are set to expire on December 31 of this
year.
I look forward to hearing from the testimonies from the
witnesses, and now I'm pleased to recognize the distinguished
Gentleman from Virginia, the Ranking Member, Mr. Bobby Scott.
Mr. Scott. Thank you, Mr. Chairman. And thank you again for
scheduling another hearing on the USA PATRIOT Act. I think it's
important that we have these hearings. I think we did a good
job as a Committee when we passed the PATRIOT Act.
Unfortunately, our work somehow dissolved between the Committee
and the floor of the House. But we have taken in one of the
points of this sunset which was to give us an opportunity to
review our work product, and these hearings are certainly
extremely important.
This hearing is about the investigation and prosecution of
crimes through use of electronic evidence, section 209 of the
act references seizure of voice mail messages pursuant to a
warrant. However, that section authorizes access to much more
than just voice mail and authorizes access through ways other
than warrants, such as administrative, grand jury, and court
issued subpoenas. And under the appropriate circumstances,
there can also be the sneak and peak situations where they ate
warrants, court subpoenas, or administrative subpoenas. So
we're talking about a section that is not only misleading
relative to the breadth of police powers that authorizes, but a
title that is deceptive as to the extraordinary nature of those
powers.
Quite frankly, Mr. Chairman, the more I review the extent
of these powers that we have extended to law enforcement
through provisions such as section 209, the more I am pleased
with our decision to provide for a sunset on some of those
powers in order that we may review in earnest what we have done
so that law enforcement authorities who get access to our
private information pursuant to these powers will be aware that
we are reviewing their actions.
This is a section whose original purpose was to protect or
electronic data against intrusion. Now, we see a big loophole
that we carved out for the purpose of law enforcement access
and the limitations on traditional methods of holding law
enforcement accountable, such as prior notice for the right to
quash and oversight of a court through return reports to the
court within a certain number of days.
And so I'm convinced that the sunset review in this area is
absolutely essential to our oversight responsibilities to the
public.
This is especially true in the areas of electronic and
general technology given the growing impact of technology to
our society. I have the same concerns about section 217, which
allows an ISP to give law enforcement wide latitude to look at
private electronic communications without court oversight or
review.
It's one thing to call law enforcement to look at a
trespass that is occurring. But it's another thing to call on
law enforcement to look to see if anything suspicious is going
on prior to a trespass actually occurring.
And while I can understand the efficiency of certain
arguments for a nationwide search warrant authority in the area
of electronic communications, I'm also concerned with the
sufficiency of the notice and the right to challenge an
oversight of such warrants.
Now for law enforcement, I think it's important to note
that I think these powers should be available in appropriate
circumstances. So I'm not calling for a sunset of those powers.
However, the public's protection of their privacy as well as
their safety, I'm saying that we need to look more precisely at
the notice to oversight and reporting requirements for these
powers and make appropriate adjustments.
We should also continue this kind of oversight through
sunsets where we have to periodically look at the use of these
powers in an arena of evolving technologies and where law
enforcement is aware that the use of these powers will need to
be scrutinized and justified.
And so, Mr. Chairman, I look forward to the testimony of
our witnesses on how we might best do that and working with you
on implementing our recommendations.
Mr. Coble. I thank you, Mr. Scott.
Lady and gentlemen, it's the practice of the Subcommittee
to swear in all witnesses appearing before us. So if you all
would please stand and raise your right hands
[Witnesses sworn.]
Mr. Coble. Let the record show that each of the witnesses
answered in the affirmative. You may be seated.
We have a very distinguished panel today. And I will
introduce them before we take testimony.
Our first witness is Ms. Laura H. Parsky, the Deputy
Assistant Attorney General of the Criminal Division at the
United States Department of Justice. In addition to serving at
the Department of Justice, Ms. Parsky has served as Director of
International Justice and Contingency Planning at the National
Security Council. She was graduated from Yale University and
obtained her law degree from Boalt Hall School of Law at the
University of California at Berkeley. Following law school, Ms.
Parsky clerked for the Honorable D. Lowell Jensen of the United
States District Court for the Northern District of California.
Our second witness today is Mr. Steven Martinez, Deputy
Assistant Director for the Cyber Division of the FBI. Prior to
beginning his current position, Mr. Martinez served in many
capacities within the FBI, including managing the counter
terrorism and counter intelligence efforts during the staging
and commencement of Operation Iraqi Freedom. Mr. Martinez is a
graduate of St. Mary's College of California and received a
master's degree from the University of California at Berkeley.
Our next witness is Mr. Jim Dempsey, Executive Director of
the Center for Democracy and Technology. Prior to joining the
Center, Mr. Dempsey was a Deputy Director of the Center for
National Security Studies and also served as Assistant Counsel
to the House Judiciary Committee's Subcommittee on Civil and
Constitutional Rights. Mr. Dempsey is a graduate of Yale
University and the Harvard Law School.
Our final witness today is Mr. Peter Swire, Professor of
Law at the Ohio State University's Moritz College of Law.
Previously, Mr. Swire served in the Clinton Administration as
Chief Counselor for Privacy in the Office of Management and
Budget. Professor Swire is a graduate of Princeton University
and the Yale Law School. After graduating from law school, he
clerked for Judge Ralph K. Winter, Jr., of the United States
District Court--strike that--of the United States Court of
Appeals for the Second Circuit.
Folks, it's mighty good to have all of you with us. As you
all have been previously informed, we operate under the 5-
minute rule here, and you will see the panels before you at the
desk when amber light appears that is your notification that
time is elapsing rapidly. And when the red light appears, the 5
minutes have expired. And have furthermore imposed the 5-minute
rule against ourselves as well. So when we examine you, if you
all could be terse, we would be appreciative of that.
Ms. Parsky, why don't you start us off?
TESTIMONY OF THE HONORABLE LAURA H. PARSKY, DEPUTY ASSISTANT
ATTORNEY GENERAL, U.S. DEPARTMENT OF JUSTICE
Ms. Parsky. Thank you. Good morning, Mr. Chairman, Ranking
Member Scott and honorable Members of the Subcommittee.
It is my pleasure to appear before you to discuss sections
209, 217, and 220 of the PATRIOT Act, provisions that have
authorized our laws to keep pace with new technologies. These
provisions have made commonsense changes that have harmonized
the treatment of similar situations, that have eliminated
unnecessary and inefficient processes, and that have given back
to victims the rights they deserve.
Together, they are a significant step forward in meeting
the challenges of investigating and prosecuting crime in the
21st century.
Our world has changed in dramatic ways in recent years. On
the one hand, as September 11th made tragically clear, we face
the threat of terrorism on a scale that was previously
unimaginable.
On the other hand, we have experienced tremendous
technological advancement that has given us modern wonders like
the Internet. It is because of both of these developments that
the PATRIOT Act is vital to our country's safety.
As the world changes, so must our laws. We cannot go back
to the days before September 11th, and we cannot turn back the
clock of the digital age. Likewise, we cannot regress to
outdated laws that defy reason in today's world.
Sections 209, 217, and 220 are just the kinds of
commonsense changes that we need to keep pace with technology.
Prior to the PATRIOT Act, voice mails were subject to
burdensome rules designed for ongoing access to live
communications rather than those rules for a single access to
other similar types of stored communications.
In fact, it was easier for law enforcement to get a warrant
to go into a person's home and listen to messages on that
person's answering machine than it was to obtain voice mail
messages left--stored with a third party.
Section 209 fixed this inconsistency by making the rules
for stored voice mail more consistent with those for other
types of stored messages, such as electronic mail.
Section 217 also addresses new technology, the rise of
computer networks, such as the Internet. Section 217 makes
clear that Federal law will not shield a person who trespasses
on the computer system of another. Section 217 puts the power
to decide who may enter property back where it belongs: in the
hands of the property owner, just as has always been the case
for homeowners.
Finally, section 220 recognizes that today's modern
communications technologies make it possible for records
relating to an investigation in a particular jurisdiction to be
stored in a distant jurisdiction, or in many cases in several
distant jurisdictions.
Rather than sending investigators all over the country to
explain the same set of facts over and over again to different
prosecutors and different judges, section 220 allows the
investigators and prosecutors who are most familiar with the
case to obtain authorization to gather electronic records from
a single judge in their own district, who is also most familiar
with the facts of the case, just as has always been the case
with other records subject to grand jury subpoenas. This
provision just makes practical sense in today's world of
electronic evidence.
In the three and a half years since Congress passed these
provisions of the PATRIOT Act by overwhelming bipartisan
majorities, we've had the opportunity to see these provisions
in action. We have seen the modern tools Congress authorized
through passage of the PATRIOT Act dramatically improve law
enforcement's ability to protect the safety and security of the
American people.
We have used these tools to disrupt terrorist networks and
to prevent terrorist attacks, to bring down international drug
conspiracies, and to rescue children in imminent danger.
Most significantly we have prevented another terrorist
attack from striking us here at home. These are the facts, not
fears.
The PATRIOT Act has made law enforcement more effective and
more efficient. All this has been done without impacting any of
the constitutional protections that we as Americans hold dear.
It is in this context that these tools must be evaluated.
It is this record of accomplishments that should be first and
foremost in your minds.
We cannot go back. If Congress fails to reauthorize the
PATRIOT Act, we will revert to old rules that hamstring law
enforcement with inefficient processes and unnecessary delays
in investigating 21st century crime.
The law would once again treat similar services differently
without good cause, and, worse, the law would protect criminals
at the expense of their victims' rights. If these provisions
are not renewed, law enforcement will be less efficient and
less effective in combating not only terrorism, but other
serious offenses, such as cyber crime, child exploitation and
kidnapping.
Our experience over the past three and a half years has
proven the utility and rationality of these modernizations of
our laws. In light of the very real threats we face today, we
cannot afford to go back to when technology was outpacing law
enforcement's tools.
Therefore, I ask that you continue to move our laws forward
by reauthorizing sections 209, 217, and 220 of the PATRIOT Act.
The Department of Justice appreciates this Subcommittee's
leadership in making sure that our country's laws meet the
challenges of today and of tomorrow.
Thank you for the opportunity to testify today and for your
continuing support. I am happy to try to answer any questions
you may have.
[The prepared statement of Ms. Parsky follows:]
Prepared Statement of Laura H. Parsky
<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>
Mr. Coble. Thank you, Ms. Parsky.
Mr. Martinez?
TESTIMONY OF STEVEN M. MARTINEZ, DEPUTY ASSISTANT DIRECTOR,
CYBER DIVISION, FEDERAL BUREAU OF INVESTIGATION
Mr. Martinez. Good morning, Mr. Chairman, Ranking Member
Scott, and Members of the Subcommittee.
My name is Steven Martinez. I'm the Deputy Assistant
Director of the FBI's Cyber Division. The primary mission of
the Cyber Division is to protect the American public against a
host of significant and potentially deadly high-tech crimes.
The uses of technology in our society are innumerable and
their value immeasurable. The state of technology has been
advancing rapidly over the past 20 years, much of it to the
benefit of people living in all corners of the world.
Unfortunately, the picture is not always so bright.
Technology has also been used to harm people, while
offering a particularly effective escape route. In this digital
age, crimes can and do occur within seconds without the
perpetrator ever getting anywhere physically close to the
victim.
In such a setting, law enforcement must be equipped with
the investigative tools necessary to meet, locate, and
incapacitate the growing threat.
With this background in mind, I want to thank you for the
opportunity to appear before you today to discuss certain
sections of the USA PATRIOT Act which are scheduled to expire
at the end of this year, specifically sections 209, 217, and
220. Going in numerical order, allow me to start with section
209.
Section 209 permits law enforcement officers to seize voice
mail with a search warrant rather than a surveillance, or title
III order. The importance of this provision is best understood
in the context of how often terrorists and other criminals rely
on technology to relay their plans to each other instead of
risking face to face in-person meetings.
Section 209 provides a very good example of how the USA
PATRIOT Act simply updated the law to reflect recent
technological developments. The drafters of the act determined
that obtaining voicemail stored on a third party's answering
system is more similar to obtaining voicemail stored on a home
answering machine, which requires a search warrant, more so
than it is to monitoring somebody's telephone calls, which
requires a title III order.
In passing this portion of the act, Congress made the
statutory framework technology-neutral. Privacy rights are
still well accounted for, since the section 209 allows
investigators to apply for and receive a court-ordered search
warrant to obtain voicemail pursuant to all of the pre-existing
standards for the availability of search warrants, including a
showing of probable cause.
With privacy rights left firmly intact, there is a distinct
advantage to the public's safety when law enforcement can
obtain evidence in a manner that is quicker than the title III
process.
I would like to move next to section 217, the Hacker
Trespasser Exception. Like section 209 before it, section 217
also makes the law technology-neutral.
Section 217 places cyber-trespassers--those who are
breaking into computers--on the same footing as physical
intruders. Section 217 allows the victims of computer-hacking
crimes voluntarily to request law enforcement assistance in
monitoring trespassers on their computers.
Just as burglary victims have long been able to invite
officers into their homes to catch the thieves, hacking victims
can now allow law enforcement officers into their computers to
catch cyber-intruders.
Think for a moment how odd it would be if a homeowner
yelled out to a police officer ``Hey, there's a burglar in my
house right now, help!'', only to have the police respond,
``Sorry, I have to apply for a court order first, try not to
scare him off.'' The homeowner would be dumbfounded; the
burglar would be long gone by time the police returned. This,
in essence, is what was occurring prior to the PATRIOT Act.
It can be said that section 217, in a very significant way,
enhances privacy. The essence of the section--to help catch
hackers--serves a vital function in the FBI's ability to
enforce data privacy laws. Hackers have no respect for your
privacy or mine.
There has been an outpouring of concern from the American
public to protect them from identity theft and to ensure that
their personal records are secure. Congress has responded with
a powerful array of laws that are designed to impose serious
consequences on computer hackers. However, if law enforcement
does not have the ability to quickly spot and then locate
hackers, then the victim toll will mount and only hackers
themselves, remaining anonymous, will be left with privacy.
