                             TESTIMONY OF
 
                             JERRY BERMAN
                          EXECUTIVE DIRECTOR
                    ELECTRONIC FRONTIER FOUNDATION
 
           ACCOMPANIED BY RONALD L. PLESSER PIPER & MARBURY
 
                           ON BEHALF OF THE
 
                    ELECTRONIC FRONTIER FOUNDATION
          AND THE DIGITAL PRIVACY AND SECURITY WORKING GROUP
 
                              CONCERNING
 
           THE DIGITAL TELEPHONY AND COMMUNICATIONS PRIVACY
                       IMPROVEMENT ACT OF 1994
 
                              BEFORE THE
 
       SENATE JUDICIARY SUBCOMMITTEE ON TECHNOLOGY AND LAW AND
 
       HOUSE JUDICIARY SUBCOMMITTEE ON CIVIL AND CONSTITUTIONAL
                                RIGHTS
 
                            MARCH 18, 1994
 
 
Chairman Leahy. Chairman Edwards, and Members of the Subcommittees:
 
	We appreciate the opportunity to testify today on the Clinton
Administration's draft legislation "the Digital Telephony and
Communications Privacy Improvement Act of 1994." I am the executive
director of the Electronic Frontier Foundation (EFF), a public
interest organization dedicated to achieving the democratic potential
of new communications and computer technology. With me today is Ronald
Plesser. a partner at Piper and Marbury and counsel to EFF on digital
telephony issues.
 
I. The Digital Privacy and Security Working Group
 
	We appear today on behalf of EFF and on behalf of the Digital
Privacy and Security Working Group (DPSWG), a coalition of more than
50 computer, communications, and public interest organizations and
associations working on communications privacy issues since 1991 under
the coordination of the Electronic Frontier Foundation.
 
	Senator Leahy, we must give credit where credit is due. The
DPSWG has evolved as a direct result of your privacy policy
initiatives. In 1986, many of the organizations and individuals in the
working group joined together to support your successful effort to
enact the Electronic Communications Privacy Act of 1986 (ECPA).
landmark legislation establishing early on that public policies must
and can be devised to ensure that the emerging information
superhighway operate in a manner consistent with privacy, free speech,
and other core democratic values. In 1991, many of the organizations
in the DPSWG participated in the "Ad Hoc Leahy Task Force" which you
tasked to look at how ECPA was faring and to make recommendations to
you for improving communications privacy protections.
 
II. Background on Digital Telephony
 
	The Digital Privacy and Security Working Group has had to spend
most of its time responding to govemment initiatives that would change
and modify the principles that underlie ECPA. The Clinton
Administration's Digital Telephony and Communications Privacy
Improvement Act of 1994 is only the latest in a series of government
initiatives put forward over the past few years to seek to resolve law
enforcement's perceived problems in conducting wiretapping in the era
of digital communications.
 
	In each and every case. the members of the DPSWG from AT&T to
the United States Telephone Association, from the ACLU to EFF, have
uniformly sought to identify the specific technical concerns of the
FBI and law enforcement. This has not been easy and, frankly, we
continue to believe that the FBI has not made its case. On a policy
level, there is little disagreement that the FBI and law enforcement
should continue to be able to conduct wiretaps in a digital
environment. On a technical level. their concerns are global and their
resolutions are general. The resolution of this issue should be
through carefully crafted solutions so as not to upset the balance
between law enforcement interest and continued confidence in the
public switched network. The proposals that we have seen are over-
broad and would create more problems than they would resolve. In
short, the FBI has not made a technical case that supports the
sweeping changes that it seeks.
	
*	In 1991 the Bush Administration proposed a "Sense of
the Congress Resolution" that would have interpreted current
wiretapping statutes to require communications carriers, network
operators, and service providers to turn over the "plain text" of all
communications for law enforcement purposes. The DPSWG argued that the
proposal was unworkable and vague, and its efforts led congressional
leaders to remove the provision from pending omnibus crime
legislation.
	
*	In 1992 the Bush Administration circulated Digital
Telephony No. 1, draft legislation that would have required all
providers of electronic communications services to obtain an FCC or
Attorney General Certification that their networks or facilities meet
evolving FBI electronic surveillance requirements. In September 1992,
the DPSWG published an "Analysis of the FBI's Digital Telephony
Proposal," signed by 35 computer, communications, and civil liberties
organizations and associations highly critical of the digital
telephony draft legislation on privacy, security, and economic cost
grounds. This analysis, a copy of which we submit for the record,
convinced Congress to reject the Bush Administration's proposal.
	
*	Last year. the DPSWG. based on optimism about the Clinton
Administration's information highway program. began work on a "white
paper" designed to set forth new policies to enhance privacy and
security in the context of the emerging National Information
infrastructure. When the Clinton Administration announced its "clipper
chip" encryption escrow plans and intention to conduct a high level
review of privacy, encryption, and related policies in April 1993, the
DPSWG turned its attention to addressing the Administration's
concerns. On November 24, 1993. we submitted a draft report to the
Administration that presented a detailed case against the need for
legislation like digital telephony to resolve law enforcement
surveillance problems. The FBI stated that it had concerns with the
report, but has refused to state the basis for any of its concerns. We
submit a copy of our November report for the record.
 
