Administration Wiretap Proposal Hits the Right Issues But Goes Too Far

Analysis Paper #2, Brookings Project on Terrorism and U.S. Foreign Policy, October 3, 2001

Peter P. Swire, Visiting Professor of Law, George Washington University Law School.


One of the key components of the Administration's counter-terrorism legislative package is to enhance the government's authority to obtain and place so-called "pen register" and "trap and trace" orders ("pen/trap orders"). On October 1, 2001, the House Judiciary Committee adopted much of what the Administration proposed, but toned down some of the other provisions of the larger proposal. At this writing, the Senate Judiciary Committee is considering the Administration proposal together with an alternative package put forward by Senator Leahy.

This essay provides some basic background information on pen/trap orders and how changing technology indeed supports further legislative actions in this area, including proposals dealing with: emergency trap and trace actions without a court order; nationwide scope for trap and trace orders; updating outdated telephone language to apply to the Internet; and providing a more effective way for law enforcement to help system owners who are under computer attack.

Based on my experience working on these issues in the last Administration, I believe that while additional legislation is warranted, the current proposals need further work in the Congress before they are enacted. Ideally, the Congress should hold hearings and study the complex legislative language. If Congress decides that time is of the essence, then at a minimum any legislation rushed through now should have a two year sunset. That way, the proposals could be studied more carefully before they become a permanent part of our surveillance law.

Background on Pen/trap Orders

The term "pen register" comes from the old style for tracking all of the calls originating from a single telephone. At one point, the surveillance technology for wiretapped phones was based on the fact that rotary clicks would trigger movements of a pen on a piece of paper. Police could then read off the numbers dialed on the phone. Although technology has changed, we still call the list of phone numbers dialed a "pen register." The term "trap and trace" covers all of the calls to a particular phone. Surveillance technology "traps" a particular call as one that is going to the target phone. It then "traces" the call back to its point of origin.

There has been a longstanding consensus that this sort of to/from information about phone calls is less sensitive than the content of phone calls. In the 1960's, the U.S. Supreme Court held in Katz v. United States that there is a "reasonable expectation of privacy" in the content of a phone call made from a phone booth when the caller had closed the door. The Fourth Amendment thus required a warrant before the police could wiretap the call. Congress followed this case by passing a strict wiretap law for the contents of phone calls. Court orders under this statute are called "Title III" orders because the wiretap rules were in Title III of an omnibus crime control law passed in 1968.

The Supreme Court in 1979 made clear that to/from information was not as sensitive as the contents of a phone call. In Smith v. Maryland the Court held that there was no "reasonable expectation of privacy" in to/from information. The Justice Department often cites Smith as the legal basis for there being no constitutional protection for to/from information. Those who support greater protections against surveillance point out that Smith assumed that pen/trap information was very limited. For instance, the Court noted that law enforcement could not determine whether the phone call was completed, the identity of the callers, or the "purport" of any communication.

In 1984 Congress responded to Smith and to the early use of e-mail by passing the Electronic Communications Privacy Act (ECPA). ECPA created some procedural rules for pen/trap orders. As discussed below, these rules are much less strict than for wiretaps of the content of communications. ECPA also created somewhat complex rules for police access to e-mails. For interception of the content of e-mails, for instance, ECPA states that e-mail and phone call wiretaps must meet the strict Title III standards. E-mails are different from phone calls, however, in that they sit around on a service provider's computers. Police can get recent e-mails out of computer storage with a subpoena. They can get the contents of e-mails that are older than 180 days under the same low standards that apply to pen/trap orders.

Updating ECPA

ECPA has not aged gracefully. Much of its language reflects the telephone technology of the 1980s rather than the Internet realities of today. For instance, the term "pen register" is defined as "a device which records or decodes electronic or other impulses which identify the numbers dialed or otherwise transmitted on the telephone line to which such device is attached." Read literally, this definition might prevent police from learning pen/trap information about who has been sent a communication. "Device" sounds like a physical term, so that a software wiretap might not qualify. "Transmitted on a telephone line" may not fit wireless and other new ways of sending messages. And "identify the numbers dialed" sounds like it applies to phone numbers rather than the full panoply of ways people might communicate over the Internet.

