1994-08-12 - EFF on why they did it.

Header Data

From: Brian D Williams <talon57@well.sf.ca.us>
To: cypherpunks@toad.com
Message Hash: 2b79547a0219a7824f03cd713ce0e8e88f595b3a019d8c01c8f588dc50cdc577
Message ID: <199408121437.HAA14189@well.sf.ca.us>
Reply To: N/A
UTC Datetime: 1994-08-12 14:37:49 UTC
Raw Date: Fri, 12 Aug 94 07:37:49 PDT

Raw message

From: Brian D Williams <talon57@well.sf.ca.us>
Date: Fri, 12 Aug 94 07:37:49 PDT
To: cypherpunks@toad.com
Subject: EFF on why they did it.
Message-ID: <199408121437.HAA14189@well.sf.ca.us>
MIME-Version: 1.0
Content-Type: text/plain



Leahy and Edwards introduce a narrow Digital Telephony bill
with major new privacy protections
============================================================

Today Senator Patrick Leahy (D-VT) and Representative Don Edwards
(D-CA) introduced their version of Digital Telephony legislation. 
Since 1992, the Electronic Frontier Foundation has been successful
at stopping a series of FBI Digital Telephony proposals, which
would have forced communications companies to install wiretap
capability into every communications medium.  However, earlier this
year, Senator Leahy and Rep. Edwards, who have helped to quash
previous FBI proposals, concluded that the passage of such a bill
was inevitable this year.  To head off passage of the FBI's bill,
Leahy and Edwards stepped in to draft a narrow bill, and asked for
EFF's help in the process.  EFF remains deeply troubled by the
prospect of the federal government forcing communications networks
to be made "wiretap ready," but we believe that the legislation
introduced today is substantially less intrusive that the original
FBI proposals.

Jerry Berman, EFF Policy Director said: "We have opposed digital
telephony proposals for the past three years and still do not
believe that such legislation is necessary."

"Thanks to the work of Senator Leahy and Rep. Edwards and Senator
Biden, however, the bill contains a number of significant privacy
advances, including enhanced protection for the detailed
transactional information records generated by online information
services, email systems, and the Internet," Berman said.

Many online communication and information systems create detailed
records of users' communication activities as well as lists of the
information that they have accessed.  The new legal protection is
critical in that it recognizes that this transactional information
created by new digital communications systems is extremely
sensitive and deserves a high degree of protection from casual law
enforcement access which is currently possible without any
independent judicial supervision.  Under current law,
the government can gain access to transactional records with a mere
subpoena, which can be obtained without the intervention of a
court.  Under the new privacy protections in this bill, law
enforcement would have to convince a court to issue an order based
on a finding that there are "specific and articulable facts" which
prove that the information sought would be relevant to an ongoing
criminal investigation.  

"The fact that law enforcement has to take a case to court in order
to get permission to access records is a major new privacy
protection which will benefit all users of online communication
systems," said Daniel Weitzner,
EFF Deputy Policy Director.

Another important privacy protection is that there is a cap on the
amount of money that can be spent on surveillance technology in the
first four years.  The Attorney General is authorized to spend up
to $500 million on reimbursement telecommunications carriers who
retrofit their systems so as to come into compliance with the bill. 
So that this cap truly functions as a privacy protection, we
believe that carriers should only be responsible for complying with
the bill if the Attorney General actually pays for modifications. 
Government should get what it pays for, and no more.

"Although we do not support the concept of digital telephony
legislation, we believe that if Congress is to pass any version of
the bill this year, it should be along the lines of the
Leahy/Edwards version," said Berman.

"The version crafted by Senator Leahy and Rep. Edwards," Berman
explained, "is substantially better from a privacy, technology
policy, and civil liberties standpoint than the draconian measures
offered in the past by the Bush Administration."

"As the bill works through the legislative process," Berman
continued, "EFF will work to ensure that privacy and public process
provisions are strengthened, and that the scope remains narrow --
continuing to exclude the Internet, electronic bulletin board
systems, and online communications services such as America Online,
Prodigy and Compuserve.  Also, we note that the radio communication
provisions have not yet been subject to public discussion, and hope
that this will occur before the bill is considered by the full
House and Senate." 