III. The Digital Telephony and Communications Privacy Improvements Act
of 1994
 
	Despite our concerted efforts, the Clinton Administration has
now proposed its own bill, the Digital Telephony and Communications
Privacy Improvement Act of 1994. Responding to the February draft bill
on March 9, 1994, 20 members of the DPSWG, including AT&T, MCI. USTA,
Business Software Alliance, Software Publishers Association, Apple
Computer. the American Civil Liberties Union, and the Electronic
Frontier Foundation sent a letter to the President and Vice President
stating strong opposition to the new version of digital telephony. On
March 11, the DPSWG sent its initial analysis of the legislation
to FBI Director Louis Freeh, which reiterated that the legislation is
unnecessary and, as drafted, could undermine communications privacy
and citizen confidence in the public switched telephone network.
 
	The Clinton Administration's proposed digital telephony legislation
would:

*	require carriers to provide real-time remote access not only
to the contents of communications data sought pursuant to a judicial
warrant but also to call setup and other transactional data sought in
any lawful investigation;

*	require suppliers of hardware and software to telecommunications
providers to meet law enforcement requirements on a priority basis at
reasonable cost; and 

*	empower the Attorney General to seek to enjoin a
carrier from operating who was not in compliance with law enforcement
requirements and to impose significant fines on carriers and suppliers
who fail to meet law enforcement demands.
 
1. The legislation threatens privacy rights.

	As we interpret the draft legislation, it would require a
service provider to hand off not only the contents of communications
but deliver to remote locations "call setup information" whether or
not incident to a warrant issued for wire. oral, or electronic
communications as set forth in 18 U.S.C. Section 2518. Extending the
legislation's scope beyond the acquisition of content (pursuant to a
warrant under Section 2518) to the independent acquisition of call setup
information raises many issues that require examination.
 
	For example, currently the legal standard for obtaining
transactional data is a certification (via subpoena or statement to a
judge) that the sought-after data is relevant to an ongoing criminal
investigation. In the era of personal communications services (PCS)
and the information highway, transactional data will reveal far more
about individuals than it has in the past. In fact, in some cases it
may be equivalent to content information. This transactional data
certainly could make it possible to build a detailed model of an
individual's behavior and movements. The net result could be
government dictating to industry. that it create a surveillance-based
system that would allow federal, state, and local governments to use a
service provider's electronic communication facilities to conduct
minute-by-minute surveillance of individuals.
 
	As long as they have an IRS or other administrative subpoena
or a law enforcement agent willing to certify that the sought-after
data is relevant to an ongoing criminal investigation, law enforcement
officials could demand that they be notified at some remote location
every time certain individuals communicate by telephone, and their
location at the time, as well as every database they connect to and
when they log on and off. In short, law enforcement officials could
insist on instantaneously knowing the existence of every single
electronic communication (but not its content).
 
	The enormous potential for abuse and threat to personal
privacy suggests that. if transactional data were to be covered bv
digital telephony legislation. it should be incidental to a "Title
III" wiretap warrant. This would not limit in any wav law
enforcement's access to trap and trace. pen register. or call billing
information under current law or practice. This is particularly true
given that no case has been made that demonstrates any current or
potential difficulty in getting this non-content information under
current practices. The technology in fact has made these types of
services much easier for law enforcement to use and access. Additional
legislation is simply not necessary to obtain this data.
 
2. We do not know what is covered.
 
	The obligation to isolate the content of communications must be
reasonably related to the service provider's telecommunications
services. It would be unreasonable for the FBI to demand any person
involved with the communication to furnish it with access to that
communication. For example, most providers, including local telephone
companies. usually need to isolate communications for purposes of
billing and maintenance. It is appropriate for the FBI to seek their
assistance in intercepting communications on their networks only when
the requests are reasonably related to the telecommunications services
they provide.
 
	Therefore, the question is not necessarily who is covered, but
what telecommunications services are covered. For example, the
legislation should reflect the fact that. in reselling services, even
local telephone companies sometimes are unable in those instances to
furnish call setup information regardless of whether it is incidental
to the acquisition of a communication's content.

	3. It is not clear what requirements would be placed upon
service providers and what standard of compliance would be applied.
 
	Legislation should carefully define the obligations of service
providers. This is not the case with the FBI's current draft of
proposed legislation. These obligations are vague and subject to
considerable interpretation. Service providers and manufactures must
have flexibility to adopt procedures that reasonably comply with the
specific functional performance requirements of law enforcement.
 
	This is particularly true where, as here, compliance requires
an assessment of future needs and interoperability requirements. There
is a difference between compliance and a guarantee, and legislation
must reflect that difference. Carriers should be required to provide
reasonable cooperation and that cooperation should be measured bv a
standard of reasonable compliance.
 
