STATEMENT
OF
GREGORY T. NOJEIM
LEGISLATIVE COUNSEL
AMERICAN CIVIL LIBERTIES UNION
WASHINGTON NATIONAL OFFICE
ON
THE FOURTH AMENDMENT AND
THE INTERNET
BEFORE THE
HOUSE JUDICIARY COMMITTEE
SUBCOMMITTEE ON THE CONSTITUTION
April 6, 2000
Chairman Canady, Ranking Member Watt and members of the Subcommittee:
I am pleased to testify before you today on behalf of the American Civil Liberties Union about the Fourth Amendment to the U.S. Constitution and the Internet. The ACLU is a nation-wide, non-profit, non-partisan organization consisting of over 275,000 members dedicated to preserving the principles of freedom set forth in the Bill of Rights. Neither ACLU nor myself has received any funding from the federal government in the past two years.
As the 21st century begins, Americans have expressed overwhelming concern about their privacy. A Wall Street Journal poll conducted at the end of last year indicated that Americans were more concerned in the new millennium about loss of personal privacy than things like terrorism, crime or even the economy.
Today I will discuss the Fourth Amendment as it applies to certain Internet communications. I will explain that when it comes to protecting the privacy of communications on the Internet, the buck stops here, with Congress, and not in the courts through Fourth Amendment jurisprudence. I will also discuss pending proposals to expand electronic surveillance authority and encourage an examination of current law to ensure that as technology advances, a level of privacy in communications is maintained.
Threats To Civil Liberties Posed By Electronic Surveillance
Electronic surveillance of communications is conducted secretly and unlike most searches in the physical world, there is no simultaneous notice that a search is being conducted. Because electronic surveillance vacuums up both innocent and incriminating conversations, we believe it resembles the kind of general search warrant that the Fourth Amendment was adopted to preclude. Everyone would agree that law enforcement ought not search all of the houses on a street because it has probable cause that crime might be conducted in one of the houses on the street. This principle has not been carried forth into the world of electronic surveillance. In the search for incriminating evidence, electronic surveillance causes a great deal of collateral damage because so many innocent communications are also intercepted.
Electronic surveillance is increasingly a scattershot investigative tool. For the first five year period for which statistics are available (1969-1973), more than half of the communications intercepted in law enforcement electronic surveillance were incriminating. However, over the most recent five-year period (1994-1998) only one-fifth of the communications intercepted in law enforcement electronic surveillance were incriminating conversations. Each time a federal or state electronic surveillance intercept is installed, on average, 1608 innocent conversations are intercepted. In 1998, the most recent year for which statistics are available in the Wiretap Report published annually by the Administrative Office of the U.S. Courts, a record number of electronic intercept applications were installed by federal and state law enforcement officials. At the same time, less than 19% of the millions of communications intercepted in 1998 were incriminating, and 1.9 million innocent communications were intercepted.
This is a tremendous loss of personal privacy. It is one of the reasons Americans overwhelmingly oppose wiretapping. Each year the Department of Justice asks Americans whether all things considered, they oppose or support wiretapping. Nearly ¾th's of the respondents consistently indicate opposition. Because it is conducted secretly, electronic surveillance undermines trust in the government and trust between individuals. For some, it inhibits communication by putting them in fear that their words might be recorded and one day be used against them.
Surveillance of communications on the Internet poses many of the same problems and raises many of the same concerns as has wiretapping over the years. Indeed, a lack of privacy in Internet communications is already cited by many as a reason why they do not engage in e-commerce, or do not communicate sensitive information over the Internet.
The Fourth Amendment and Electronic Surveillance
The Fourth Amendment provides:
- The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Our freedom against unreasonable searches depends on crafting Fourth Amendment principles that make sense in the digital age. It used to be the case that most of the information people wanted to be kept private was stored in their home. To the extent that third parties obtained a person's most private information, it was difficult to store and difficult to collate. Now, with the advent of the Internet, the World Wide Web and instantaneous electronic communication, an invasion of privacy is only a point and a click away.