FOR MORE INFORMATION CONTACT:

Jerry Berman       Policy Director           <jberman@eff.org>
Daniel Weitzner    Deputy Policy Director    <djw@eff.org>
+1 202 347 5400


     *     *     *     *     *     *     *     *


EFF Analysis of and comments on major provisions of the bill
============================================================

A.    Key new privacy protections

1.    Expanded protection for transactional records sought by law
      enforcement

Senator Leahy and Rep. Edwards have agreed that law enforcement
access to transactional records in online communication systems
(everything from the Internet to AOL to hobbyist BBSs) threatens
privacy rights because the records are personally identifiable,
because they reveal the content of people's communications, and
because the compilation of such records makes it easy for law
enforcement to create a detailed picture of people's lives
online. Based on this recognition, the draft bill contains the
following provisions:

i.    Court order required for access to transactional records
      instead of mere subpoena

In order to gain access to transactional records, such as a list of
to whom a subject sent email, which online discussion group one
subscribes to, or which movies you request on a pay-per view
channel, law enforcement will have to prove to a court, by the
showing of "specific and articulable facts" that the records
requested are relevant to an ongoing criminal investigation. This
means that the government may not request volumes of transactional
records merely to see what it can find through traffic analysis.
Rather, law enforcement will have to prove to a court that it has
reason to believe that it will find some specific information that
is relevant to an ongoing criminal investigation in the records
that it requests. 

With these provisions, we have achieved for all online systems, a
significantly greater level of protection than currently exists for
telephone toll records. The lists of telephone calls that are kept
by local and long distance phone companies are available to law
enforcement without any judicial intervention at all.  Law
enforcement gains access to hundreds of thousands of such telephone
records each year, without a warrant and without even notice to the
citizens involved.  Court order protection will make it much more
difficult for law enforcement to go on "fishing expeditions"
through online transactional records, hoping to find evidence
of a crime by accident.

ii.   Standard of proof much greater than for telephone toll
records, but below that for content

The most important change that these new provisions offer, is that
law enforcement will (a) have to convince a judge that there is
reason to look at a particular set of records, and (b) have to
expend the time and energy necessary to have a US Attorney or DA
actually present a case before a court. However, the burden or
proof to be met by the government in such a proceeding is lower
than required for access to the content of a communication. 

2.    New protection for location-specific information available
      in cellular, PCS and other advanced networks

Much of the electronic surveillance conducted by law enforcement
today involves gathering telephone dialing information through a
device known as a pen register. Authority to attach pen registers
is obtained merely by asserting that the information would be
relevant to a criminal investigation. Courts have no authority to
deny pen register requests. This legislation offers significant new
limits on the use of pen register data.

Under this bill, when law enforcement seeks pen register
information from a carrier, the carrier is forbidden to deliver to
law enforcement any information which would disclose the location
or movement of the calling or called party. Cellular phone
networks, PCS systems, and so-called "follow-me" services all store
location information in their networks. This new limitation is a
major safeguard which will prevent law enforcement from casually
using mobile and intelligent communications services as nation-wide
tracking systems.

i.    New limitations on "pen register" authority

Law enforcement must use "technology reasonably available" to limit
pen registers to the collection of calling number information only.
Currently, law enforcement is able to capture not only the
telephone number dialed, but also any other touch-tone digits
dialed which reflect the user's interaction with an automated
information service on the other end of the line, such as an
automatic banking system or a voice-mail password. 

3.    Bill does not preclude use of encryption

Unlike previous Digital Telephony proposals, this bill places no
obligation on telecommunication carriers to decipher encrypted
messages, unless the carrier actually holds the key.

4.    Automated remote monitoring precluded

Law enforcement is specifically precluded from having automated,
remote surveillance capability.  Any electronic surveillance must
be initiated by an employee of the telecommunications carrier.

5.    Privacy considerations essential to development of new
technology

One of the requirements that telecommunications carriers must meet
to be in compliance with the Act, is that the wiretap access
methods adopted must protect the privacy and security of each
user's communication.  If this requirement is not met, anyone may
petition the FCC to have the  wiretap access service be modified so
that network security is maintained. So, the technology used to
conduct wiretaps cannot also jeopardize the security of the network
as a whole.  If network-wide security problems arise because of
wiretapping standards, then the standards can be overturned.

B.    Draconian provisions softened

In addition, the surveillance requirements imposed by the bill are
not as far-reaching as the original FBI version.  A number of
procedural safeguards are added which seek to minimize the
threatens to privacy, security, and innovation.  Though the
underlying premise of the Act is still cause for concern, these new
limitations deserve attention:

1.    Narrow Scope

The bill explicitly excludes Internet providers, email systems,
BBSs, and other online services.  Unlike the bills previously
proposed by the FBI, this bill is limited to local and long
distance telephone companies, cellular and PCS providers, and other
common carriers.  

2.    Open process with public right of intervention

The public will have access to information about the implementation
of the Act, including open access to all standards adopted in
compliance with the Act, the details of how much wiretap capacity
the government demands, and a detailed accounting of all federal
money paid to carriers for modifications to their networks. 
Privacy groups, industry interests, and anyone else has a statutory
right under this bill to challenge implementation steps taken by
law enforcement if they threaten privacy or impede technology
advancement.