The FBI understands the importance of preventing criminals
from stealing and selling our information, and we are resolved
to catch those who do. Section 217 is of enormous help in this
regard.
Lastly, I would like to turn to section 220. Section 220
enables Federal courts--with jurisdiction over investigation--
to issue a search warrant to compel the production of
information, such as unopened e-mail, that is stored with a
service provider located outside their district.
Now, for example, a judge with jurisdiction over a
kidnapping investigation in Pittsburgh can issue a search
warrant for e-mail messages that are stored on a server in
California. As a result, investigators in Pennsylvania can ask
the judge most familiar with the investigation to issue a
warrant rather than having to ask an Assistant United States
Attorney in California who's unfamiliar with the case, to ask a
district judge in California, who also is unfamiliar with the
case, to issue the warrant.
Lest you think this is merely a hypothetical example, it's
not. Using section 220, our FBI office in Pittsburgh was able
to obtain a warrant for information residing on a computer in
California that ultimately led to the rescue of a teenage girl
who was being sexually tortured in Virginia while being chained
to a wall in somebody's basement.
The man who held her hostage is now in prison, serving
close to 20 years. The girl's life was saved.
Other FBI Field Offices also have repeatedly stated that
section 220 has been very beneficial to quickly obtain
information required in their investigations.
Mr. Chairman and Members of the Committee, let me conclude
my prepared remarks by saying that the provisions of the USA
PATRIOT Act I have discussed today have proven significant to a
number of our successes and I have every reason to believe that
the need to retain these provisions in the future is also
significant.
By responsibly using the statutes provided by Congress, the
FBI has made substantial progress in its ability to enforce the
law and protect lives, while at the same time protecting civil
liberties. Thank you.
[The prepared statement of Mr. Martinez follows:]
Prepared Statement of Steven M. Martinez
Good morning Mr. Chairman, Ranking Member Scott, and members of the
subcommittee.
My name is Steven Martinez and I am the Deputy Assistant Director
of the FBI's Cyber Division. The primary mission of the Cyber Division
is to supervise the Bureau's investigation of federal violations in
which computer systems, including the Internet, are exploited by
terrorists, foreign government intelligence operatives, and criminals.
In short, our mission is to protect the American public against a host
of significant and potentially deadly high-tech crimes.
The uses of technology in our society are innumerable and their
value immeasurable. The state of technology has been advancing rapidly
over the past twenty years, much of it to the benefit of people living
in all corners of the world. Unfortunately, the picture is not always
so bright. Technology has also been used to harm people, while offering
a particularly effective escape route. In this digital age, crimes can
and do occur within seconds without the perpetrator ever getting
anywhere physically close to the victim. In such a setting, law
enforcement must be equipped with the investigative tools necessary to
meet, locate, and incapacitate this growing threat. Law enforcement
must be prepared to face sophisticated enemies and criminals who are
known to exploit technology because of its ability to keep them far
away from the scene of the crime, spread apart even from one another,
and who have the ability to delete any digital evidence of their
actions at the push of a button.
With this background in mind, I want to thank you for the
opportunity to appear before you today to discuss certain sections of
the USA PATRIOT Act which are scheduled to expire at the end of this
year, specifically sections 209, 217, and 220.
When Attorney General Gonzales testified before the House Judiciary
Committee on April 6, 2005, he shared his firm view that each of the
provisions of the USA PATRIOT Act that are scheduled to sunset at the
end of this year must be made permanent. Director Mueller provided the
FBI's perspective in a hearing before the Senate Judiciary Committee on
April 5, 2005, and he too spoke of the crucial need to renew these
provisions. Based on my knowledge of the interests, capabilities, and
motives of those who, day in and day out, are attempting to do us harm
by means of the Internet, I want to express my full agreement about the
importance of the PATRIOT Act and the provisions I plan to address
today. I believe that the Act's substantial merit can be demonstrated
by what we already have experienced as a nation; still, it is equally
true that the Act is essential so that we are prepared to confront the
ever-evolving threat that no doubt will come.
SECTION 20--SEIZURE OF VOICE MAIL WITH A SEARCH WARRANT
Going in numerical order, allow me to start with section 209.
Section 209 permits law enforcement officers to seize voice mail with a
search warrant rather than a surveillance, or Title III, order. Section
209 provides a very good example of how the USA PATRIOT Act simply
updated the law to reflect recent technological developments. The
drafters of the Act determined that obtaining voicemail stored on a
third party's answering system is more similar to obtaining voicemail
stored on a home answering machine (which requires a search warrant)
than it is to monitoring somebody's telephone calls (which requires a
TIII order). In passing this portion of the Act, Congress made the
statutory framework technology-neutral. Privacy rights are still well
accounted for, since section 209 allows investigators to apply for and
receive a court-ordered search warrant to obtain voicemail pursuant to
all of the pre-existing standards for the availability of search
warrants, including a showing of probable cause. With privacy rights
left firmly intact, there is a distinct advantage to the public's
safety when law enforcement can obtain evidence in a manner that is
quicker than the Title III process.
The importance of this provision is best understood in the context
of how often terrorists and other criminals rely on technology to relay
their plans to each other instead of risking face-to-face in-person
meetings. Attorney General Gonzales gave a good sense of the diversity
of those who would rely on the simple convenience of leaving voicemail
in furtherance of their illegal activities when he pointed out that
section 209 has already been relied upon to acquire messages left for
domestic terrorists, foreign terrorists, and international drug
smugglers.
Allowing section 209 to expire would once again lead to different
treatment for voicemail messages stored on a third party's system than
for the same message stored on a person's home answering machine. Doing
so would needlessly hamper law enforcement efforts to investigate
crimes.
SECTION 217--THE HACKER TRESPASSER EXCEPTION
I would like to move next to section 217, the hacker trespasser
exception. Like section 209 before it, section 217 also makes the law
technology-neutral. Section 217 places cyber-trespassers--those who are
breaking into computers--on the same footing as physical intruders.
Section 217 allows the victims of computer-hacking crimes voluntarily
to request law enforcement assistance in monitoring trespassers on
their computers. Just as burglary victims have long been able to invite
officers into their homes to catch the thieves, hacking victims can now
allow law enforcement officers into their computers to catch cyber-
intruders. Think for a moment how odd it would be if a homeowner yelled
out to a police officer ``Hey, there's a burglar in my house right now,
help!'', only to have the police respond, ``Sorry, I have to apply for
a court order first, try not to scare him off.'' The homeowner would be
dumbfounded, and the burglar would be long gone by time the police
returned. This, in essence, is what was occurring prior to the PATRIOT
Act.
It can be said that section 217, in a very significant way,
enhances privacy. First, it is carefully crafted to ensure that law
enforcement conducts monitoring against trespassers in a manner
entirely consistent with protecting the privacy rights of law abiding
citizens. Second, the essence of the section--to help catch hackers--
serves a vital function in the FBI's ability to enforce data privacy
laws.
With respect to the first point, the narrowly crafted scope of this
legislation, section 217 preserves the privacy of law-abiding computer
users by sharply limiting the circumstances under which the trespasser
exception may be used. At its most fundamental level, section 217
requires consent. Law enforcement assistance is by invitation only. The
computer crime victim is actually seeking the FBI's help. In addition,
a law enforcement officer may not conduct monitoring based solely on
the computer owner or operator's consent unless the law enforcement
officer is engaged in a lawful investigation; has reason to believe
that capturing the communications will be relevant to that
investigation; and can ensure that the consensual monitoring will
acquire only those communications that are transmitted to or from the
hacker. On top of these requirements, section 217 then goes one step
further. Based on the definition of a ``computer trespasser,'' section
217 does not allow law enforcement to come to the immediate aid of
victims who are being hacked by one or more of their own customers. In
those cases the owner or operator of the computer system cannot provide
sufficient consent to monitor the trespasser, even if the hacker/
customer broke into areas of the computer he has no authority to see
(including other customer account information).
Still, despite this last limitation, the hacker trespasser
exception has been an important tool for law enforcement to obtain
evidence based on the consent of the victim, much of which involves
protecting people's privacy.
A diverse array of real-world examples from our criminal
investigations demonstrate that this provision has been significant in
order for the FBI to protect the privacy rights of individuals and
businesses whose computers are being broken into for the purpose of
stealing the personal data stored on their computers. Hackers have no
respect for your privacy or mine. When hackers break into a computer
network and obtain root access they get to look at, download, and even
can make changes to, whatever information is on that network. Hackers
can and do routinely steal social security numbers, credit card
numbers, and drivers license numbers. Depending on the systems they
break into, they can look at health care information and can change it
at will. There has been an outpouring of concern from the American
public to protect them from identity theft and to ensure that their
personal records are secure. Congress has responded with a powerful
array of laws that are designed to impose serious consequences on
computer hackers. However, if law enforcement does not have the ability
to quickly spot and then locate hackers, then the victim toll will
mount and only the hackers themselves, remaining anonymous, will be
left with privacy. The FBI understands the importance of preventing
criminals from stealing and selling our information, and we are
resolved to catch those who do. Section 217 is of enormous help in this
regard.
For example, under this provision, the FBI was able to monitor the
communications of an international group of ``carders'' (individuals
that use and trade stolen credit card information). The group used chat
rooms and fraudulent websites to commit identity theft, but managed to
provide themselves with privacy by using false names to get e-mail
accounts. The most important tool in their bid to remain anonymous was
their use of a proxy server they broke into and then reconfigured. The
identity thieves used the proxy server to disguise where all of their
Internet communications were coming from. The owner of the proxy server
was himself a victim of the crime, his computer having essentially been
hijacked and transformed into the hub of a criminal operation. When he
determined that his computer had been hacked he provided the FBI with
consent to monitor the intruder and hopefully to catch him. The
computer owner's ability to bring in the FBI paid off, not just for him
but for the countless other victims of the identity thief. By taking
advantage of hacker trespasser monitoring, the FBI gathered leads that
resulted in the discovery of the true identity of the subject. The
subject was later indicted and is now awaiting trial.
Since its enactment, section 217 has played a key role in a variety
of hacking cases, including investigations into hackers' attempts to
compromise military computer systems. Allowing section 217 to expire at
the end of this year would help computer hackers avoid justice and
prevent law enforcement from responding quickly to victims who are
themselves asking for help.
SECTION 220--SEARCH WARRANTS FOR ELECTRONIC EVIDENCE
LOCATED IN ANOTHER DISTRICT
Lastly, I would like to turn to section 220 of the USA PATRIOT Act.
Section 220 enables federal courts--with jurisdiction over an
investigation--to issue a search warrant to compel the production of
information (such as unopened e-mail) that is stored with a service
provider located outside their district. The practical effect of this
section is that our FBI Agents are no longer limited to applying for a
search warrant solely from the court that sits where the service
provider happens to be located.
Before discussing this section in depth, I think it is helpful to
point out that the borderless nature of Internet crime means that more
often than not ***the victim**** of a crime, the person who committed
the crime, and ***the evidence**** of that crime are all located in
different parts of the country (or indeed the world). Applying this
fact in the context of a search warrant will demonstrate the utility
and the necessity of section 220.
Prior to the PATRIOT Act, if an investigator wanted to obtain the
contents of unopened e-mail from a service provider located in the
United States, he or she needed to obtain a warrant from a court
physically located in the same federal district as the service provider
was located. To accomplish this, the FBI Agent working on the case
(this Agent typically would be located where the victim is located)
needed to brief another FBI Agent and prosecutor who were located in
the ISP's jurisdiction (where the evidence happened to be
electronically stored). The second FBI Agent and prosecutor then would
appear before their local court to obtain the search warrant. This was
a time and labor consuming process. Furthermore, because several of the
largest email providers are located in a few districts, such as the
Northern District of California and the Eastern District of Virginia,
these FBI Agents, Prosecutors, and Judges were faced with a substantial
workload dealing with cases in which neither the victim nor the
criminal resided, and they had to be brought up to speed about the
details of an investigation which, both beforehand and afterwards, they
had no need to know.
Section 220 fixed this problem. It makes clear, for example, that a
judge with jurisdiction over a kidnaping investigation in Pittsburgh
can issue a search warrant for e-mail messages that are stored on a
server in California. As a result, the investigators in Pennsylvania
can ask the judge most familiar with the investigation to issue the
warrant rather than having to ask an Assistant United States Attorney
in California, who is unfamiliar with the case, to ask a district judge
in California, who also is unfamiliar with the case, to issue the
warrant. Lest you think this is merely a hypothetical example, it's
not. Using section 220, our FBI office in Pittsburgh was able to obtain
a warrant for information residing on a computer in California that
ultimately led to the rescue of a teenage girl who was being sexually
tortured in Virginia while being chained to a wall in somebody's
basement. The man who held her hostage is now in prison, serving close
to 20 years. The girl's life was saved.
Other FBI Field Offices also have repeatedly stated that section
220 has been very beneficial to quickly obtain information required in
their investigations. The value of this provision in terrorism cases
already has been demonstrated time and again. In his April 6 testimony,
Attorney General Gonzales pointed to its important application during
investigations into the Portland Terror Cell, the ``Virginia Jihad'',
and the Richard Reid ``shoebomber'' case.
It is imperative that section 220 be renewed. The provision
expedites the investigative process and, in doing so, makes it more
likely that evidence will still be available to law enforcement after
it executes a court-authorized search warrant and obtains further
leads; the provision frees up FBI, U.S. Attorney, and judicial
personnel to more efficiently pursue other time-sensitive investigative
matters; and, section 220 in no way lowers the protections that apply
to the government's application for a search warrant.
CONCLUSION
Mr. Chairman and Members of the Committee, the provisions of the
USA Patriot Act I have discussed today have proven significant to a
number of our successes and I have every reason to believe that the
need to retain these provisions in the future is also significant. By
responsibly using the statutes provided by Congress, the FBI has made
substantial progress in its ability to enforce the law and protect
lives, while at the same time protecting civil liberties. In renewing
those provisions scheduled to ``sunset'' at then end of this year,
Congress will ensure that the FBI will continue to have the tools it
needs to combat the very real threats to America and our fellow
citizens. Thank you for your time today.