These sorts of outdated terms in ECPA create a serious risk for law enforcement that a court will hold that ECPA does not authorize modern pen/trap orders. Although no court has yet read the statute so narrowly, some judges have orally questioned whether the statute applies to some Internet communications. Some new technical challenges, discussed below, have also made it harder in some cases for law enforcement to get investigatory information.

ECPA also seems outdated to others for a different reason: because it treats the content of e-mails less protectively than the content of phone calls. Unlike for phone calls, wiretaps of e-mail content do not need to be approved by a senior Department of Justice official, and they can be used for any crime rather than a limited list of serious crimes. Perhaps most importantly, Title III suppresses the use of illegally wiretapped phone calls in court, but does not apply to illegal e-mail taps.

The Clinton Administration created a process last year to address the ways that ECPA was outdated. I chaired a 15-agency White House working group to prepare a bill. Chief of Staff John Podesta announced the proposal in June of 2000, and it was introduced as S. 3083. The House Judiciary Committee considered some of the issues last fall, and almost unanimously approved a bill, H.R. 5018, that was stricter on privacy protections than the Administration proposal.

Nationwide Trap and Trace

In 1984, when ECPA was passed, the local telephone company could generally fulfill a trap and trace order - the call came from a readily-identified phone number in a unified phone network. By 2001, the network has become far more complicated. To trace the source of an e-mail, law enforcement first must serve a trap and trace order on the local Internet service provider. That provider then might tell police that the e-mail came from a backbone provider, who got it from another backbone provider, who got it from another service provider elsewhere, who might finally be able to identify the sender of the e-mail.

Under current law, law enforcement must get one court order from a judge at the first stage, and a separate court order from another judge at each stage later on. This is time-consuming, expensive, and can seem redundant because the first federal judge has already approved the order. The Clinton proposal last year and the Bush proposal this year both proposed to allow one trap and trace order to be effective nationwide, back to the source of the particular communication.

Although the nationwide trap and trace order largely can be seen as updating ECPA to take account of the current network, critics have voiced some concerns. For instance, prosecutors might shop around for a judge who will approve an order based on slender evidence. In addition, telecommunications companies today are used to cooperating with the local judges and police, and know how to check to ensure that a court order is valid. But how, in the middle of the night during an investigation, should a company in Ohio react to an order from a judge in Oregon if there are doubts about the order's validity? Perhaps there should be additional legislative work to clarify how the company can and should react in such cases.

Emergency Trap and Trace Orders

Today, there are very limited emergency circumstances where law enforcement can receive trap and trace information from a company even without a court order. (In general, it is a violation of ECPA for a company to turn over to/from information to the government unless there is a court order.) Today, the focus of the emergency power is where there is imminent risk to the safety of a person. The information is provided to law enforcement immediately, and a court order is supposed to be issued shortly afterwards.

In a bill that passed the Senate a few days after the September 11 attacks (the Justice Department appropriations bill), there was a major expansion of the emergency powers. An emergency request could now be made for any "immediate threat to the national security interests of the United States." These "national security interests" may be very broad, and the threat does not need to be "substantial" but only "immediate." Perhaps even more broadly, the emergency powers would be triggered by "an attack on the integrity or availability" of essentially any computer hooked up to the Internet.

There is an important logic to these two emergency situations. First, if there is truly "an immediate threat" to the national security, then who wants to stand in the way of getting that information to the appropriate authorities? Second, if an attack on a computer is underway, the only way to track the attack to its source may be while the attack is continuing. Once the attacker has logged off, there may be no way to learn afterwards where the communication originated. If we don't provide law enforcement with an emergency exception, then it may often be too late once the court order is issued.

That said, there are deep historical concerns to allowing law enforcement to conduct searches without having to go to a magistrate first. As a technical matter, the Justice Department points out that a trap and trace order is not a "search" because Smith v. Maryland said there was no reasonable expectation of privacy in to/from information. Nonetheless, expanding emergencies to include any threat to national security and any attack on a computer gives some people pause, especially when considered together with the other proposed changes.

What Is A Telephone Number On The Internet?

The next issue is how to draw the line between to/from information (less strict) and content (more strict) for the Internet. Current law says that a pen register means a "device which records or decodes electronic or other impulses which identify the numbers dialed or otherwise transmitted on the telephone line to which such device is attached." In Smith v. Maryland the Supreme Court emphasized the narrow amount of information in "the numbers dialed" when holding that there was no reasonable expectation of privacy.