Olmstead v. United States, 277 U.S. 438 (1928) is often cited as the Court's first foray into cyberspace. The Court held that a warrant is not required for a wiretap of a home or an office telephone because law enforcement officers had not physically entered the home or office, or any other place deemed constitutionally protected. The Court reasoned that since the language of the Fourth Amendment refers only to tangible things, such as houses, papers, effects and people, its reach extended only to physical intrusions.
The Court reversed itself in Katz v. United States, 389 U.S. 347 (1967). It declared, "the Fourth Amendment protects people, not places." It held that what a person seeks to preserve as private might be constitutionally protected even if it is in an area accessible to the public. In Katz, the Court held that a telephone conversation could not be intercepted without a warrant.
Congress and Electronic Surveillance
In response to the Court's decision in Katz, Congress enacted Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (18 U.S.C. 2510-20). It established procedures for court-ordered wiretapping and bugging.
Because Congress recognized that electronic surveillance was so invasive of privacy, it included a number of safeguards:
- It was permitted only for specified, mostly serious crimes.
- Electronic surveillance was only authorized with a court order issued upon a showing of probable cause of crime.
- It would be used only as a last resort, when other investigative techniques had already failed or were likely to fail.
- Procedures would be adopted to minimize eavesdropping on innocent conversations.
- A person whose conversations had been intercepted would be given notice when deemed necessary in the "interests of justice."
- Only a high-ranking DOJ official can approve a wiretap application.
- Prior to trial, a defendant would be given a chance to challenge the legality of the interception of his conversations.
- Illegal electronic surveillance triggers a fine or imprisonment for up to five years.
The Fourth Amendment and Data Stored By Third Parties
This statutory scheme grew outdated quickly, in part because technology advanced, and in part because the Supreme Court rendered key decisions calling into question the application of the Fourth Amendment to sensitive personal information held by third parties. Notwithstanding the Court's willingness to protect the contents of communications in general under the Fourth Amendment, it has been less protective of content stored with third parties, and of other information relating to the communication that it does not regard as content.
In Smith v. Maryland, 442 U.S. 735 (1979) the Supreme Court ruled that the Fourth Amendment does not protect the privacy of numbers dialed on a telephone. It held that a person has no reasonable expectation of privacy in the numbers dialed from a telephone in part because telephone companies routinely record the numbers dialed for business purposes. The Court reasoned that the person making the call likely did not expect privacy because he was volunteering to the phone company information about the numbers he was dialing. The Court also distinguished the contents of the communication, which is protected by the Fourth Amendment, from the numbers the person dialed in order to make the phone call. Consequently, the reach of the Fourth Amendment in this area is likely to be determined by whether the Court views a particular electronic surveillance interception as one that involves content or something else, and whether the person making the communication had a reasonable expectation of privacy in the communication.
Likewise, in U.S. v. Miller, 425 U.S. 435 (1976), the Court had held that individuals do not have a "reasonable expectation of privacy" cognizable under the Fourth Amendment in financial records pertaining to them but maintained by their bank in the normal course of business.
Shortly after these decisions were rendered, new technology capable of conveying sensitive information stored with third parties at distant locations began to develop. Congress rightly feared that because the Court had ruled that information maintained by third parties did not enjoy Fourth Amendment protections in certain contexts, the privacy of electronic communications could not be guaranteed absent legislation.
Congress and Surveillance of Communications on the Internet
The Electronic Communications Privacy Act of 1986 (Pub. L. No. 99-508) is the comprehensive legislation Congress enacted to protect the privacy of electronic communications such as e-mail. An individual's e-mail message stored by a third party was viewed as likely unprotected by the Fourth Amendment under the Court's reasoning in Smith v. Maryland. In ECPA, Congress made the term "electronic communication" very broad to ensure that the term was expansive enough to cover evolving technology. An "electronic communication" is defined as any transfer of signs, signals, writing, images sounds, data or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectonic or photooptical system, except for wire and aural communications, communications made through a "tone only" pager or by a tracking device and certain electronic funds transfers. This covers much more than e-mail.