3.    Technical requirements standards developed by industry
instead of the Attorney General

All surveillance requirements are to be implemented according to
standards developed by industry groups.  The government is
specifically precluded from forcing any particular technical
standard, and all requirements are qualified by notions of economic
and technical reasonableness.

4.    Right to deploy untappable services

Unlike the original FBI proposal, this bill recognizes that there
may be services which are untappable, even with Herculean effort to
accommodate surveillance needs.  In provisions that still require
some strengthening, the bill allows untappable services to be
deployed if redesign is not economically or technically feasible.


C.    Provisions that must be changed

EFF plans to work on the following issues in the bill as the
legislative process continues:

1.    Strengthened public process

In the first four years of the bill's implementation, most of the
requests that law enforcement makes to carriers are required to be
recorded in the public record.  However, additional demands for
compliance after that time are only required to be made by written
notice to the carrier. All compliance requirements, whether initial
requests or subsequent modification, must be recorded in the
Federal Register after public hearings, to allow for public
scrutiny.

2.    Linkage of cost to compliance requirements -- the FBI gets
what it pays for and no more


The bill authorizes, but does not appropriate, $500 million to be
spent by the government in reimbursing telecommunications carriers
for bringing their networks into compliance with the bill.  The FBI
maintains that this is enough money to cover all reasonable
expenses.  The industry, however, has consistently maintained that
the costs are five to ten times higher. Given the FBI's confidence
in their cost estimate, we believe that telecommunications carriers
should only be required to comply to the extent that they have been
reimbursed.  This spending cap is both a safeguard against
requiring unnecessary surveillance technology, and a way to
guarantee that carriers' expenses for electronic surveillance are
truly paid for by the government, not by the customers.

3.    Ensure right to deploy untappable services

The enforcement provisions of the bill suggest, but do not state
explicitly, that services which are untappable may be deployed. 
The bill should be state directly that if it is technically and
economically unreasonable to make a service tappable, then it may
be deployed, without interference by a court.

4.    Clarify definition of call identifying information

The definition of call identifying information in the bill is too
broad. Whether intentionally or not, the term now covers network
signaling information of networks which are beyond the scope of the
bill.  To maintain the narrow scope of the bill, this definition
should be clarified.

5.    Review of minimization requirements in view of commingled
      communications

The bill implicitly contemplates that law enforcement, in some
cases, will intercept large bundles of communications, some of
which are from subscribers who are not subject of wiretap orders. 
For example, when tapping a single individual whose calls are
handled by a PBX, law enforcement may sweep in calls of other
individuals as well.  Currently the Supreme Court requires
"minimization" procedures in all wiretaps, to minimize the
intrusion on the privacy of conversations not covered by a
court's wiretap order.  We believe that the bill should reinforce
the current minimization requirements by recognizing that stronger
minimization procedures may be required.

                                   
                                    * * *


Locating Relevant Documents
===========================

** Original 1992 Bush-era draft **

ftp.eff.org, /pub/EFF/Policy/FBI/Old/digtel92_old_bill.draft
gopher.eff.org, 1/EFF/Policy/FBI/Old, digtel92_old_bill.draft
http://www.eff.org/pub/EFF/Policy/FBI/Old/digtel92_old_bill.draft
bbs: +1 202 638 6120 (8N1, 300-14400bps), file area: Privacy -
Digital
     Telephony; file: digtel92.old


** 1993/1994 Clinton-era draft **

ftp.eff.org, /pub/EFF/Policy/FBI/digtel94_bill.draft
gopher.eff.org, 1/EFF/Policy/FBI, digtel94_bill.draft
http://www.eff.org/pub/EFF/Policy/FBI/digtel94_bill.draft
bbs: +1 202 638 6120 (8N1, 300-14400bps), file area: Privacy -
Digital
     Telephony; file: digtel94.dft


** 1994 final draft, as sponsored **

ftp.eff.org, /pub/EFF/Policy/FBI/digtel94.bill
gopher.eff.org, 1/EFF/Policy/FBI, digtel94.bill
http://www.eff.org/pub/EFF/Policy/FBI/digtel94.bill
bbs: +1 202 638 6120 (8N1, 300-14400bps), file area: Privacy -
Digital
     Telephony; file: digtel94.bil


** EFF Analysis of sponsored version **

ftp.eff.org, /pub/EFF/Policy/FBI/digtel94_analysis.eff
gopher.eff.org, 1/EFF/Policy/FBI, digtel94_analysis.eff
http://www.eff.org/pub/EFF/Policy/FBI/digtel94_analysis.eff
bbs: +1 202 638 6120 (8N1, 300-14400bps), file area: Privacy -
Digital
     Telephony; file: digtel94.ana


Personnally this makes me want to puke......

No Compromise!!!!





Thread