Mr. Coble. Thank you, Mr. Martinez. Mr. Dempsey?
TESTIMONY OF JIM DEMPSEY, EXECUTIVE DIRECTOR, CENTER FOR
DEMOCRACY AND TECHNOLOGY
Mr. Dempsey. Mr. Chairman, Representative Scott, Members of
the Subcommittee, good morning.
Mr. Coble. Hold. If you will just suspend just a minute,
Mr. Dempsey, I wanted to recognize the presence of the
Gentlemen from Florida, Ohio, and Arizona to my right and the
Gentleman from Massachusetts to our left.
Go ahead, Mr. Dempsey, and you won't be penalized for that
time.
Mr. Dempsey. Thank you, Mr. Chairman. We commend you, Mr.
Chairman, and Members of the Subcommittee and the full
Committee leadership for undertaking this series of hearings on
the PATRIOT Act. From this kind of detailed, objective inquiry,
we can attain the balance that was left aside in the haste and
emotion in the weeks after 9/11.
My main point today is that while, of course, the law needs
to keep pace with changing technology to ensure that the
Government can get the information that it needs to prevent
crime and terrorism, at the same time the law also needs to
keep pace with changing technology to protect privacy,
especially as technology changes in ways that make ever larger
volumes of information available to the Government,
particularly to acquire from third parties.
The PATRIOT Act addressed only one side of this equation.
Now is the time for Congress to address the privacy issues and
finish the job.
Perhaps the biggest change that is happening in technology
that increases governmental access to information and that
affects privacy is the storage of more and more information on
computer networks, and under the control of third parties. The
kind of information that you would normally keep in your file
drawer, even on your laptop in your own possession, that
information is increasingly moving out onto networks, onto web-
based storage. And the law just draws a distinction, and I
think a now outdated distinction, between interception of
communications in transit and access to those communications in
storage. And it draws a further distinction between whether the
e-mail is opened or unopened. If it's opened, it gets less
protection than if it's unopened. If it's older, it gets less
protection than if it's new.
Our recommendation is that Congress should take the Justice
Department's description of 209, for example, the so-called
voicemail provision, take their explanation and their
description of that at face value and make seizure of all
stored communications subject to a warrant.
The problem is that the way the law now works, if a stored
voicemail is opened on your home answering machine--you listen
to it, but you save it--it's protected fully by the fourth
amendment, subject to a warrant. If it's opened on a third
party server, it no longer is protected by the warrant
requirement, which is why we say that section 209 is a little
misleadingly named.
If that voicemail is older than 180 days or that e-mail is
older than 180 days, it's not protected by the warrant
requirement on the ISP computer, even though it is fully
protected still if you've printed it out and put it in your
file drawer, fully protected by the warrant requirement.
So Congress should eliminate this distinction, and, in
fact, this Committee, the full Committee, did vote in 2000 to
eliminate that distinction and to make all stored
communications--whether opened or unopened, stored--I mean a
long period of time or short period of time--subject to the
same warrant requirement that the Justice Department refers to.
Turning just briefly to the interception of--and also to
apply to those provisions some of the other protections in the
law. Again, ensuring that the Government has the access, but,
for example, we have absolutely no reporting on how often the
Government accesses stored e-mail. We have very good and
detailed statistical reports on live interceptions of e-mail
and of phone calls through the annual wiretap report. But we
really don't have a sense of access to stored communications.
And as Professor Swire will describe now, with Voice Over IP,
we're actually going to be seeing entire voice conversations
stored for perhaps lengthy periods of time as the storage
capacity is made available.
Section 217. This isn't quite like the homeowner. When the
homeowner--the homeowner can invite the police into this
property in order to find an intruder. But the homeowner cannot
authorize the police to look in the pockets of the intruder.
They cannot authorize the police to open up the briefcase of
the intruder and read what's inside the briefcase. It requires
another exception to the warrant requirement: search incident
to an arrest, which we don't have here; protection of the
officer, which we don't have here. So this isn't just like that
homeowner search.
Nationwide service of warrants I think could be very nicely
addressed by allowing those warrants to be challenged both in
the jurisdiction in which they are issued and in the
jurisdiction in which they are served. I think that's an
equitable and minor change that would rebalance that.
Mr. Chairman, Members of the Committee, we look forward to
working with you on these issues as we move forward between now
and the end of the year. Thank you.
[The prepared statement of Mr. Dempsey follows:]
Prepared Statement of James X. Dempsey
Chairman Coble, Rep. Scott, Members of the Committee, thank you for
the opportunity to testify at this important hearing. We want to
commend the Subcommittee and the full Committee leadership for
undertaking this series of hearings on the PATRIOT Act. From this kind
of detailed, objective inquiry, we can attain the balance that was left
aside in the haste and emotion of the weeks after 9/11.
Our main point today is that while, of course, the law needs to
keep pace with changing technology to ensure that government agencies
have access to information to prevent crime and terrorism, the law also
needs to keep pace with changing technology to protect privacy, as
technology makes ever larger volumes of information available for the
government to acquire from third parties, without going to the subject
of interest, as it used to have to do under the Fourth Amendment. The
PATRIOT Act addressed only one side of this equation, making government
access easier without counterbalancing privacy improvements. Now is the
time for Congress to finish the job and address the privacy side of the
equation.
In CDT's view, there are few if any provisions in the PATRIOT Act
that are per se unreasonable. We see not a single power in the Act that
should sunset. The question before us--and it is one of the most
important questions in a democratic society--is what checks and
balances should apply to those powers. With respect to the particular
PATRIOT powers at issue in today's hearing, those time-honored checks
and balances should include:
<bullet> Judicial review of intrusive techniques, preferably
judicial approval before a search.
<bullet> Second, as a general rule, individuals should have
notice when their communications are acquired by the
government.
<bullet> Finally, government surveillance needs to be subject
to Congressional oversight and some public accountability,
including through more detailed unclassified reporting.
In one way or another, PATRIOT Act provisions fail to include these
checks and balances.
prevention of terrorism does not require suspension of
standards and oversight
At the outset, let me stress some basic points on which I hope
there is widespread agreement:
<bullet> Terrorism poses a grave and imminent threat to our
nation. There are people--almost certainly some in the United
States--today planning additional terrorist attacks, perhaps
involving biological, chemical or nuclear materials.
<bullet> The government must have strong investigative
authorities to collect information to prevent terrorism. These
authorities must include the ability to conduct electronic
surveillance, carry out physical searches effectively, and
obtain transactional records or business records pertaining to
suspected terrorists.
<bullet> These authorities, however, must be guided by the
Fourth Amendment, and subject to Executive and judicial
controls as well as legislative oversight and a measure of
public transparency.
THE LAW NEEDS TO KEEP PACE WITH TECHNOLOGY--BOTH TO PROVIDE APPROPRIATE
TOOLS TO LAW ENFORCEMENT AND TO PROTECT PRIVACY
We have been told that this hearing will focus on three sections:
209 (misleadingly entitled ``seizure of voice-mail pursuant to a
warrant''); 217 (interception of computer trespasser communications);
and 220 (nationwide service of search warrants for electronic
evidence). Sections 209, 217 and 220 are not among the most
controversial provisions of the PATRIOT Act. The fact that they are
subject to the sunset at all, while, for example, the ``sneak and
peek'' authority in Section 213 and the national security letter
expansions in Section 505 are not subject to the sunset, illustrates
how the debate over the sunsets is somewhat misplaced.
As with most other sunsetted provisions, there is little call for
denying government the access to information provided under Sections
209, 217 and 220. Rather, the questions posed by these sections are
matters of checks and balances, related to the continuing but uneven
effort to rationalize the standards for government access to electronic
communications and stored records in the light of ongoing changes in
technology. It is worth noting that Sections 209, 217 and 220 have no
direct connection with terrorism. They apply to all criminal cases.
These sections highlight an overarching concern about the way in
which amendments to the surveillance laws in recent years, and
especially in the PATRIOT Act, have served as a ``one-way ratchet''
expanding government power without corresponding improvements in the
checks and balances applicable to those powers. This has been a
departure from Congress' traditional approach to electronic
surveillance issues. In the first major wiretap statute, Title III of
the 1968 Omnibus Crime Control Act; in the Electronic Communications
Privacy Act of 1986; and even in the controversial Communications
Assistance for Law Enforcement Act of 1994, Congress and the Justice
Department agreed on the twin goals of ensuring law enforcement
authority to intercept communications while also strengthening privacy
protection standards, especially in light of changing technology.
This spirit of balance has unfortunately been lost. In recent
years, time and again, the Department of Justice has proposed changes
in the surveillance laws that reduce judicial oversight or increase
Executive Branch discretion, and Congress has too often enacted them,
without ever considering how these changes add up or whether other
changes may be needed to increase privacy protections in response to
advancements in technology that have made the government's surveillance
more intrusive. Sometimes, as with the PATRIOT Act, this one-way
expansion of government power occurs in a time of intense crisis.
Sometimes, these changes occur stealthily, like the ``John Doe roving
tap'' change that was added to FISA in December 2001 by the conference
committee on the intelligence authorization act without having passed
either the House or the Senate. Other one-sided and little debated
expansions in the government's discretion include the expansion of
ECPA's emergency disclosure authorities in the legislation creating the
Department of Homeland Security, Pub. L. 107-296, Sec. 225(d). (That at
least included a reporting requirement, which should be made annual.) A
further exception to ECPA was made by Section 508(b) of the
Prosecutorial Remedies and Other Tools to end the Exploitation of
Children Today (PROTECT) Act of 2003, Pub. L. 108-21, which allowed
disclosure without a warrant or subpoena of the contents of
communications and subscriber identifying information to the National
Center for Missing and Exploited Children, which in turn can disclose
the information to law enforcement agencies. Changes to Title III's
roving tap authority were adopted in the Intelligence Authorization Act
for Fiscal Year 1999, Pub. L. 105-272, Title VI, Sec 604, Oct 20, 1998,
112 Stat 2413 (permitting roving taps to be implemented if ``it is
reasonable to presume that the person identified in the application is
or was reasonably proximate to the instrument through which such
communications will be or was transmitted''). And Section 731 of the
1996 anti-terrorism act excluded interception of wireless data
transfers and of information about electronic funds transfers from the
coverage of Title III.
Each of these changes is small in isolation, and each had a
rationale. None, however, was considered in the context of other, long-
recognized changes that need to be made to strengthen the privacy
protections of the electronic surveillance laws, including:
<bullet> extending Title III's statutory suppression rule to
electronic communications, a change even the Justice Department
once supported;
<bullet> increasing the standard for pen registers and trap
and trace devices, to give judges meaningful oversight, a
change the full Judiciary Committee supported in 2000;
<bullet> eliminating the distinctions between opened and
unopened email and between relatively fresh and older email, by
bringing all stored email under a warrant standard, another
change the Committee supported in 2000;
<bullet> establishing a probable cause standard for access to
location information, a change this Committee also supported in
2000;
<bullet> requiring reporting on access to email, also
supported by the Committee in 2000.
With this context in mind, it is easier to see why even some of the
minor changes in the PATRIOT Act draw concern, for they are part of a
steady stream of uni-directional amendments that are slowly eroding the
protections and limits of the electronic privacy laws.
SECTION 209--SEIZURE OF VOICE-MAIL MESSAGES PURSUANT TO WARRANT
Section 209 is described as permitting the seizure of voicemail
messages pursuant to a search warrant. Previously, while voicemail
messages stored on an answering machine in one's home could be seized
by a search warrant, access to voicemail messages stored with a service
provider had required a Title III order, which offers higher
protections. The theory behind section 209 is that stored voice
messages should be treated the same as stored data.
On one level, Section 209 makes the rules technology neutral, which
is usually desirable. If Section 209 is taken at face value, and if the
only difference it effects is between a Title III order and a search
warrant, both issued on probable cause, Section 209 does not represent
a big change. For this reason, CDT has described Section 209 as one of
the non-controversial provisions of the PATRIOT Act.
However, as Prof. Swire points out, Section 209 is misleadingly
titled: Because the law that was amended by 209 draws some bizarre
distinctions between read and unread email and between newer and older
email, Section 209 means that a lot of stored voice communications will
be available not with a warrant but under a mere subpoena.
Moreover, the Justice Department's explanation of Section 209
overlooks the importance of notice under the Fourth Amendment and under
Title III, and the absence of notice under the rules applied to stored
material held by a service provider. When voicemail stored on your home
answering machine is seized, you are normally provided notice at the
time of the search. You can examine the warrant and immediately assert
your rights. When email or voicemail is seized from a service provider
pursuant to a warrant, you as the subscriber may never be provided
notice unless and until the government introduces the information
against you at trial. If you were mistakenly targeted or the government
chooses not to use the evidence, you need never be told of the search
of your stored communications, so you have little meaningful
opportunity to seek redress.
In the case of stored messages (whether email or voicemail), it is
not even necessary from an investigative standpoint to deny
contemporaneous notice in the way it is with live interception. Denial
of notice is justified in the case of real-time interceptions because
the effectiveness of the technique would be destroyed if the target
were given contemporaneous notice. In the case of stored email or
stored voice messages, the evidence is already created and, especially
if notice is given immediately after seizure, the subject cannot
destroy it. Denial of notice in the case of third party searches for
stored email or voicemail is not justified.
Recommendation: Congress should take the Justice Department's
description of Section 209 at face value, and make all seizure of
stored communications, whether voice or email, subject to a warrant. It
could do so by eliminating the difference between opened and unopened
stored records and between records 180 days old or less and records
more than 180 days old. It should take the Justice Department's
arguments at face value and adopt truly technology neutral rules for
voice and data, whether in transit or in storage, applying the
protections afforded under Title III:
<bullet> minimization of non-relevant material,
<bullet> notice to persons whose communications have been
intercepted,
<bullet> a statutory suppression rule, and
<bullet> detailed statistical reports to Congress and the
public.
All of these protections apply to e-mail and voice when intercepted
in transit. None of them apply to e-mail and voice seized from storage.
The Storage Revolution Is Rendering the Law Obsolete
A storage revolution is sweeping the field of information and
communications technology. Service providers are offering very large
quantities of online storage, for email and potentially for voicemail.