	In installing new software or equipment under this statute, a
service provider must be able to reasonably assess future demands by
law enforcement. Other industries subject to regulation at least know,
for example, the temperature at which they must maintain the
specimens, the emission standard they must satisfy, or the type of
safety restraint equipment they must install and the date by which
they must have it installed in vehicles. Service providers cannot be
held to an absolute standard of compliance where they are using and
delivering new technologies to the public and the demands of law
enforcement are not clearly specified. This applies to both capability
and capacity. Law enforcement must be specific in its requirements for
capacity and capability from each service provider.

	4. Issues arise as to what is expected of commercial mobile 
service providers.
 
	It is not a foregone conclusion that mobility in a digitized
telecommunications environment will degrade or otherwise impede the
law enforcement community's ability to effectively execute court-
approved wiretap orders.
 
	Wireless carriers are committed to assisting law enforcement
agencies to successfully wiretap and intercept voice
communications. To accomplish this goal, the wireless industry
understands that available excess port capacity is needed in all
switches throughout the nation. While it may be reasonable for federal
and state law enforcement agencies to acquire the contents of wireless
communications pursuant to "Title III" warrants through additional
port capacity, it would be prohibitively expensive to require that
every one of the nation's switches be connected to the FBI to enable
it to acquire such information on a "real time" basis at remote
locations.
 
	Connecting every one of the nation's switches to the FBI.
moreover, would increase exponentially the risk of unauthorized access
to wireless communications. Further, the proliferation of fraudulent
use of wireless telephones through such techniques as "cloning" and
"tumbling" ESNs (electronic serial numbers) poses additional questions
with respect to privacy and the ability of law enforcement to properly
execute courtapproved wiretap orders.
 
	5. It is uncertain what the responsibilities of manufacturers
and suppliers are under the legislation.
 
	The FBI wishes manufacturers of telecommunications equipment
and providers of support services to fall within the scope of the
legislation. But, would service providers be held liable for software
or hardware that is not available from vendors? Why? How would the
obligations be enforced against foreign manufacturers? What would be
the liability of a domestic carrier that relies upon foreign
manufacturers? What are the trade implications of having domestic
manufacturers export equipment designed for governmental surveillance?
 
	6. Serious issues are raised as to how, and during what period,
costs are to be recovered to ensure that there is a direct
relationship between the costs reasonably incurred by covered entities
and the government's requirements.
 
	Government should pay for what it needs, which will help focus
attention upon the facilities that truly need upgrading. If the
government does not pay for upgrades or facilities, then the service
providers should not be held responsible. The FBI appears to have
accepted the concept that govemment should pay for the costs of
compliance but has so far underestimated these costs and proposed an
arbitrary three-year limit on cost reimbursement. Government
compensation should be ongoing with industry's compliance.
 
IV. Is this Legislation Neeessary?
 
	The most fundamental question that needs to be resolved is
whether this legislation is necessary. In our view neither the Bush
nor Clinton Administrations have made a persuasive case. They argue
that electronic surveillance is essential to law enforcement. but they
have not demonstrated that their access to communications subject to
judicial warrants have been impaired. They have pointed to problems
encountered with call forwarding and cellular communications, but
carriers have been able to meet new requirements through cooperative
efforts. In the report prepared for the Clinton Administration and
sent to the FBI last November, the DPSWG presented the following case:
 
*	First, there is no evidence that current law enforcement
efforts are being jeopardized by new technologies. As described in our
attached report, a Freedom of Information Act request made by Computer
Professionals for Social Responsibility turned up evidence that not
one law enforcement agency could demonstrate that digital telephony
has interfered with any electronic surveillance activities.
 
*	Second, industry is cooperating with appropriate authorities
to avoid future problems and to expand existing capacities.

*	Finally, given this lack of ascertainable concern now or in
the future, it is not justifiable to require all providers, including
telephone companies, packet switching networks, computer and software
manufacturers, and the like, to be subject to new design standards and
requirements. This is particularly the case where such requirements
may in some cases severely limit the development of the new national
infrastructure and once again lessen the American public's confidence
in our communications networks.
 
	ECPA was enacted to reaffirm the confidence of all Americans
that their communications whether aural or digital, common or private,
voice, date, or video are secure from unauthorized interceptions. The
govemment has the current authority and ability to adequately
intercept electronic communications when authorized to do so.
Sufficient reasons to amend this statute now to allow the government
to dictate the design of communications technology just do not exist.
 
V. Conclusion
 
	We applaud the fact that Congress is holding these hearings.
Only Congress can resolve whether or not legislation is necessary and
work to bridge the considerable division between the Administration
and the private sector. We welcome the opportunity to state our views,
and are ready and anxious to work with you and the Administration to
find solutions to law enforcement needs that strike a balance between
those needs. privacy. and other significant societal interests.