ECPA has a number of shortcomings that should be addressed. It is not as protective of e-mail and other electronic communications as Title III is of voice communications:
- Only a high-ranking DOJ official can authorize an application for wiretap order; "any attorney for the Government" may authorize an application for an order to intercept e-mail and other electronic communications;
- Wiretaps can be issued only upon a showing of probable cause that one of a list of enumerated offenses has been committed; e-mail and other electronic communications can be intercepted with a court order based on probable cause issued in connection with any federal felony; and
- The statutory exclusionary rule that encourages law enforcement to comply with the proper procedures for electronic surveillance applies only to wiretaps and bugs, not to interception of e-mail and other electronic communications.
Electronic communications ought to be afforded the same protections as voice communications because they are functionally similar.
Second, under the scheme adopted in ECPA, real-time interception of e-mail messages is given greater protection than is acquisition of the message from a "provider of electronic communications service" after it has been stored. Under ECPA, real-time interception of e-mail messages and other electronic communications requires a court order based on probable cause of crime, interception is an investigative technique of the last resort, and continuing judicial oversight is required. 18 U.S.C. 2510-22. However, since real-time interception of electronic communications is not necessary in most cases, these provisions do not afford the protection for electronic communications that Congress likely intended. Instead, law enforcement need only wait until the provider stores the e-mail message; it is stored immediately upon delivery.
Once in storage, law enforcement access is obtained more readily under 18 U.S.C. 2703. A search warrant based on probable cause issued by a federal magistrate (as opposed to a court order with the protections mentioned above) is all that is required to access e-mail in storage for less than 180 days. 18 U.S.C. 2703(a). In other words, by waiting an instant until the message is delivered and "stored," the requirement of a court order with continuing judicial oversight, the statutory requirement for minimization procedures, the substantial fines and prison time for violating the statute, and the requirement that the communication be eavesdropped upon only as an investigative technique of last resort are all avoided.
This is what the Fifth Circuit concluded in Steve Jackson Games, Inc. v. U.S. Secret Service, 36 F.3d 457 (5th Cir. 1994). As a result, court orders are likely seldom sought to intercept e-mail; rather, it is simply accessed with a warrant when it is stored.
What does this mean for a service like AOL's "Instant Messaging?" It resembles a phone conversation over the Internet. But if AOL stores the messages -- even for an instant -- the communication has lesser protection than would a phone conversation.
Importantly, once the e-mail has been stored with the provider for over 180 days, it can be made available to law enforcement acting with only an administrative subpoena and delayed notice to the customer, or with a warrant without notice. 18 U.S.C. 2703(b). Most importantly, such e-mail can be obtained by law enforcement acting with a court order issued based upon a showing of only "specific and articulable facts showing that there are reasonable grounds to believe" that the contents of the communication are "relevant" to an ongoing investigation. "Relevance" is a far lower threshold for a search than is "probable cause." In effect, the privacy of the contents of an e-mail message or other electronic communication diminishes just because a service provider retained the message an inordinately long time.
It is tempting to assume that a person using the Internet has a reduced expectation of privacy. This assumption is very dangerous in an increasingly interconnected world, where transactions that we seek to keep private are increasingly conducted over the Internet. It triggers a downward spiral in the level of protection that is offered to communications. Rather than allow this, Congress should step in to bolster expectations of privacy and reject proposals that would diminish personal privacy.
Proposals Regarding Surveillance of Internet-Related Communications.
It is against this backdrop that we encourage you to examine proposals to expand law enforcement's electronic surveillance authority to combat crime facilitated by communications on the Internet.
Nation-wide Pen Register and Trap and Trace Orders. A pen register is a device that records telephone numbers dialed from a telephone; a trap and trace device, like caller ID, records the phone numbers of incoming calls. 18 U.S.C. 3127. Under current law, the standard for obtaining a court order authorizing placement of a pen register or trap and trace device is extremely low. The statute provides that the court shall issue an order authorizing the installation of a pen register or trap and trace device whenever any attorney for the Government or an investigative officer merely certifies in an ex parte proceeding that information likely to be obtained is relevant to an ongoing criminal investigation. 18 U.S.C. 3123. No judicial finding of relevance is required. In fact, even if the court finds that only completely irrelevant information would be obtained, the plain language of the statute requires that the judge issue the order anyway. In other words, the court wields a rubber stamp. Pen registers and trap and trace devices are used much more often than electronic surveillance such as wiretaps.