Increasingly, technology users are storing information not in their
homes or even on portable devices but on networks, under the control of
service providers who can be served with compulsory process and never
have to tell the subscribers that their privacy has been invaded. New
Voice over Internet Protocol (VoIP) services may include the capability
to store past voice conversations in a way never available before,
further obliterating the distinction between real-time interception and
access to stored communications.
Section 209 takes a seemingly small category of information out of
the full protection of the Fourth Amendment and moves it under the
lowered protections accorded to remotely stored communications and
data. But stored voicemail is the tip of an iceberg. Increasingly,
individuals are using stored email to store documents, including draft
documents on computers operated by service providers and accessed
through a Web interface.
Rather than allowing growing amounts of personal information to
fall outside the traditional protections of the Fourth Amendment, it is
time to revisit the rules for networked storage (whether of voice or
data) and bring them more in line with traditional Fourth Amendment
principles, by requiring contemporaneous notice as the norm and
covering both newer records and older records (again, whether voice or
data) under the same probable cause standard. That would be truly
technology neutral and would have the advantage of not allowing
technology advances to erode privacy protections.
Section 217--Interception of computer trespasser communications
Section 217 permits law enforcement agencies to carry out
electronic surveillance of without a court order when the service
provider permits the surveillance on the ground that a ``trespasser''
is using its system. Section 217 represents another in a steadily
growing series of exceptions to the protections of the electronic
communications privacy laws. (The emergency disclosure provision of
Section 212 is another example.)
Section 217 and similar provisions essentially allow ``off the
books surveillance''--they define certain interceptions not to be
interceptions, and certain disclosures not to be disclosures. Once an
access to communications or data is excluded from the coverage of the
surveillance laws, not only is it not subject to prior judicial
approval, but also there are no other protections normally associated
with electronic surveillance:
<bullet> There is never a report to a judge. (In contrast,
under both Title III and FISA, when electronic surveillance is
carried out on an emergency basis, an application must be filed
after the fact.)
<bullet> There is no time limit placed on the disclosures or
interceptions. (A Title III wiretap cannot continue for more
than 30 days without new approval.)
<bullet> There is never notice to the person whose
communications are intercepted or disclosed.
<bullet> There is no statutory suppression rule if the
communications were improperly seized, and there would be no
suppression remedy at all if the information is deemed to be
outside the protection of the Fourth Amendment.
<bullet> The interceptions and disclosures are not reported to
Congress or the public.
The Department of Justice, in its defense of Section 217, claims
that the privacy of law-abiding computer users is protected because
only the communications of the computer trespasser can be intercepted.
But what if the system operator is wrong? What if there is a legitimate
emergency, but law enforcement targets the wrong person? Under Section
217, a guilty person gets more notice than an innocent person--the
guilty person is told of the surveillance or disclosure but the
innocent person need never be notified.
Contrary to the Department's arguments, Section 217 is not
analogous to the case of the home trespasser. While the homeowner can
invite in the police onto his property, the homeowner cannot authorize
the police to go through the trespasser's pockets or read the papers in
his briefcase. To do so requires a separate Fourth Amendment basis,
which would require a warrant unless one of the exceptions applied, and
in the online context, there may be no other exception available.
Recommendation: While an emergency exception to the court order
requirement may be appropriate for trespasser situations, interceptions
under the trespasser rule should be treated as interceptions under
Title III:
<bullet> As with other emergency interceptions, when
electronic surveillance is carried out on an emergency basis,
an application for judicial approval must be filed after the
surveillance commences
<bullet> The length of interceptions should be limited to the
time necessary to identify the trespasser or for 30 days,
whichever is less
<bullet> Interceptions under the trespasser rules should be
treated as interceptions for purposes of giving delayed notice
to the person whose communications are intercepted.
<bullet> Interceptions under the trespasser rules should be
treated as interceptions for purposes of the statutory
suppression rule.
<bullet> Interceptions under the trespasser rule should be
counted as interceptions for Title III purposes and included in
the annual Wiretap Report.
Section 220--Nationwide service of search warrants for electronic
evidence
Section 220 amended 18 U.S.C. 2703 to allow judges to issue search
warrants for electronic evidence that can be executed outside of the
district in which the issuing court is located. In a world where the
center of an investigation may be in one state, but the target's ISP
has its servers in another state, this makes obvious sense. Moreover,
unlike Section 216, which authorizes a kind of roving pen register (one
order can be served on multiple service providers in different
districts until the government gets the full picture it wants), it
seems that search warrants under Section 220 have to name the service
provider upon whom they will be served. If it turns out that that
provider does not have the records being sought, the government will
have to obtain a new search warrant (as it would any time a search
warrant does not turn up the expected evidence.)
However, as the Electronic Privacy Information Center has noted,
Section 220 removes ``an important legal safeguard by making it more
difficult for a distant service provider to appear before the issuing
court and object to legal or procedural defects. Indeed, it has become
increasingly common for service providers to seek clarification from
issuing courts when, in the face of rapidly evolving technological
changes, many issues involving the privacy rights of their subscribers
require careful judicial consideration. The burden would be
particularly acute for smaller providers.''
Recommendation: One solution to this problem is to allow a warrant
to be challenged not only in the district in which it was issued but
also in the district in which it is served. While the issuing judge may
have a better sense of the factual basis for the order, a judge in the
district in which the order is served may be in a better position to
interpret or redefine the scope of the order in light of issues
concerning the system of the service provider on whom the order is
served.
Even aside from Section 220, whether search warrants for electronic
evidence are issued for evidence inside or outside their jurisdictions,
judges should question applicants to be sure that the warrant is
narrowly drawn. Judges should use extra care in understanding what
information is being sought, whether it will be copied or originals
will be seized (interfering with ongoing business), and whether it is
possible to disclose just certain fields or just records from a certain
pertinent timeframe. These are analogous to questions that judges have
the authority to consider in the case of physical searches, but judges
need to understand computer systems in order to fully enforce the
specificity requirement of the Fourth Amendment in the digital context.
Judges should look more carefully at the return of service. While
notice under 18 U.S. C. 2705(b) can be prohibited, judges should be
hesitant to deny notice to the person to whom the records pertain,
since the subscriber is really in the best position to raise legitimate
concerns. This is just another way in which judges faced with the
authorities of the PATRIOT Act can assert closer scrutiny and place
conditions on the exercise of PATRIOT authorities without denying the
government access to the information needed.
CONCLUSION
CDT supports the Security and Freedom Enhancement (SAFE) Act, a
narrowly tailored bipartisan bill that would revise several provisions
of the PATRIOT Act. It would retain all of the expanded authorities
created by the Act but place important limits on them. It would protect
the constitutional rights of American citizens while preserving the
powers law enforcement needs to fight terrorism.
We look forward to working with this Subcommittee and the full
Committee as you move forward in seeking to establish some of the
checks and balances that were left behind in the haste and anxiety of
October 2001.
Mr. Coble. Thank you, Mr. Dempsey. Professor Swire.
TESTIMONY OF PETER SWIRE, PROFESSOR OF LAW,
OHIO STATE UNIVERSITY
Mr. Swire. Thank you, Mr. Chairman, and Mr. Ranking Member,
and Members of the Committee. I appreciate very much the
opportunity to testify before you today.
Most of my remarks today will be on section 209 of the
PATRIOT Act, the section that expanded the Government's access
to voicemail and many other telephone conversations without the
need for a wiretap order.
Before turning to that, I will briefly comment on the other
two sections that are the subject of today's hearing.
Both section 220, on nationwide service of warrants, and
section 217, the computer trespasser exception, were considered
in detail when I chaired a White House Working Group in 2000 on
how to update surveillance law for the Internet Age. As my
written testimony explains in greater detail, I generally
support extension of section 220 although with some refinements
that Jim Dempsey has in his written testimony.
For section 217, however, modifications should be made.
Section 217 solves some important real-world problems. It lets
a computer system owner ask the police for help when their
system is under attack. With the owner's permission, law
enforcement can surf over the shoulder of the system operator
in order to spot the hacker and track him back through the
Internet. That's the good news.
The bad news, though, is that there are no checks against
abuse in the section. Section 217 says the police are only
supposed to look at the communications of the hacker. But if
the police look at other e-mail and web traffic they can still
use all that information. They can use it in future
investigations. They can use it in court. The incentives for
law enforcement are to get permission to enter the system under
217, and then see how much they can get to see while they're
there.
As my written testimony explains, there is a simple
solution to this. It's the same solution that this Committee,
the Judiciary Committee in full, passed in 2000, with only one
dissenting vote. The simple solution is that the same
suppression rule that applies to phone wiretaps should also
apply to e-mails. If law enforcement breaks the legal rules, if
they go too far and break the law, they should not get to use
the fruits of the illegal search.
The rest of my time I'm going to spend on section 209. It
turns out that section 209 has much broader ramifications than
most people realize--than I realized before I was asked to
testify this week.
Section 209 allows the Government to get access to
voicemails and many telephone conversations with much less than
a wiretap order. The actual textual change in 209 is simple.
The old law said that stored electronic records were under
looser rules of the Stored Communications Act. All the PATRIOT
Act did was say stored wire or electronic records; wire means
any voice, telephone calls, voicemail sorts of records.
In many instances under section 209 now, law enforcement
can get your stored, but also stored voice now with a grand
jury subpoena, where there's no judge involved at all or else
with a judicial order that requires much less than probable
cause.
Section 209 was given to the Congress and to the public as
if it were only about voicemail. It does apply to voice mail,
which are stored telephone communications, but that's not all.
The key new thing I think we're learning is that section 209
applies to any and all telephone conversations that are stored.
The term ``voice mail'' does not exist in the statutory text,
except in the title.
Should any of us care about stored telephone conversations?
The answer is yes. The simple technological fact is that stored
telephone conversations are becoming much more common due to
changing phone technology. Every major telecomm company is part
of this shift. SBC, Comcast, Verizon, Qwest--all of them are
implementing right now major moves into this new phone
technology. The new technology has a clumsy name, VOIP, which
means Voice over Internet Protocol. What it means is that
telephone conversations are shifting to this Internet protocol.
What that means, in turn, is that telephone conversations are
being stored at home and in the network for millions of
Americans.
The numbers for this change are big and they are real. This
is not Internet hype. The phone software called Skype has now
recorded over 100 million downloads. Over 20 percent of all new
business phones already use this technology, with estimates of
over half of new business phones within 3 years. Growth rates
in the residential sector are over 30 percent a year.
Because VOIP uses the Internet to transmit voice, all the
tools that make the internet work come into play. The Internet
tool that section 209 takes advantage of is called caching.
Just as your web browser stores graphics and images in its
caches, ordinary users can and will have their phone
conversations stored or cached at the Internet network level.
People won't even realize their phone conversations are being
stored, putting their phone calls at risk of being seized with
much less than a wiretap order.
What should be done with section 209? The first thing is
that you shouldn't simply take my word for these changes. You
should ask the Department of Justice. They're here today and my
written testimony suggests questions you can pose to the
Department. And this way, all of us will know what the new law
really means.
My written testimony suggests possible changes to be done
to address this concern, and in conclusion I thank the
Committee for the opportunity to share these thoughts.
My written testimony contains citations to my law review
and other writings on the PATRIOT Act, and if I can be of
assistance in the future, please do not hesitate to ask.
[The prepared statement of Mr. Swire follows:]
Prepared Statement of Peter P. Swire
<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>
Mr. Coble. Thank you, professor, and we've been joined by
the Gentlelady from California, Ms. Waters.
We will probably, folks, have a second round today. This is
a very important subject matter, so we'll probably do a second
round.
Ms. Parsky, your written testimony provides a good
description of the distinction between communications subject
to a wire tap communication--subject to stored communications.
You state that the Wire Tap Act--and I assume that you
refer to wiretaps generally--was designed to address a very
particular type of situation: the ongoing interception of real-
time conversations. You then distinguish ongoing interception
of real-time with the one time access to stored communications,
such as voicemail.
Now, if I understand Professor Swire's claims, he argued
that the possibility--that with the possibility of future
technology, store telephone calls over the computer--the
distinction between wiretaps and stored communications will be
lost.
Cannot a person already record their phone calls through
high-tech message machines?
Ms. Parsky. Mr. Chairman, you raise a very important issue,
which I think actually there are two issues raised by Professor
Swire that I'd like to clarify.
One is that to the extent that individual parties choose to
store or to record conversations that they may have, whether it
be over VOIP, which uses an Internet protocol, or over a normal
telephone, over a wire system, once those communications are
stored by the individual in either world they are subject to a
search warrant. There's nothing that's special or different
about VOIP in that context.
You could just as easily have a conversation with--between
two parties and one of the parties has a--makes a consensual
recording of that conversation and stores it on a cassette in
their home.
The other important thing to point out is that VOIP does
not change the obligations that are on service providers,
whether they be a cable company or a telephone company; that to
the extent that there's any interception and seizure of
communications beyond that which is necessary to the provision
of the services, they're violating the Wiretap Act, and there
are consequences for that.
So I think that there is much ado about the new
technologies that are coming up in our future. But, in fact,
there's really nothing different except for the protocol. The
same laws, the same restrictions would apply.
Mr. Coble. Thank you. Professor Swire, is--you indicate
that 209 applies to all stored telephone communications and not
just the voicemail. Is not the real distinction that law
enforcement receives the stored communication through a one-
time access request rather than ongoing interception?
Mr. Swire. That's the distinction the Justice Department is
supporting. That means that if your phone conversations are
stored at the network level by your ISP in the future, they'll
be accessible under that Stored Communications Act. Up until
now, those phone conversations that went through the telephone
network, you needed a wiretap order to hear what Jim Dempsey
and I were saying.
Tomorrow, if it's stored at the network level, the Justice
Department can get it, in some cases with a grand jury subpoena
or other lower than search warrant requirements.
Mr. Dempsey. Mr. Chairman, could I speak to this question?
Mr. Coble. Sure.
Mr. Dempsey. Cause this is a very good line of questioning.
