September 6, 2000
The Internet and Public Safety
Over the last decade, use of computers and the Internet has grown exponentially, and individuals have increasingly come to depend on this use in their daily lives. The Internet has resulted in new and exciting ways for people to communicate, transfer information, engage in commerce, and expand their educational opportunities. These are but a few of the marvelous benefits of this rapidly changing technology. There is no question that the Internet has changed the way we live today. Yet, as has been the case with every major technological advance in our history, we are seeing individuals and groups use this technology to commit serious criminal acts. As people have increasingly used computers for lawful purposes, so too have criminals increasingly exploited computers to commit crimes and to harm the safety, security, and privacy of others.
Since just the beginning of the year, for example, legitimate e-commerce has been the target of malicious computer hackers in the form of "denial of service attacks." These unlawful attacks involved the unauthorized intrusion into a large number of computers, which were in turn used to launch attacks on several, target computers, such as Yahoo, eBay, and CNN. In these cases, the number of victims was substantial, as was the collective loss and cost to respond to these attacks. We have also seen the emergence of fast-moving viruses that have caused damage to computer systems around the world and have disrupted the computer systems of consumers, businesses, and governments. In May, the "I Love You" virus infected 45 million files in computer systems all over the globe, causing damages estimated at $2.61 billion. Frighteningly, the "I Love You" virus was followed by almost 30 copycat variants.
While the denial of service attacks and viruses have received a great deal of attention and are cause for concern, they are but one facet of the criminal activity that occurs online today. Criminals use computers to send child pornography to each other through anonymous, encrypted communications; hackers break into financial computers and steal sensitive, personal information of private consumers, such as names, addresses, social security numbers, and credit card information; and criminals use the Internet’s inexpensive and easy means of communication to commit large-scale fraud on victims all over the globe.
Let me share some statistics with you that illustrate the dimensions of the problem. Seventy-four percent of businesses recently surveyed by the Computer Security Institute reported computer security breaches that included theft of proprietary information, financial fraud, system penetration by outsiders, data or network sabotage, or denial of service attacks. Indeed, almost twenty percent of respondents reported 10 or more such incidents. In addition, Internet fraud has increased exponentially. Since it’s inception in May of this year, for example, the FBI’s Internet Fraud Complaint Center has received 1,200 complaints every week. At this rate, they will receive 62,000 complaints a year. Simply put, criminals are exploiting the Internet and victimizing people, worldwide, everyday.
Responding to the Challenge of Unlawful Conduct on the Internet
The growing threat of illicit conduct online was made clear in the findings
and conclusions reached in the report of the President’s Working Group
on Unlawful Conduct on the Internet, entitled, "The Electronic Frontier:
The Challenge of Unlawful Conduct Involving the Use of the Internet."
This extensive report highlights some of the significant challenges facing
law enforcement in cyberspace. As the report states, the needs and
challenges confronting law enforcement, "are neither trivial nor theoretical."
The Report outlines a three-pronged approach for responding to unlawful
activity on the Internet:
The report also emphasizes the need to address the privacy issues
raised by changes in computer and telecommunications technology.
I would encourage anyone with an interest in this important topic to review
carefully the report of the Working Group. The report can be found
on the Internet by visiting the website of the Department of Justice’s
Computer Crime and Intellectual Property Section, located at www.cybercrime.gov.
That website also contains a great deal of other information relating to
cyber-crime and to the laws protecting intellectual property.
The migration of criminality to cyberspace accelerates with each passing day and the threat to public safety is becoming increasingly significant. As Deputy Attorney General Eric Holder told a joint hearing of House and Senate Judiciary Subcommittees in February, this nation’s vulnerability to computer crime is astonishingly high and threatens not only our financial well-being and our privacy, but also this nation’s critical infrastructure.
Legislation That Would Promote the Safety, Security, and Privacy of Internet Users
It is important to note, Mr. Chairman, that when law enforcement successfully apprehends a criminal who has stolen a citizen’s personal information from a computer system, or a hacker who has compromised the financial records of a bank customer, we are undeniably working, not just to apprehend the offender, but to protect the privacy of law-abiding citizens and to deter further privacy violations at the hands of criminals.
Thus, in order to address the looming threats created by the criminal misuse of the Internet, Congress should consider a comprehensive package of amendments to current law. Such a package should enhance both privacy and public safety by (1) addressing loopholes in the substantive offenses that define criminal conduct relating to computers and the Internet; (2) updating the procedural tools that law enforcement investigators use to gather evidence of criminal acts and identify the perpetrators; and (3) ensuring protection for the legitimate privacy interests of law-abiding Internet users.
Moreover, such a comprehensive package should not ignore the need for law enforcement to have adequate resources to respond to the continuing growth in cyber-crime. The changing nature of criminal investigations and the need to develop effective computer crime prevention and response strategies requires a focused, national effort that includes local, state, and federal law enforcement entities. Law enforcement is taking steps to respond to this dramatic increase in criminal activity: indeed, he FBI alone opened more than twice as many computer crime investigations in FY 1999 as it had in FY 1998. Unlike traditional methods of equipping and training law enforcement officers, investigators focusing on cyber-crime must receive continuous training and updated equipment in order to stay current with the rapidly changing technology. Criminals undoubtedly understand the latest technology, and so must law enforcement. In order to be able to meet the growing threat, we urge Congress to fully fund the Administration’s FY 2001 budget request for increased prosecutive resources for the Criminal Division’s Computer Crime and Intellectual Property Section and for United States Attorneys Offices – to handle cyber-crime investigations and cases.