Pen registers and trap and trace orders are limited to the jurisdiction of the court issuing the order. 18 U.S.C. 3123. The Department of Justice has asked that judges be given authority to issue such orders with nationwide coverage. DOJ argues that to track computer intrusions over the Internet, law enforcement officials must often seek multiple orders because electronic communications jump from computer to computer and jurisdiction to jurisdiction. However, the DOJ's request extends not only to electronic communications, but also to any communications transmitted by telephone, which do not jump from computer to computer.
We urge you to reject this request because: (i) the standard for issuing a pen register or trap and trace order must first be strengthened substantially; (ii) steps must be taken to ensure that forum-shopping for a sympathetic judge is precluded; and (iii) it is unclear exactly what information the Government is currently obtaining with the low evidentiary standard for pen registers and trap and trace devices.
The statute currently authorizes the interception of only numbers dialed to and from a telephone. The request for nationwide trap and trace and pen register orders is justified by a need to track computer intrusions back to the source. This likely involves ascertaining the suspect's e-mail address, as well as header information. Both of these include letters, not numbers dialed to and from a telephone. Under the language of the statute, neither a pen register nor a trap and trace order would cover such an interception. Moreover, it is not clear whether the Government can serve an order on an Internet service provider and obtain the e-mail addresses of incoming and outgoing messages for a particular subscriber. Further, it is not clear whether law enforcement agents use or should use authority under the pen register statute to access a variety of data, including Internet Protocol addresses, dialup numbers and e-mail logs. Before entertaining any request that trap and trace and pen register authority be expanded, law enforcement should be required to disclose the type of information it currently obtains with such orders in the digital world. Armed with that knowledge, Congress would be better positioned to evaluate a request that such authority be expended.
Reducing Anonymity on the Internet. We view Internet anonymity as one of the primary attributes of this new communications medium. The Supreme Court has held that the Constitution grants people in the U.S. the right to speak anonymously. See McIntyre v. Ohio Elections Commission, 514 U.S. 334 (1995). With respect to anonymity and Internet communications, see also ACLU v. Johnson, 4 F.Supp.2d 1029 (D.N.M. 1998) and ACLU v. Miller, 977 F.Supp. 1228 (N.D. Ga. 1997). To eliminate Internet anonymity would be the rough equivalent of outlawing pen names in the real world. It would partially stifle many communications on the Internet.
Reducing the Privacy of Pager Communications. The clone pager provisions in Section 211 of the Senate's version of the juvenile justice bill, S. 254, would erode the protections that have traditionally accompanied the conveyance of content in numeric form. A clone pager is a device that intercepts communications intended for a numeric pager and makes those communications available to law enforcement. The numbers dialed to a pager are content because they are selected by the sender to convey a message. Sometimes the message is, "call me at this number." At other times, the message is a code with meaning. For example, sending "911" might signal an emergency. Most courts agree that interception of the numbers sent to a pager is an interception of the contents of an electronic communication under ECPA that triggers Fourth Amendment scrutiny. See, e.g., Brown v. Waddell, 50 F.3d 285 (4th Cir. 1995).
The clone pager provision would substitute a new standard -- "probable cause of relevance" to an on-going investigation for the current standard of probable cause to believe that a crime is being committed, in the case of content conveyed by numbers sent to a pager. Moreover, under the Senate bill, interception would be authorized under procedures more closely resembling those relating to pen registers and trap and trace devices, as opposed to those governing interception of the contents of an electronic communication. This may well be unconstitutional and in any event, sets a dangerous precedent.