Law enforcement faces some tough challenges in using the current language on the Internet. For instance, many people today use web-based e-mail, such as Hotmail or Yahoo! When a suspect sends e-mail, law enforcement might learn only that it went to www.hotmail.com but not learn the e-mail address of the person who received the message. To learn the actual address, law enforcement would have to dig deeper into the e-mail, into the part traditionally understood to be "content" requiring the strict Title III search warrant. More generally, law enforcement does not want the language in the statute to be technology-specific; as new technologies develop, it is important for law enforcement to still be able to track a communication to its destination or back to its source.

The preferred language of the Justice Department is thus that a pen register should mean "a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which" a communication is transmitted. This DRAS information (dialing, routing, addressing, and signaling) would presumably be broad enough to cover e-mail today and new technologies as they emerge.

This section of the law clearly needs to be updated so that it is no longer telephone-specific. The definition of DRAS information, however, seems to give law enforcement substantially more content on the Internet than it could have received in the telephone world. James Dempsey of the Center for Democracy and Technology has suggested that better language would be DRAS information "that identifies the destination" of a communication. "Identifying the destination" matches the historic use of to/from information in telephone numbers.

Dempsey further suggests that there should be statutory language or legislative history making it clear that pen registers do not authorize interception of search terms, URLs identifying certain documents, files or web pages, or other transactional information. Thus far, my understanding is that Justice Department officials have rejected the "identifying the destination" approach, suggesting that they indeed wish to get a broader range of information under the new statutory language.

There are constitutional as well as policy reasons to support the Dempsey approach. The entire use of pen/trap orders is based on the Smith v. Maryland finding that there is no reasonable expectation of privacy in to/from information. Under the Justice Department's proposed language, law enforcement would appear to get significantly more content about a person's web surfing, e-mail, and other activities. This broad language would be significantly more subject to constitutional challenge than the Dempsey alternative.

Computer Trespasser Exception

There is an important "computer trespasser" proposal in the Bush bill that has never been the subject of a Congressional hearing or significant public attention. My view is that some version of this proposal may be good public policy, but it needs more debate before being accepted as a permanent change in the law.

The problem arises today because of limits on how law enforcement can work with the owners of computer systems that are under attack. ECPA generally allows a system owner to monitor the system to prevent and respond to attacks. ECPA also allows a system owner to turn over to police evidence of criminal attacks that have already occurred. What ECPA does not allow, however, is for law enforcement to "look over the shoulder" or "surf behind" the owner of a computer system. The concern has been that law enforcement and system owners would agree to have law enforcement officials permanently stationed in communications companies, monitoring anything suspicious that occurred. One worry is that system owners might feel pressured to allow law enforcement officials on the premises, leading to virtually unlimited wiretapping.

The current rules can be very frustrating for system owners who want to ask the police for help with computer attacks. If an intruder is coming into the system every night, the owner might want the police to lie in wait for the attack and then use a trap and trace order to follow the intruder back to the source. The police, however, cannot take up residence and wait for a future attack. This problem has been especially acute for the Defense Department, which is subject to an enormous number of hacking attacks and cannot coordinate easily with law enforcement. It is also a problem for smaller enterprises, which often lack the technical expertise to defend their own systems against attack and wish to have police help.

Last year, this issue was discussed extensively within the Administration but a decision was made not to include the provision in the Administration's legislative proposal. The trick is how to help law enforcement appropriately without creating a recipe for permanent wiretapping. Language from last year's discussions has now surfaced in the Bush Administration's proposed bill.

The new proposal allows law enforcement to assist system owners in tracking a "computer trespasser," defined as "a person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through, or from the protected computer." Interceptions would now be allowed by law enforcement if: (1) the owner or operator of the system authorizes the interception; (2) there is a lawful investigation; (3) the official "has reasonable grounds to believe that the contents of the computer trespasser's communications will be relevant to the investigation"; and (4) "such interception does not acquire communications other than those transmitted to or from the computer trespasser."

This computer trespasser proposal has just begun to receive attention from experts outside of the government. It is a significant change to current law, because it creates conditions under which law enforcement officials can station themselves in communications companies to watch phone calls, e-mail, and web surfing as it occurs. Some non-government experts are beginning to point out how open-ended the computer trespasser exception may turn out to be in practice.