One distinction is between the sort of real-time
interception and the stored.
Another distinction looks to where is it stored. If you
store a voicemail, an e-mail, a document in your office or in
your home, no matter how old it is, no matter what you've done
with it, if you've read it or not read it, it's protected fully
by the fourth amendment and requires a warrant. If you store it
outside of your home--if it's stored in the basement of the
Capitol Building or stored on a server of the telephone
company, which increasingly it is--it's not protected by the
fourth amendment. It doesn't require a warrant, particularly
after you've read that e-mail or listened to that telephone
call, and to get one--it's not so much--there is a distinction
between ongoing and one-time. But to get one piece of paper
from your office, a warrant is required. To get one recorded
phone call from your office, a warrant is required. You have to
get it from----
Mr. Coble. My time is about to expire. I don't want to
overlook Mr. Martinez, since the other three--are you going to
weigh in, Mr. Martinez?
Mr. Martinez. Well, again, I think one of the things that
we need to recall is that we are talking often of situations
where consent is acquired, in fact, is initiated by a victim.
And so this is a different situation than where we would
initiate an investigation, you know, go through the effort to
obtain a wiretap warrant.
So I think we do need to recognize that there are real
victims in these types of situations and that consent is often
the entry point that we have as the law enforcement agency.
Mr. Coble. My time has expired. The Gentleman from
Virginia.
Mr. Scott. Thank you, Mr. Chairman. Let's put a little
bit--put this in perspective. Either search warrant versus a
wiretap warrant, what is the exact difference between the two.
I mean the wire tap you have to have--go to the judge, get a
probable cause, listen in. It's limited. Search warrant can be
done administratively without a judge looking over from time to
time?
Mr. Dempsey. Well, Congressman, in both cases, it requires
a finding of probable cause by a judge. In the case of a
wiretap, at least for voice communications, it requires in the
Federal case, it only applies to a certain number of serious
crimes--a list of about a hundred of the most serious crimes.
It requires senior Justice Department approval. There are
periodic reports to the judge. There's a statutory suppression
rule in addition to whatever fourth amendment suppression rule
there is. And there are these fairly detailed and useful
reports to Congress about the use of the technique.
Mr. Scott. Mr. Martinez, are there any things such as an
administrative search warrant?
Mr. Martinez. An administrative search warrant? There are
administrative subpoenas, but again a search warrant connotes
that a law enforcement officer has had to make findings of
facts, provided that in an affidavit, and it is reviewed and
becomes an order of the court to take action.
Mr. Scott. That's the search warrant. Now, if you're going
to this ISP off site, do you need a search warrant--you don't
need a search warrant?
Mr. Dempsey. If the communication is an unopened e-mail 180
days old or less, you need a search warrant. If it's an opened
e-mail, you use a subpoena. If it's more than 180 days old, you
use a subpoena.
Mr. Swire. Can I make a real quick point on that. I don't
think we know what an unopened phone call looks like. That's
never been defined. But if I've talked with you on the phone,
the Justice Department may think that's already been opened,
and they might get it under the lower standard. That's
obviously something to clarify.
Mr. Scott. Well, let's--Mr. Dempsey, you kind of talked
about letting the police into my house and letting them look
around is different from letting them look into the crooks'
pockets. Let me know if I got this wrong. I looked at it a
little different. I looked at it not as me letting the police
into the house. I live in an apartment building. How about the
apartment superintendent letting them into my apartment. Isn't
that more akin to what's going on when AOL let's you into my e-
mails going back and forth?
Mr. Dempsey. I think that's a very interesting way of
looking at it. It may be another appropriate way. It is true--
and I think appropriate--that system administrators have the
right to monitor their own systems. I think maybe the
supervisor of the apartment, if he believes you're away, and an
intruder breaks into your apartment, the supervisor of the
building can call the police and say someone is in so and so's
apartment.
Mr. Scott. In that case, you've got kind of an assumed
permission that if there's a leak, the water is flowing out of
my front door and I'm not there, the superintendent can go in.
Over my objection without me knowing, can the building
superintendent let the police into my apartment to wander
around?
Mr. Dempsey. I think there are some circumstances probably
in which they can.
Mr. Scott. But that's not the normal situation.
Mr. Dempsey. Now, it would be--let me say one of the ways
in which people have talked about section 217, this trespasser
provision, is as an emergency provision, particularly in the
case of computer crime, in which time is of the essence; the
hacker may be in and out; you need to get the information
quickly.
But if that's the justification--if we're looking at a sort
of an emergency exception--a funny smell is coming from your
apartment or there's terrible noises coming from your
apartment, screaming--in those kinds of situations, there might
be grounds to enter without a warrant. But as in emergency
wiretaps generally, there should be then go to the judge, take
care of the emergency, then go to the judge, get the order,
count it as an interception, bring it under the other rules,
count it--report it to Congress, et cetera.
Mr. Scott. Yeah, but you got to have a check and balance.
If you call it an emergency and go get something, and it wasn't
an emergency, you got the exclusionary rule looking at you. So
you don't have an incentive to trip over the fourth amendment.
Mr. Dempsey. Correct.
Mr. Scott. Because if you found something, you can't use
it, so there's no incentive--and that's kind of the policing
mechanism you have if there's no incentive, you don't do it.
Mr. Dempsey. And here----
Mr. Scott. But there is an incentive to cheat and get in
there. If you can use it, then there are no sanctions because
you're not going to be able to sue the police--a guilty person
is not going to sue the police, and get any----
Mr. Dempsey. Well, there are two or three provisions in the
PATRIOT Act that I would sort of call ``off the books''
surveillance. What we do is we define it not as an interception
or not as a disclosure, and then once we do that under the
statutory structure, all of the other protections are
eliminated, including the suppression rule. And what I think
Professor Swire and I are saying is recognize the trespasser
concept to some extent, but build around it some more checks
and balances.
Mr. Scott. It's well known that e-mails kind of survive in
cyberspace somewhere after you thought you had erased them. Are
voicemails similarly preserved some kind of way? If you got a
Verizon----
Mr. Swire. It depends on what Verizon or SBC does in their
system. As you move towards----
Mr. Scott. You mean we don't know?
Mr. Swire. I don't know.
Mr. Scott. We don't know if our voicemails are preserved in
cyberspace. Anybody know? We have another round, gentlemen.
Mr. Martinez. I think that you'd find in the industry that
there are different means of doing that in different
technologies for storage and different reasons that they might
have for storing, including billing purposes and that type of
thing.
But if I may for a minute, I don't know if the analogy or
the contrast between an emergency situation and one that is not
emergency is really the appropriate one, because we don't want
to take away from the victim, and again we talk about systems
administrators. They're in the best position to determine
whether or not their system is under attack. And there are
instances where they may have evaluated that they have a
situation where they can record all that--all the traffic and
at a later date, because it's not considered particularly
virulent to their system provide that to law enforcement and
say I think I may have had an attack. It doesn't appear to have
been a great one.
Or they may determine that they are under a current attack
and there's information being exfiltrated in real-time. We're
forcing a distinction upon them that really ought to be up to
them to decide. You know do I have a more expedient situation.
But what we don't want take away from them is our ability to
address it quickly and try to mitigate--help mitigate it for
them.
Mr. Coble. The Gentleman's time has expired. And as I said,
we'll do another round. The Gentleman from Arizona, Mr. Flake.
Mr. Flake. Thank you, Mr. Chairman--the witnesses.
Ms. Parsky, under section 209 how long can law enforcement
go without notifying a subscriber or a customer that their
stored communications have been accessed? How long is it? Is it
indefinitely? And if not, how long is the longest time that
it's happened?
Ms. Parsky. Well, excuse me, under section 209 actually is
not the provision and the PATRIOT Act is not the provision that
makes that determination. It's actually determined by ECPA. And
under ECPA, there is a requirement that for stored electronic
communications or wire communications, section 209 then brings
in the wire communications, either you need to access them with
a search warrant if they are unopened or within the first 180
days, in which case there would be notice with the search
warrant, or if they are older than 180 days, then you have to
provide notice and a court order. So it's not a search warrant,
but the provision of ECPA requires notice if a search warrant
is not used.
Mr. Flake. So under no circumstance is anyone's stored
electronic communication accessed without their knowledge.
Ms. Parsky. Well----
Mr. Dempsey. Congressman, if I--could I respond?
Mr. Flake. Sure. Please.
Mr. Dempsey. I think in the case of a warrant, the notice
is served on the service provider with the warrant. There's no
notice to the customer ever----
Mr. Flake. That's what I----
Mr. Dempsey. --unless the evidence is used against them in
court.
Mr. Flake. That's my question.
Ms. Parsky. That's correct.
Mr. Flake. When will the customer know?
Ms. Parsky. Well, as with any business records that might
be stored by a third party, if you have a bank, for instance
and there's a grand jury subpoena and law enforcement has, you
know, lawful right to access those records that are being
stored by a third party, the customer, the owner of those
records, would not get notice either. So this isn't applying
anything different.
Mr. Flake. But this is--it is different, though.
Mr. Swire. But this is the world of stored records we're
moving to, and we're hearing that the customers never find out
under these grand jury subpoenas and other things. This is what
would apply to an increasing number of ordinary phone calls
going forward.
Mr. Flake. This is different. I would maintain that if you
have an account at a bank, obviously you're a customer of that
bank. Maybe you don't know that the bank is being monitored or
surveilled or information is being gathered, but in this
circumstance, you are the target. But, yet, because law
enforcement gets it from a third party, then you, the target,
are not informed, and you're saying that that is the case; that
can be the case for an indefinite period of time?
Ms. Parsky. That's correct. If you are the target, whether
it's a voicemail message that's being stored, or it's your bank
records being stored, you would have notice if there are
criminal charges brought, and that's part of the Government's
case, through the discovery process.
Mr. Flake. But not until the criminal charges are brought?
Ms. Parsky. Right.
Mr. Flake. Surveillance----
Ms. Parsky. It's comparable in the physical world or in the
electronic world.
Mr. Flake. Mr. Dempsey, you care to----
Mr. Dempsey. Well, which means that in the case of the
individual whose records are wrongly acquired, who's never
charged with a crime, the person who really would want to have
some recourse, he may never be told.
Mr. Flake. Does that trouble you, Mr. Martinez? You seem to
indicate concern for the victims quite a bit. Would somebody be
considered who was wrongly believed to have information that
would make them a suspect, but then never--they never find out
that they were being surveilled?
Mr. Martinez. Well, I think one analogy I could draw is in
the world of physical surveillance. You know we follow bad
guys, and they make contact with both other bad guys and other
unwitting people that might not be part of their conspiracy.
And so there is going to be times when we do have information
or do see information that might not regard the actual crime
that we--but what we're interested in is evidence. And we're
going to boil it down to evidence, and I think that's the
approach we would take.
Mr. Flake. Ms. Parsky, what delays were experienced prior
to section 209 that made section 209 necessary?
Ms. Parsky. Well, I think that there is the basic fact that
the procedures for obtaining a wiretap, which are procedures
that are put in place for the very special circumstance and the
increased expectation of privacy and invasion of that privacy
when you have an ongoing interception of live communications.
And because of that, what the Wiretap Act puts in place
additional procedures, additional protections to the
Constitution that are resource intensive and time consuming.
With respect to a search warrant, there still are
constitutional protections. There's still a standard of
probable cause that needs to be met, and it's still presented
to a neutral magistrate to make a neutral decision, but there
aren't all the same hoops that need to be jumped through
because it's a stored communication which, not under the
PATRIOT Act, but, you know, over 20 years ago, was determined
does not meet the same level of protection as an ongoing
interception.
Mr. Coble. The Gentleman's time has expired. The Gentleman
from Massachusetts, Mr. Delahunt.
Mr. Delahunt. Yes, thank you, and this is again, Mr.
Chairman, I want to compliment you and the Ranking Member for
providing us with a very informative panel, much like the one
we just had the other day.
Mr. Coble. Thanks.
Mr. Delahunt. You know some of us understand the law well.
And from past experience, we've been involved in these kind of
investigations involving electronic eavesdropping, et cetera,
and we're familiar with the act.
I think what you have to understand is that many on this
panel, and I presume in Congress, are illiterate when it comes
to the technologies. I, for example, don't know how to use e-
mail. I don't have what do you call it a Palm Pilot or a
Blackberry. I don't know how to turn on a computer. So I'm
really at a disadvantage in the sense that I understand the
law, but I really don't understand the technologies.
But I think the overarching concern--and I think it's been
expressed rather well by both Mr. Dempsey and Professor Swire--
the issue here is really one of privacy. And fundamentally, I
think our purpose should be--and in this recent colloquy that
you had I think with Mr. Flake involving notification--there's
another piece of this, too, and that's the issue of
transparency. I think much of the concern that the American
people have is what's happening. You know, people like myself
really don't know what's happening, because we're not familiar
with the technologies. But we have this very profound unease
that something is happening, and it may be untoward and it may
be intrusive of our privacy.
So I think what we ought to be doing is examining how we
deal with the concerns that the American people have in terms
of their privacy. I think we address that through as much
transparency as we can without imposing impediments that are
really unreasonable on the Government. And I would suggest
that's the kind of balance that we want to strike. I see the--
this particular--the issues that we've been discussing here
today as an opportunity to do just that. I mean why--what's
magical about 180 days? And that is--is that really a false
distinction? I don't know. I--you know.
Mr. Swire. Congressman, can I?
Mr. Delahunt. Sure.
Mr. Swire. In preparing for the testimony, I went back and
looked at the Committee report from 2000 or H.R. 5018. That's
when this Committee, the full Committee, in great detail looked
at many of these issues. That Committee report is written in
pretty plain English. It explains a lot of these issues and
hits some of the----
Mr. Delahunt. I was on the Committee at the time, and I was
very proud of the fact that the Committee came out with a--I
think a fine piece of legislation unanimously and one I think
that was very thoughtful and many of us were very much engaged
in that. But I think the reauthorization process now provides
us an opportunity to do some clean up and anticipate, like
VOIP. I mean I don't even know what VOIP is. I mean I can't
even imagine. What do you? What do you sit in front of a screen
and talk to the screen? I don't know.