A communication that conveys content by means of numbers should be no less protected than a communication that conveys content by means of letters. Many electronic communications -- including communications sent over the Internet -- are digitized and consist only of 1's and 0's. Moreover, an encrypted communication might consist only of numbers. The Fourth Amendment requires that content be intercepted only under a probable cause of crime standard.
The Department of Justice deemed unconstitutional and unnecessary a similar provision in a bill, S. 170, in the last Congress. It said in a May 20, 1998 letter to Chairman Hyde that interception of content of communications to numeric pagers was probably protected under the Fourth Amendment. It also said that if communications sent to numeric pagers were given reduced protection, drug dealers and other criminals would simply switch to alphanumeric pagers. DOJ took no position on this modified version of the clone pager provision in the comments it submitted on the juvenile justice bills. We urge you to reject this proposal.
Foreign Intelligence Surveillance of Internet Communications. The Foreign Intelligence Surveillance Act (FISA) 50 U.S.C. 1801 et seq. became law in 1978 well before widespread use of the Internet. Under FISA, a court consisting of Article III judges secretly authorizes electronic and physical surveillance without probable cause of crime for intelligence and national security reasons. In recent years, the FISA court has issued more electronic surveillance orders than all of the federal courts combined.
Unlike Title III, which covers electronic surveillance for criminal purposes, the FISA statute was never updated to account for the new forms of electronic communications that are facilitated by the Internet. The FISA statute defines the "electronic surveillance" it regulates to include:
- "...the installation or use of an electronic, mechanical, or other surveillance device in the United States for monitoring to acquire information, other than from a wire or radio communication, under circumstances in which a person has a reasonable expectation of privacy and a warrant would be required for law enforcement purposes." 50 U.S.C. 1801(f)(4).
Moreover, recent revelations in the European Parliament about eavesdropping by the National Security Agency working with the intelligence agencies of other English speaking nations in an operation known as "Echelon" has sparked concerns here that FISA's requirement of a court order might be circumvented. We have called for hearings open to the public that would clear up these matters and ensure that the contents of domestic communications involving a U.S. person are not intercepted except with a court order.
Monitoring the Internet for Suspicious Words. Recently, the Securities and Exchange Commission announced a plan to monitor public websites, message boards and chat rooms for suspicious words. The SEC put out a request for proposals for an automated Internet search system that would flag words or phrases such as "get rich quick," copy these communications into a database, attempt to match them with e-mail addresses and other identifying information, and use the results to bring civil proceedings against people suspected of wrong doing. Yesterday, the SEC issued a press release declaring that its monitoring plan is no different in manner and scope than "finding a newspaper article with the aid of a tool that helps you to so more quickly and exactly."
Depending on the type of communication monitored and whether the parties involved have a "reasonable expectation of privacy" in the communication, such communications may not fall within the ambit of the Fourth Amendment. However, this plan raises a larger question. Should Internet communications in "public" areas be routinely monitored by federal agencies with law enforcement responsibilities acting without the "reasonable indication of criminality" usually required for an investigation, or even the receipt of information sufficient to trigger a preliminary inquiry into whether a full investigation is warranted? If so, what does this mean for the traditional investigative injunction against monitoring activities protected by the First Amendment?
When other federal agencies follow suit to enforce both civil and criminal laws, we might be left with George Orwell's America in which images of a snooping, all knowing "Big Brother" are both real and justified. The collection of data on the First Amendment activities of mostly innocent persons would also implicate the Privacy Act, which gives people an opportunity to access personally identifiable information in files the Government maintains on them.
Cyberspace Electronic Security Act (CESA): Last year, the Clinton Administration proposed legislation that purports to enhance privacy by requiring a court order before escrowed keys and passwords to encrypted communications could be disclosed to the government. But the privacy standards established in this so-called Cyberspace Electronic Security Act (CESA) would be inadequate to protect privacy.
Under CESA, third parties would be legally compelled to disclose decryption information upon a finding that the information is "reasonably necessary" to allow access to the plaintext of the communication, and that there is no constitutionally protected expectation of privacy in such plaintext. This untested standard falls far short of the traditional probable cause standard. Also, the reference to "constitutionally" protected privacy interests wou