My view is that there is a real problem that needs to be addressed: how law enforcement can appropriately cooperate with companies to confront ongoing hacking attacks. But Congress should be reluctant to support the current language until there have been extensive hearings and debate about this change to the law.

Should New Privacy Protections Accompany the New Wiretap Powers?

Last year, the Clinton Administration took the position that wiretap laws should be updated both to provide law enforcement appropriate tools for the Internet and to enhance the protection of privacy for e-mail, in order to reflect the importance of the content of e-mail communications.

For pen/trap orders, one important change was that the Administration said that a federal judge should make an independent determination of whether the order should issue. Under current law, "the court shall enter an ex parte order authorizing the installation and use of a pen register or trap and trace device if the court finds that the attorney for the Government has certified to the court that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation." (emphasis added)

The Clinton proposal was that the judge should not be required to issue an order based on the certification by the Government's attorney. Instead, the order should issue only where the judge "finds, based on the facts contained in the application" that the standard has been met. In debate in Congress, many members agreed with this change but also wished to raise the legal standard for issuing the order. Instead of the information being "relevant to an ongoing criminal investigation," the House Judiciary Committee in H.R. 5018 approved a stricter standard: "specific and articulable facts reasonably indicate that a crime has been, is being, or will be committed, and information likely to be obtained by such installation and use is relevant to the investigation."

Last year, the Clinton Administration also proposed that the contents of e-mail should be given the same protection as the contents of phone calls. Signature by a senior Justice Department official should be required for a Title III order. E-mail wiretaps should apply only to listed serious crimes. Most importantly, if law enforcement officials break the rules when gathering e-mails, then they should not be able to use the illegally gathered information in later proceedings.

The current Administration proposals do not contain these provisions or any others that update ECPA on the privacy side.

Putting The Package Together

Now that we have examined the pen/trap proposals supported by the current Administration, and the privacy-enhancing proposals that were proposed last year, we can try to assess the overall effect of the current proposals. As indicated above, there are indeed good reasons to consider updating the statute in each of the areas targeted by the Administration's proposals.

My view, however, is that the cumulative effect of the proposals is substantial. Broad emergency provisions mean that trap and trace orders can be instituted very often without first going to a judge. The nationwide provision means that one judge, perhaps chosen by prosecutors to be especially favorable, can institute a general order without even knowing who will be subjected to it. The expanded definition of all "dialing, routing, addressing, and signaling information" means that law enforcement will quite possibly get web surfing and a good deal of other information that goes beyond identifying the destination of a communication. The creation of the computer trespasser exception would allow ongoing monitoring of private-sector systems by law enforcement.

The cumulative effect of these proposals is more worrisome because the legislation does not contain the counter-balancing provisions that were discussed last year. Judges do not gain the power to make an independent assessment of whether the facts support issuance of a pen/trap order. The standard for issuing a pen/trap order has not been increased. If law enforcement in the future does exceed lawful limits, there is essentially no remedy. The suppression remedy that has long applied to illegal telephone wiretaps would not apply to illegal e-mail wiretaps.

The proposed pen/trap changes thus contemplate broad emergency powers, instituted nationwide, for a wider range of information, and with the possibility of ongoing on-site monitoring. My view is that a package of this sort should be made a permanent part of our law only after careful consideration and informed debate.

The Administration has asked for immediate action on its proposals. If the Congress decides to act immediately, then I think it is important to have a sunset provision, such as the two-year sunset being considered in the House. In this way, we can learn from our experience in the intervening two years. We may find after further experience and study that some of the provisions are too loose, or too strict, or otherwise not properly defined.

If proponents are not willing to accept a sunset, then I believe that good policy demands careful study of the pen/trap provisions. The computer trespasser exception, for instance, is a brand new proposal that has never been the subject of a Congressional hearing. New technology and new terrorist threats may indeed counsel for us to change our surveillance and wiretap laws. But permanent and significant changes in those laws should occur only after we better understand what we are doing.

Peter P. Swire is Professor of Law at the Ohio State University and currently a Visiting Professor at George Washington University. From 1999 to early 2001 he served as Chief Counselor for Privacy in the Office of Management and Budget. With Robert E. Litan, he is author of None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive, published by Brookings in 1998.
©2001 The Brookings Institution

Note: The views expressed in this piece are those of the author and should not be attributed to the staff, officers or trustees of the Brookings Institution.