Mr. Swire. No. It's really great now. You'll use a regular
handset. You'll think it's a phone call, but it's going through
the Internet.
Mr. Delahunt. Well, that's good. I mean I don't have a
clue.
Ms. Parsky. If I may, I'd like to address the privacy
issues that you raise and I think one important thing here is
that we stay focused on the PATRIOT Act and the sunset
provisions of the PATRIOT Act.
Mr. Delahunt. Now, see that's where I disagree with you.
Okay. I think we have--we can amend the PATRIOT Act without
just addressing those provisions that are sunset. I think we
have an opportunity here to do something again without imposing
an impediment on the Government, but if we just focus on these
particular sections without implicating ECPA and all these
other rather significant ancillary pieces of our statutory
scheme that by necessity are implicated, we're really not going
to, I think, come up with a product that I think reassures the
American people that their privacy is being protected, for
example. That's my point.
Mr. Dempsey. Congressman, if I could, just on the question
of transparency. I think you're 100 percent correct. There are
two ways that we provide transparency.
One, which Congressman Flake was referring to----
Mr. Delahunt. Notification.
Mr. Dempsey. --notice to the individual. Under the wiretap
law, the surveillance is conducted in secret. Absolutely. The
technique would be ineffective. It would be worthless unless
there were that secrecy.
Mr. Delahunt. Right.
Mr. Dempsey. But after, as you know, the investigation is
closed, then notice is provided to people whose communications
were intercepted whether they are charged with a crime or not.
But for some of these other provisions, we do not have that
kind of notice. And, for example, in the trespasser case,
section 217 says that the trespasser interception is not an
interception to be counted, to be notified, to be reported to a
judge, et cetera. I think that could be addressed.
The second way we do transparency is by reports to
Congress. And I think partly the sunset has helped to draw some
of that information out, but now if these authorities are going
to continue, and they probably should continue, there needs to
be that kind of statutory reporting obligation that says how
often are they being used, how many individuals' communications
are being implicated, et cetera.
Mr. Coble. The Gentleman's time has expired. You may
continue that for the second round, Mr. Dempsey. I want to say
to my friend from Massachusetts you have assuaged my
discomfort. I am relieved to know that I am not the lone Member
of Congress who does not possess a Palm Pilot. [Laughter.]
Mr. Delahunt. In fact, we are the brotherhood.
Mr. Coble. The Gentlelady from California, Ms. Waters.
Ms. Waters. Well, thank you very much.
Ms. Parsky and Mr. Martinez, since sections 209, 217, and
220 are not specified as tools solely to combat terrorism and
terrorism-related activities, how many times have these
sections been used in non-terrorist criminal investigations? If
the USA PATRIOT Act was passed to aid in terrorism and
terrorism-related investigations, then what are the purposes
for sections 220, 217, and 209 if these sections do not limit
investigations strictly to terrorism and terrorism-related
investigations?
Ms. Parsky. Let me begin and then Mr. Martinez I'm sure
will have some followup. But the first thing that I think is
important to make clear is that the PATRIOT Act contains
provisions that are specifically addressed to terrorism, but it
also contains provisions that are not specifically addressed to
terrorism, and because there are those specifications in
certain provisions, the other provisions by necessity are
necessity are modernizations of all of the criminal procedures;
and that if there had been an intent that it only be applied to
terrorism, it would have been stated as such. These provisions
that we're talking about today are some of those very
provisions that are intended just to modernize the tools that
are available to law enforcement to protect our communities
across the board, not just the terrorists.
Ms. Waters. May I interrupt for one moment? I want to be
clear that you're saying that the stored communications that
have been referenced here so many times today--the telephone
calls, et cetera--may be accessed without notification to the
party that is the target of the investigation, and this
information may be used in any shape, form, or fashion that the
interceptor would like to use it for?
Ms. Parsky. Absolutely. What this does is it applies the
same normal rules that would apply to any criminal
investigation.
Ms. Waters. No. No. No. But this is without notification--
well. This is information--these are facts. It's not as if you
have an investigation to seek facts. Whatever is on the record
is on the record. The telephone calls are there. The messages
are there--what have you. They're accessed. I don't know about
it. You don't need a warrant to get it. You can use it any way
that you want to. Perhaps you have an investigation about
terrorism. There is not terrorism, but you find that somebody
may have committed another infraction or it could be considered
a crime. Then you take this information and you pass it on to
another law enforcement agency. Is that what you're saying?
Ms. Parsky. Well, what I'm saying is that the same rules
that have applied for years----
Ms. Waters. Well, we haven't had these rules.
Ms. Parsky. No, but the rules aside from the PATRIOT Act.
The same rules that have applied to electronic mail, that have
applied to physical records that are stored with a third party,
these exact same rules. All the PATRIOT Act does is it says
that you treat the same all types of stored communications,
whether they are wire, whether they are electronic, whether
they are physical or physical records. There's nothing new
here.
Ms. Waters. It is something new----
Ms. Parsky. The same notice provisions apply.
Ms. Waters. Well, let me just stop you again. As I
understand it, under those circumstances, you have a limited
period of time by which you can engage in the so-called search
or investigation. I may be wrong. But this could go on forever
and ever and ever; is that correct? Is that a difference?
Ms. Parsky. There's nothing in the PATRIOT Act that changes
the length of time that it may take for an investigation to be
carried through. That's dictated by the facts of the case. But
there are--I mean there are very significant cases. There are
child pornography cases. There are places where we have rescued
children from their molesters because of the very critical
modernizations that were provided through the PATRIOT Act.
Ms. Waters. Yeah. But, I'm not talking about that. What I'm
talking about is this: you access my telephone messages. You
use them in any way that you want to, not just for terrorism,
but like you said, it's meant to apply to, you know, cases in
the same manner that prior to the PATRIOT Act. You can do
anything you want with that information. You can share it. You
can give it to anybody you want to give it to, and you can
continue to access that information for as long as you want to
without having to report to a court or anything. Is that what
you're telling me?
Ms. Parsky. No. That's not correct at all. What happens is
the exact same standards apply whether it is a wire
communication, an electronic communication or a physical
record. You still need to go to a court to get a court order, a
search warrant. You still need to provide notice with that
search warrant to the same extent----
Ms. Waters. And that's good for how long? Thirty days?
Ms. Parsky. Which? The search warrant?
Ms. Waters. Yes.
Ms. Parsky. The search warrant has to be served within 10
days, and then you obtain the evidence that is stored.
Ms. Waters. And how long can you look for the evidence?
Ms. Parsky. The search gives you access for that one period
of time to go and collect the stored records within the scope
of the search warrant. So you are limited by the terms of the
search warrant to a particular scope. You are limited to the
investigation that you are carrying on, and there are other
protections that are built into our system so, in fact, you
cannot go and do whatever you want with it or disclose it to
whomever you want. There are Privacy Act implications. And
you're----
Ms. Waters. What if you go to a provider, looking for
information, and for whatever reasons, however they store that
information, however they categorize that information, it's not
easily found. You have to--they have to do a number of things
to access the information, and how long can that go on? Do they
have to give you the information in 10 days, 15 days, 30 days?
Or can you work with them to get you that information over the
next year?
Ms. Parsky. Well, if it's a search warrant, you go in and
you obtain the information. If it's a subpoena, then there is a
return date on the subpoena, and by the return date, they need
to return to the grand jury the records that have been
requested.
Ms. Waters. I'm talking about search warrant now I guess.
I'm talking about search warrant.
Ms. Parsky. In the search warrant, we go in and we obtain
it ourselves. We don't give them a certain amount of time to
provide it to us, because then we risk that they would destroy
the records.
Mr. Dempsey. Yeah, actually, Congresswoman, if I may say
just on that one point with the service provider: actually
Congress changed the law recently to allow the service of
warrants by fax. So they are faxed into the service provider
without the presence of an officer there.
I think really what we're looking at here is sort of a
confluence of three different things. One is the specific
provisions of the PATRIOT Act that we're talking about today,
relatively narrow changes. But I've been trying to say that
they interface with other changes in technology that need to be
addressed.
Third, they also interface with other provisions of the
PATRIOT Act, for example, section 203, which was the subject of
a hearing the other day, so that in terms of what can be done
with this information, it's not only limited any longer to law
enforcement uses. It can be disclosed if it constitutes
information about foreign affairs. It can be disclosed to
national security, military, protective, immigration or
intelligence agencies.
Mr. Coble. Well, the Gentlelady's time has expired. We can
continue this in the second round.
We'll start our second round now.
The courts have long recognized that providers of
communications services possess a fundamental right to take
reasonable measures to protect themselves and their properties
against the illegal acts of trespassers. Now, I don't mean this
to sound as subjective as it's going to sound, but who has the
reasonable expectation of privacy under section 217? The owner
of the computer or the criminal or terrorist hacking into the
computer? Start with you, Ms. Parsky.
Ms. Parsky. Thank you. You raise a very important point,
and I think particularly when we're talking about privacy
rights here, and when we're focusing on the provisions of the
PATRIOT Act that are subject to pre-authorization. Section 217
is a critical provision to protect privacy. It's a critical
provision to protect the privacy not only of the service
provider whose property is being unlawfully accessed. That's
what the hacker trespasser is doing. But, you know, we are
living in a time when there are all sorts of computer hacking
incidents that are subjecting consumers and individuals to the
potential for identity theft. So that to the extent that you
have this hacker then accessing the individual account holder's
information and providing very private information to others to
conduct criminal activity, this is allowing law enforcement to
protect those privacy rights of the consumers.
Mr. Coble. Which was vague prior to the act?
Ms. Parsky. That's correct.
Mr. Coble. Let me hear from the rest of the panelists.
Ms. Martinez. Congressman, if I can follow up on that.
Again, in working--the FBI works very hard to garner good
relationships with e-commerce businesses so that we can get the
information we need to go at cyber crime, and there are some
incentives and disincentives for them to do it.
One of the things that I think we're starting to agree upon
is that e-commerce businesses have a responsibility to protect
the--both their intellectual property, but also the vast amount
of personal information that they might store in the course of
their normal business.
Again, this expands their ability to be a responsible
corporate citizen, to get information to us that might allow us
to act quickly to stop an attack that might very well expose
hundreds of thousands, millions of personal records. So again,
anything we do that would reduce our ability, especially the
timeliness of our ability, to address those types of situations
when a consenting party comes to us and makes us aware of a
problem, I think would be--would go against being able to
protect privacy of citizens in general
Mr. Coble. Thank you, sir. Mr. Dempsey?
Mr. Dempsey. Mr. Chairman, I agree with Mr. Martinez. But
the question is what if they're wrong? What if the system
operator is wrong and points the finger at the wrong person?
What if law enforcement comes in and acts over broadly? I'm
saying respond to the emergency, recognize the seriousness of
the computer crime, but build some checks and balances in that
gives some redress when a mistake is made.
Mr. Coble. Professor?
Mr. Swire. Thank you. It's the expectations of privacy of
all those phone users, e-mail users, credit card people. That's
where the ordinary citizen's privacy is at stake. And right
now, if the Government looks through those, either by mistake
or because they want to look through those, they can take that
information. They can use it in future investigations. They can
use it in court. And the statutory suppression rule that this
Committee has previously passed addresses that so that you have
a rule that says they should follow the law and not be over
broad in their searches.
Mr. Coble. Ms. Parsky, your facial response tells me you
want to weigh in again, and you may.
Ms. Parsky. Thank you. Well, one thing to make clear is
that this isn't just about an emergency. This is the equivalent
of a normal consent situation. And there are numerous, you
know, vast arrays of examples where in a physical world, there
is a citizen or a company that provides law enforcement with a
tip, and we need our citizens to bring crimes to our attention.
They don't always pan out. There is always the potential that
there will be access to information about individuals who don't
end up having criminal culpability.
Mr. Coble. I thank you for that.
Ms. Parsky. Thank you.
Mr. Coble. Let me beat the red light by putting another
question to Mr. Dempsey.
Mr. Dempsey, in your written testimony, you stated that
section 220 of the USA PATRIOT Act makes obvious sense.
Elaborate in some detail on that if you will.
Mr. Dempsey. Well, I think we do have nationwide
communication systems and for a crime in California the
evidence may be--the electronic evidence may be stored in
Virginia.
It is appropriate I think for a judge in California to
issue that warrant to be served in Virginia, to send the
evidence back to California where the locus of the
investigation is. My only concern is that a little bit tips the
balance in the other direction, and if the service provider
gets a warrant that looks over broad, that looks burdensome,
that may sweep too broadly or it may be unclear, the person in
California issuing the warrant may not have understood the
computer network of the person in Virginia.
The person in Virginia, they want to do the right thing.
But they also want to be careful. They should have the
opportunity to go to a judge in Virginia or in California, but
certainly in Virginia where they are and say we want to
cooperate. We will give it over, but we--it should be focused a
little bit more.
Mr. Coble. I got you. I thank you. My time has expired. The
Gentleman from Virginia.
Mr. Scott. Thank you, Mr. Chairman. We keep talking about
how you're going to use the information as the kind of
violation of privacy that you actually use it. Some of us may
think that just looking at, because we're not talking about
robots. We're talking about somebody who could be your
neighbors and people are kind of thinking terrorism. Let's kind
of think mental health records and medical records that
people--that your neighbors may be looking at if they happen to
work for the FBI. And when you think of it in that nature, I
mean sometimes you don't want people looking at your medical
records and your mental health records, and your private
communications with your friends, colleagues, or spouse. You
may not want the--your neighbors to know that you're having
marital problems and all that kind of stuff. So just the idea
that you get to look at it, I mean. And then after you get to
sharing it all--and we're not even getting into that--but some
people are going to be looking at your very private
communications. And you don't know going in what's going to pop
out of that e-mail.
Ms. Martinez. If I may address that very example, I think
health records is a good one. There have been intrusions into
medical facilities and health records have been compromised. In
working a computer intrusion investigation, it would be very
important for us to determine what type of data was targeted.
And it may very well be that we determine that very specific
health records of very specific individuals were targeted. But
without us being able to do the investigation and drill to that
level of detail we wouldn't know and that would impede our
ability to work that case back to identify----
Mr. Scott. You don't know--you don't know when you start
reading your--I mean it--doesn't the e-mail from me to my
doctor or from a person to his priest doesn't start off by
saying personal information enclosed. Caution. Warrant
required. You just start reading and start tripping over all
this information that could affect--it could be your neighbor.
You know you didn't know that about your neighbor.
Mr. Swire. Congressman, can I--one of the things that the
Government's position has been if the record is stored, then
you're pretty much out of luck. You're under much less luck
than you used to be. Once it's stored, there's no
constitutional protections--reasonable expectation to privacy--
you've handed that over to a third party. Once it's stored,
you're under the Stored Communications Act at best. You're not
getting wiretap protections anymore.
So they're saying once these things get stored----
Mr. Scott. And you can do it by subpoena. You don't even
need a search warrant? Is that right?
Mr. Swire. It depends on the time, and they have different
things, but a lot of times you can do it through a grand jury
subpoena, through this 2703(d) order, or you can do it through
a search warrant. The Government gets to choose.
Mr. Scott. Now, we keep talking about these delayed
notices. If you trip over this embarrassing information about
your neighbor and don't use it and don't notify anybody, there
are, in fact, no sanctions if you're not going to use the
information; is that right?
Ms. Parsky. Well, if I may, I think one important thing to
keep in mind here, particularly when we're talking about
section 217 is that we're talking about, number one, the fact
that when you have these communications that are going on on a
service provider's network, there is already the ability for
the service provider to monitor those communications. So
regardless of whether law enforcement is involved, you have the
service provider monitoring. But in section 217, we're talking
about the additional situation where these private records,
whether they be, you know, medical records or personal notes to
a neighbor, those are being also accessed by a trespasser.
So the additional insertion of law enforcement into that
calculus actually adds more protections because law
enforcement----
Mr. Scott. But you're kind of getting over broad----
Ms. Parsky. --is subject to other restrictions that
criminals are not.
Mr. Scott. Do you need a trespasser to trigger all of these
search warrants and subpoenas?
Ms. Parsky. Section 217 is specific to hacker trespassers
and that is where the system--the system provider--the service
provider can--they have the ability to monitor the
communications. They can provide the consent to law enforcement
to assist them in protecting their own property.
Mr. Scott. So if AOL is listening into--is reading all of
my e-mails, then they can invite law enforcement to look over
their shoulder as they look at my e-mails?
Ms. Parsky. Rather than their collecting it and providing
it to law enforcement afterwards, when law enforcement doesn't
have the ability to help protect them and to help solve the
crime.
Mr. Scott. If AOL has a privacy agreement with me, then
they can't do that.
Ms. Parsky. That's correct. That's a contractual matter.
Mr. Swire. AOL can read your e-mail only for the purpose of
protecting their service or their rights or for purposes of
protecting the security of their system. But I think we've sort
of shifted over a little bit--mushed up 209 and 217. Two
seventeen is limited to trespasser cases. 209, the warrant or
subpoena access, is for all investigations. And I think though
one of the issues you were getting at with the question of the
medical records, et cetera, the real-time interception cases
have almost a two-layered protection. You get the warrant,
which has the particularity required by the fourth amendment
giving the Government the right to get into somebody's
communications stream.
The law imposes what is almost an extra protection, which
is the minimization requirement, which says that you can only
record specifically what is incriminating. There is no real
minimization requirement on the stored records side. The
minimization requirement is in title III, not on the Stored
Records Act.
So one you're in there and particularly because you don't
know what you're getting until you actually open it. You don't
know whether it's relevant or not until you actually look at
it. The Government I think does acquire a lot of information in
a stored capacity, bring it back, sit there, open it, go
through it, and at that point there, they are looking at and
they have in their possession a lot of material that turns out
to be extraneous.
Mr. Scott. Mr. Chairman, let me just say that one of the
problems after you get in there and start reading and reading
if you do not use the--if you don't want to use the material,
there is not requirement--there's no sanction for continuing to
read.
Mr. Dempsey. Not really.
Mr. Scott. With a requirement of a warrant going in, you
don't know what you're going to get so if you mess up, if you
break into somebody's house and get--find the drugs, you can't
use the drugs under the exclusionary rules. So you have no
incentive to break in.
Under this, with this delayed notice and all that, if you
find some goodies, you can find the notice. But if you don't
find anything, there is no sanctions.
Mr. Dempsey. Right.
Mr. Coble. Well, the Gentleman's time has expired. Ms.
Parsky, you and Mr. Martinez want to weigh in before I
recognize the Gentleman from Massachusetts?
Ms. Parsky. I think we both want to make a couple of brief
comments. I thank you very much.
Mr. Coble. And briefly if you can because we've got to move
along.
Ms. Parsky. Very briefly. But the one thing that I think is
important to understand is that if you have a search warrant,
there is very specific requirement that it be relevant to
criminal activity and that there be a defined scope for that
search warrant. So you don't go in and you're able to inspect
or search or seize anything you want. You go in within the
scope of the search warrant and there is the ability for
someone to challenge whether, in fact, you stayed within the
scope.
Mr. Scott. Yes, but that doesn't apply to a subpoena?
Ms. Parsky. But that applies to a search warrant whether
it's for physical records or electronic records and to the same
extent that you might have a search warrant to search physical
files and you may have to open up the file to see if what's in
there is within the scope of your search warrant, the same
applies to the electronic world. I think Mr. Martinez.
Mr. Martinez. And I think to follow up on that. Again, I'll
make the analogy with the physical seizure of health records.
You may, in the course of an investigation, try to determine if
there are victims that are part of the health organization's
records, and you may see some information about someone's very,
very personal health profile. Again, if it doesn't go the
specific violation that I'm trying to prove or determine
elements of, I don't know that I would have a positive
requirement to then go back and tell everyone whose record I
looked at that I set aside because it wasn't pertinent to my
investigation that I looked at your health record.
We'd go on to the next one and aggregate evidence and move
on from there.
Mr. Swire. May I have one sentence just to follow? Under
new technology, we're storing lots and lots more things than we
used to. That may mean the laws about stored records deserves
some reexamination.
Mr. Coble. The Gentleman's time has expired. The Gentleman
from Massachusetts, Mr. Delahunt.
Mr. Delahunt. Yeah. I think that goes to--you know, and I
appreciate the distinctions obviously between electronic
records and physical records.
But people understand a physical record. As I indicated
earlier, there's a lot of us that really can't put our--we
don't grasp the extent of and the volume of electronic records.
That's where the unease of the American people are in terms of
their privacy.
And I think that was the debate and the discussion, that's
what we have to remember, and we have to--if we're going to--
and I think we should. Okay. If we're going to give law
enforcement the updated means to conduct investigations, at
some time we have to do this in a way that's thoughtful enough
to balance the concerns that Americans have about privacy. And
the best we can do is, you know, in my judgment, is
transparency and notification. If we do that, even though it's
burdensome, it doesn't impede the investigation.
You know, Mr. Martinez, I mean everything that's done post
the investigation by virtue of that definition doesn't impede
the Government from, you know, fulfilling its role in terms of
protecting the American people or, you know, enhancing public
safety. I mean that's what I'm suggesting here.
Mr. Martinez. Well, I want to make one point about the
emerging new technologies. I think as we look at technologies
emerge, we have to be very careful to determine whether that
technology is really unique. Does it really present a set of
circumstances that did not exist before or that hasn't been
analyzed and very, very carefully thought through before,
because--just because it is a new technology, it doesn't
necessarily mean that there isn't already an existing paradigm
in the law to handle it.
So I wouldn't want to make the assumption--you know, when
we transition from an analog telephone to cellular telephone--
you know, we still had conversations going over it.
Now, there were a lot of implications to that. The
technology was indeed different, but I think much of the
circumstance was similar to what existed before.
Mr. Delahunt. But it's the speed.
Ms. Parsky. Well, I think as an important----
Mr. Delahunt. The problem you have in terms of the
transmission, the communication itself is so quick and so
instantaneous, you need to be upgraded. Okay. And I think what
we have to do is look at concomitant ways to again ensure that
those privacy rights and--if there's anything about the
American people and in terms of the essence of our democracy
it's the right to privacy. If you don't have privacy, that's
the beginning in my judgment of totalitarianism. Okay.
And that's why Americans emphasize so much this checks and
balances issue and this transparency. And that I think is the
framework, the mind set that should come to this. Before my
time runs out, what I'm going to do is adopt the questions that
were presented by Prof. Swire as mine. And I'm asking you, and
I'm going to put this on you, Ms. Parsky, to respond to those
questions in writing. In the past, under other Attorneys
General, I've made those requests. Somehow it gets lost in the
black hole. But this is a new Attorney General, a new
Administration. I would hope that those questions, which are
now Delahunt's questions, okay, would be responded to and, you
know, please would you direct the answers to those questions to
me? I'll give Mr. Coble and Mr. Scott--you can Cc: them. Right?
But I think they're good questions, because I think they go to
the clarify--I think really what some of this is about is
clarification.
Ms. Parsky. If I may just briefly respond quickly or follow
up on what Mr. Martinez said. I think that it's important to
recognize that there are still laws that we can apply to these
new and complicated technologies. And as Professor Swire says,
yes, with, you know, Internet protocol and with packets of
information, it may be easier to store information. That
doesn't mean that it's authorized to store information. So even
if a network administrator may be able to store it, the same
rules still apply in terms of what kind of contractual
relationship, what kind of consent those working under that
network administrator have entered into and that have----
Mr. Delahunt. And I understand that, and I'm sympathetic,
and I understand that.
You know, I think what we hear from Mr. Scott in terms of
his concerns about mental health records. I think we need to
explain, you know, the concept of minimization and what it
means whether we're intercepting a telephone conversation and
how the concept of minimization in terms of review of records
applies to electronic records.
Mr. Dempsey. Congressman, I think that one of the things
you mentioned was speed and volume. And it goes to
Representative Scott's questions. Well, I remember a couple of
years ago, FBI Director Freeh was testifying in support of his
budget request and talking about how the FBI needed more money
to process the data that they were collecting, and he cited one
case----
Mr. Delahunt. Well, didn't he get a new computer for that?
Mr. Dempsey. Well, different issue. Different issue,
Congressman.
One case the FBI seized enough electronic information that
if it were printed out, it would have filled the Library of
Congress one and one half times over. That was FBI Director
Freeh's testimony. That was the volume of stored records that
were available to them in that one investigation.
Mr. Coble. The Gentleman's time has expired. The Gentlelady
from California, Ms. Waters.
Ms. Waters. Thank you very much, Mr. Chairman. First, I'd
like to ask unanimous consent to enter my statement into the
record.
Mr. Coble. Without objection.
Ms. Waters. And secondly, I think the discussion was going
in a direction that I have great interest. I think that we all
have a very special need to believe that we have control over
our lives, and it is very disconcerting to think about people
having access to every tidbit of information about your life
because they are able to store your telephone conversations,
your e-mail messages, and on and on and on. It's just pretty
overwhelming.
And so I think we certainly need to understand the new
technology and who has the ability to store what and for how
long. And whether or not, you know, there is certain kind of
permission needed in some cases to be able to give that
information or share that information.
And I do think that perhaps we need to look at this new
body of law relative to this new technology so if nothing more
comes out of it then disclosure to the client. We get credit
reports. I mean we force credit card companies to give us a
report every year to tell us what they're holding and what
they're advising people about us.
For our medical records, our doctors have to have written
permission from us to give it to somebody, I just think we need
to find out what--well, we need to develop this body of law
that will help us feel we have some control. I recognize the
need for, you know, the criminal justice system to be able to
access certain things through warrants and subpoenas, but I do
think I have a right to know whether or not my computer or
company or my server is holding information and what form it's
in, and how long it's held. Some of those things I think are
just very basic to being able to have some kind of contractual
relationship with those who are holding significant information
about you.
I think I would feel better if I just had disclosure,
because I understand that the technology works in different
ways and we don't know what technology is being used by what
companies. Then I may have a right to choose a particular
company because they don't keep certain information or they
discard information after a certain period of time. So I think
we should----
Mr. Coble. Would the Gentlelady suspend for a moment?
Ms. Waters. Yes.
Mr. Coble. Reverting to Mr. Delahunt's suggestion, the
record will remain open for 7 days folks so we can have
exchange and this will be ongoing. This is not the day of
finality on this matter by any means.
Ms. Waters. So I--let me ask, Mr. Delahunt, when you
referred to Mr. Swire's questions, I don't know what those
were, but are they included in----
Mr. Delahunt. They are an appendix to his testimony.
Ms. Waters. Do they relate to the concerns that I----
Mr. Delahunt. Some of them do.
Ms. Waters. Just, and if I may, I have a few more seconds
left here, Mr. Swire. Could you comment on what I tried to
communicate just a few moments ago about possible disclosure or
having some choices in the selection of companies that I deal
with, et cetera, et cetera.
Mr. Swire. I have two comments. One is when it comes to
stored records, this Committee in the fall of 2000, in H.R.
5018, passed I think unanimously or almost unanimously a number
of provisions about stored records, and there's a Committee
report about that. So that might be a place to look where
Republicans and Democrats worked together that year.
On disclosure, that comes up to issues of should every
company have privacy policies they communicate out there. We do
have most companies with privacy policies. There's no Federal
laws that say they have to do that, and a lot of companies have
over time watered those down in the last three or 4 years
because they don't want to be constrained if they feel like
using data later. And I think if you look at those privacy
policies in general they're less detailed and less full today
than they were 3 or 4 years ago, and that might be something
for people to look at also.
Ms. Waters. Well, that's a good idea. Let me just say based
on some of the recently developed laws, we are supposed to be
given an opportunity to opt-in or opt-out----
Mr. Swire. Yes.
Ms. Waters. --on information that's shared about us. But I
don't think it gets to the stored information at all. I'll go
back and take a look at that.
Mr. Swire. For your medical data and financial data, the
stored records at the bank or the hospital, those are subject
to some of those choices the Congress put into law.
Mr. Dempsey. Although in every case, those provisions have
law enforcement and intelligence exceptions.
Ms. Waters. Oh.
Mr. Scott. What do you mean by an exception?
Mr. Dempsey. That basically it doesn't matter what the
privacy policy says. When the Government comes in with whatever
compulsory process is permitted, whether it's a warrant, a
subpoena or a court order, the privacy policy evaporates.
Ms. Waters. But if I got disclosure, if I understand what
it is you are storing, and, you know, how you do this, how much
information you hold on to for what periods of time, I may have
some options about whether or not I want to deal with you or I
may want to handle my business in a different way. For example,
let me just tell you here in the Congress of the United States,
you know, people keep in their computers, you know, all of the
daily calls. They keep telephone numbers. They keep everything.
Well, you know, some people may want to decide I don't want
that in the computer for whatever reasons. I want to use some
old systems. And I knew and understood, which I'm going to ask
now, what is being stored for how long in the systems that we
use, then I may, you know, make some different decisions.
Mr. Coble. The Gentlelady's time has expired. We have the
Lady from Texas has just joined us. We will include, professor,
your questions in our post-hearing letter. And that can be
addressed then.
The Gentlelady from Texas is recognized for 5 minutes.
Ms. Jackson Lee of Texas. Thank you very much, Mr.
Chairman. To the panelists, thank you. We are at the same time
in a Homeland Security mark up and so I thank you for your
testimony and apologize for my tardiness in this hearing.
But let me just take the opportunity. This hearing deals
with certain sections of the PATRIOT Act for reauthorization
that are not necessarily that controversial. But I am going to
take this opportunity to press some points that may be somewhat
more global.
And that is that the idea of the PATRIOT Act, of course,
was to ensure safety or to correct some of the ailments that
many thought could cure the tragedy that we faced on 9/11. Some
of the weaknesses as we moved into cyber security and
technology. We just passed a bill in Homeland Security to
establish an Assistant Secretary in the Homeland Security
Department for Cyber Security. Again, the whole issue of
integration if you will to provide more security for the
Nation.
I raise the question, however, as an opponent of the
PATRIOT Act and a huge skeptic of the reauthorization of any of
the sections, meaning that I want close scrutiny is where we
are in 2005. Some will say that the aviation industry is not
that much safer. Questions are being raised about our security
personnel as we--our screeners. It's certainly out of the
jurisdiction of this Committee, but I think the main question
is whether we have been made safer by downsizing on some of our
civil liberties and the ability, of course, for unreasonable
search and seizure.
I think my colleague from California made the point that
now vastness is a vast wasteland dealing with e-mail and I
believe that we have lost the touch of writing the written
letter, if you will. And so cyber security has become our means
of communication. I am concerned with even the minimal, if you
will elimination or impacting on the use of e-mails and the
privacy of individuals and the intrusion by law enforcement
entities on the basis of homeland security or national
security.
So I'm going to start with Mr. Swire in terms of putting
you on the immediate hot seat for this global question that
I've asked and that is are we safer and is the--are we
necessarily having to do this--having to reenact these
provisions on the PATRIOT Act to ensure that safety?
Mr. Swire. That feels pretty hot. Are we overall safer?
There was certainly some provisions of the PATRIOT Act that I
supported when I was in the Clinton Administration and that
were sensible updating to take account of new technology.
I think that when I think of safer and downsizing civil
liberties, the one point I stress is that the current law seems
to be once the record is stored, once it's held at the ISP or
the bank or something like that, you've lost all your
constitutional protections of reasonable expectation to
privacy. I think that hasn't been fully understood by a lot of
people; that those stored records that we've heard so much
about today, once they're out there, the constitutional
protections are gone. That means Congress is the only place
that writes those privacy rules.
And so this Committee and the rest of the Congress has to
think about if the courts aren't going to do it, what's the
Congress going to do to right the law so that we have safety
and civil liberties going forward.
Mr. Dempsey. Congresswoman, we are safer, but not safe.
Progress has been made, but still a lot more needs to be done.
On the question of cyber security, I think that clearly the
PATRIOT Act focuses almost exclusively on after the fact
prosecutorial efforts. Clearly, a lot more needs to be done on
building secure systems.
But I think finally the question of civil liberties is I
believe, and I think there should be pretty wide agreement. If
you look at the 9/11 Commission Report, if you look at the
Gilmore Commission Reports, the Markle Task Force, what we
should be seeking here is not a trade-off, not a surrender of
some civil liberties in order to purchase some security, not a
trade-off, but a balance. But a little bit here I hear the
Justice Department saying give us more power to deal with new
technology, but don't adjust the privacy protections to deal
more--with the new technology. The technology is changing. We
need to change the laws in ways that make it easier for the
Government, and there's some validity to that. But don't change
the law in ways that would improve the checks and balances. And
I think we need those checks and balances. I think they do not
hurt us.
Our rights are not what is wrong with our counter terrorism
approach. We need these checks and balances. They can be
effective with all the authorities we've talked about today.
Ms. Jackson Lee of Texas. And this is a very strong point
that you made, Mr. Chairman. I think--I hope the halls of
this--or the walls of this Committee room have heard Mr.
Dempsey and Mr. Swire and not to ignore Mr. Martinez and Ms.
Parsky. I'm sure that I'll be able to read your testimony, but
my point is the importance of privacy and balancing our
national security.
I yield back.
Mr. Coble. I thank the lady. Mr. Martinez, Mr. Dempsey
referred to DOJ, either one of you want to respond to that?
Ms. Parsky. Well, I appreciate the opportunity, and I would
like to just respond briefly that the Justice Department's
position is that we should be able to bring our law enforcement
tools up to speed with modern technology, while preserving all
the checks and balances and the constitutional protections and
other protections that are built into our criminal procedures.
And all we are looking to do is apply those exact same checks
and balances protections of privacy to the modern world.
Mr. Coble. Well, this----
Mr. Scott. Mr. Chairman? Can I ask----
Mr. Coble. Yes.
Mr. Scott. --one. There's one point I----
Mr. Coble. I will. But I say to my friend from Virginia----
Mr. Scott. It will be quick.
Mr. Coble. Well, if you can, 'cause I got 50 constituents
who are waiting on me for about 10 minutes now. So, Mr. Scott.
Mr. Scott. Well, if AOL doesn't care about my privacy,
what--and they give anybody--they give Government permission,
where does it say--am I without safeguards, is that what I
understand?
Mr. Swire. That's section 217. If AOL invites the
Government in, and the Government is supposed to only look at
the hackers, but they look at everyone else, right now they get
to use all that evidence in court and in future investigations.
Mr. Scott. Or look at it, because the question, the point
was made that if you're in the doctor's office, you can look at
the file. You don't know what's going to be in it when you open
it up, but you know what file you're looking at. You're not--
you didn't have--you're not in the doctor's office looking at
all the files.
Thank you, Mr. Chairman.
Mr. Coble. I thank the Gentleman, and I thank the
panelists. This has been a very worthwhile hearing it seems to
me. As I said before, the record will remain open for 7 days,
and I again thank the witnesses for your testimony. The
Subcommittee very much appreciates this.
In order to ensure full record and adequate consideration
of this important issue, the record will be left open for
additional submissions for 7 days. Also any written questions
that a Member wants to submit should be submitted within that
same 7-day timeframe. This concludes the oversight hearing on
the ``Implementation of the USA PATRIOT Act: Crime, Terrorism
and the Age of Technology.''
Thank you for your cooperation and your attendance, and as
well as those in the audience and the Subcommittee stands
adjourned.
[Whereupon, at 11:49 a.m., the Subcommittee was adjourned.]
A P P E N D I X
----------
Material Submitted for the Hearing Record
Prepared Statement of the Honorable Robert C. Scott, a Representative
in Congress from the State of Virginia, and Ranking Member,
Subcommittee on Crime, Terrorism, and Homeland Security
Thank you, Mr. Chairman, for scheduling this hearing on USA PATRIOT
Act provisions to investigate and prosecute crimes through the use of
electronic evidence. Section 209 of he Act references ``Seizure of
Voice Mail Messages Pursuant to Warrant.'' However, that section
authorizes access to much more than voice mail and authorizes access
through ways other warrants, such as by administrative, grand jury and
court issued subpoenas, under the appropriate circumstances. And they
can be ``sneak and peek,'' whether warrants, court subpoenas or
administrative subpoenas. So we are talking about a section that is not
only misleading relative to the breadth of the police powers it
authorizes, but a title that is also deceptive as to the extraordinary
nature of the powers.
Quite frankly, Mr. Chairman, the more I review the extent of the
powers we have extended to law enforcement through provisions such
section 209, the more I am pleased with our decision to provide for a
sunset on some of these powers in order that we may review in earnest
what we have done, and so that the law enforcement authorities who get
access to our private information pursuant to these powers, is aware we
will be reviewing them. This is a section whose original purpose was to
protect our electronic data against intrusion. When I see the ``mack
truck'' hole we carved out of that purpose for law enforcement access,
and the limitations on traditional methods of holding law enforcement
accountability such as prior notice with right to quash, and oversight
of a court through return reports to the court within a certain number
of days, the more I am convinced that sunset review in this area is
absolutely essential to our oversight responsibilities to the public.
And this is especially true in the areas of electronics and general
technology, given the growing impact of technology on our society. I
have the same concerns about Section 217, which allows an ISP to give
law enforcement wide latitude to look at private electronic
communications without court oversight or review. Its one thing to call
law enforcement to look at a trespass that is occurring; its another
thing to call in law enforcement to look o see if there is anything
suspicious going on, prior to a trespass occurring. And while I can
understand the efficiency and exigency arguments for a nationwide
search warrant authority in the arena of electronic communications, I
am also concerned with the sufficiency of the notice and, right to
challenge and oversight of such warrants.
For law enforcement, the good news in what I am saying is that I
think these powers should be available in appropriate circumstances, so
I am not calling for sunsetting them. However, for the public's
protection of their privacy as well as their safety, I am saying that
we need to look more precisely our notice, oversight and reporting
requirements for these powers, and make appropriate adjustments. We
should also continue this kind of oversight through sunsets, where we
have to periodically look at the use of these powers in an arena of
evolving technologies, and where law enforcement is aware that the use
of these powers will need to be scrutinized and justified. So, Mr.
Chairman, I look forward to the testimony of our witnesses on how we
might best do that, and to working with you on implementing their
recommendations. Thank you.
Prepared Statement of the Honorable Maxine Waters, a Representative in
Congress from the State of California
Mr. Chairman, sections 209, 217, and 220 of the Patriot Act,
violate Americans' privacy rights and civil liberties and should not be
renewed. None of these sections are limited in their application--they
can be used for any kind of criminal investigation that the DOJ sees
fit, and are not limited to terrorism.
Mr. Chairman, section 209, the ``Seizure of Voicemail Messages
Pursuant to Warrants'' of the Patriot Act allows law enforcement
agencies, in some circumstances, depending on the amount of time the
messages have been stored, to seize American citizens' stored voicemail
messages without a search warrant or subpoena. Section 209 also is not
subject to the exclusionary rule. Therefore, if law enforcement
illegally seizes an American citizen's voicemail messages, the
illegally seized voicemails still can be used as evidence against a
person in court. Since section 209 has no notice requirement, the
citizen would not even know she was the subject of surveillance, until
she is brought to court.
Mr. Chairman, even if law enforcement gains access to an American
citizen's voicemail in adherence to section 209, there are no
limitations as to how the information will be used or publicized. This
power far overreaches into the constitutionally guaranteed right to
privacy.
Mr. Chairman, section 217, or the ``Interception of Computer
Trespasser Communications'' section, is just as harmful as section 209.
Under section 217, if a computer service provider claims that an
individual is ``trespassing'' on its network, law enforcement is free
to intercept that individual's private communications without
permission from a judge. This section fails to address the question of,
who qualifies as a ``trespasser.''
Mr. Chairman, the DOJ would like Americans to believe this section
is limited to computer hackers. However, section 217 never specifically
describes a ``computer trespasser'' as a computer hacker. The
definition given is ``a person who accesses a protected computer
without authorization and thus has no reasonable expectation of
privacy, in any communication transmitted to...the protected
computer.'' This definition leaves open several definitions as to what
constitutes a ``computer trespasser.''
Mr. Chairman, this vague definition is dangerous because there is
no judicial oversight or notice requirement in section 217. Therefore,
this section, like many other Patriot Act provisions, allows law
enforcement to freely and secretly spy on Americans, with no checks or
supervision from a judge to make sure this power is not abused. Section
217 places all power within the hands of law enforcement and the system
owner or operator.
Mr. Chairman, section 220, or the ``Nationwide Service of Search
Warrants for Electronic Evidence'' section, amends the Federal Rules of
Criminal Procedure to expand the jurisdictional authority of a court to
authorize search warrants outside of the court's judicial district in a
criminal investigation. This section allows law enforcement to pick and
choose which court it can ask for a search warrant. This leaves open
the possibility that law enforcement agents can ``shop'' for judges
that have demonstrated a strong bias toward law enforcement with regard
to search warrants, using only those judges least likely to say no--
even if the warrant does not satisfy the strict requirements of the
Fourth Amendment of the Constitution. This section also has no notice
requirement.
Mr. Chairman, only local judges and courts should be allowed to
grant warrants for investigations falling within their jurisdictions.
Judicial oversight is only effective if the presiding judge is within
the jurisdiction where the search and/or investigations are taking
place. Local judicial oversight is a key check against unreasonable
searches and seizures. Also, Americans have the right to due process
and should be notified if they, or their property, are the subject of a
search warrant or criminal investigation, even if the notice is issued
after the search or investigation has commenced.
Mr. Chairman, absent a clear demonstration from law enforcement
that these new surveillance powers are necessary, sections 209, 217,
and 220 should be allowed to expire. These sections of the Patriot Act
threaten the basic constitutional rights of millions of Americans.
I yield back the balance of my time.
Submission by Peter Swire entitled ``The System of Foreign
Intelligence Surveillance Law''
<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>
<all>