We also need to amend existing law in two areas. First, we must make certain that the substantive laws defining what conduct is criminal – such as the Computer Fraud and Abuse Act (section 1030 of title 18) – are adequately refined and updated. Second, we must look critically at the tools law enforcement uses to investigate computer crimes – such as the existing Electronic Communications Privacy Act and the pen register and trap and trace statutes – to ensure that they are cast in terms that fully account for the rapid advances in technology. Failure to do both will hamper our efforts. If we have the appropriate substantive laws, but no means to effectuate them, we will be stymied in our pursuit of online criminals. Conversely, if the conduct in question is not covered by the criminal law, the ability to gather evidence is of no value in protecting the safety and privacy of people who use the Internet.
The Administration has been carefully considering these issues for a number of months. As a result of this process, in July the Administration, through the Department of Justice, transmitted to Congress proposed legislation that attempts to resolve the shortcomings in both the substantive and procedural laws, while improving privacy safeguards. In short, this proposal seeks to enhance both online privacy and public safety. I urge Congress to consider this kind of comprehensive legislation that seeks to deal with the full scope of the problem, rather than attempting to address the issues piecemeal.
With that background, I am pleased today to offer the views of the Department of Justice on the legislation recently proposed by Members of this Subcommittee.
Department of Justices Views on H.R. 5018
I applaud the members of this subcommittee for your concern for protecting the privacy interests of Internet users and their online safety and security. As my testimony today indicates, the Department shares your concerns about ensuring the privacy interests of those who use computer networks lawfully. The Department does, however, have serious reservations about the way the proposed bills treat these important issues.
Let me begin by discussing H.R. 5018, the "Electronic Communications Privacy Act of 2000." Although this bill attempts to address a number of important concerns, it is not the kind of balanced, comprehensive package that would improve the safety, security, and privacy of Internet users. It does not update the substantive criminal law that defines computer crimes in order to assure that criminals who violate the security and privacy of American citizens are properly punished. Nor does it modernize the investigative tools used to fight cyber-crime in a balanced way. And it does not address the desperate need for resources to assure that investigators and prosecutors have the training and equipment to pursue cyber-crime cases properly.
H.R. 5018 would make three significant changes to the law: (i) it would amend the laws governing how law enforcement may obtain non-content information under the pen register/trap and trace statutes; (ii)it would introduce statutory suppression for a range of non-Constitutional violations; and (iii)it would create a host of new reporting requirements. I will address each of these features in turn.
Proposed Trap and Trace/Pen Register Amendments. Section 4 of H.R. 5018 would make it more difficult for law enforcement authorities to obtain a Trap and Trace or Pen Register Order for electronic mail. Law enforcement investigators use such orders to collect the "to" and "from" information associated with communications from a particular e-mail account. For example, when a criminal uses e-mail to send a kidnaping demand, to buy and sell narcotics, or to lure children for sex, law enforcement needs to know to whom he is sending messages and from whom he receives them. Current law requires the applying government attorney to certify that the information likely to be obtained through the Order is relevant to an ongoing criminal investigation.
H.R. 5018, like the Administration’s bill, would introduce the requirement of judicial review of the factual basis for such orders. Specifically, H.R. 5018 would require such applications to contain "specific and articulable facts" that would justify the collection of the data. While the Justice Department can comply with the added administrative burdens imposed by increasing this standard, we have concerns about the amendments. Specifically, the technology-specific manner in which the bill would implement this change, the lack of an emergency exception, and the unrealistic geographic limitations that restrict such orders in the present law all raise serious concerns that should be addressed.
The Administration bill would, while raising the barriers to obtaining pen register and trap and trace orders, also amend those telephone-era statutes in a technology-neutral manner to make clear their relevance to the electronic age. Thus, if amended by that bill, the statute would apply to all "dialing, routing, addressing, and signaling information" associated with a given communication. It would thus increase privacy protection for all forms of electronic communication – including plain old telephone calls.
H.R. 5018, by contrast, would apply the heightened standard only to devices that identify "an e-mail address." This definition does not take into account the large number of other ways that electronic communications are sent over computer networks. For example, an electronic letter can be sent using "file transfer protocol" (or "ftp"), and messages of all kinds are exchanged using Internet mechanisms such as "instant messaging" and "chat rooms." Moreover, because the definition is phrased in terms of one of today’s technologies, "e-mail," it will likely become quickly outdated as the Internet continues to evolve. It may be that in ten years, no one will be using what we now call "e-mail" at all but will be instead using some new technology not covered by the bill. Thus, the prudent course in amending our laws is to define terms using technology-neutral language, such as that contained in the Administration bill.
We also believe that any amendment to the pen/trap statute should supplement existing legal authority that allows law enforcement to use pen/trap devices in emergency situations – such as when they encounter an immediate danger of death or serious bodily injury or when they are investigating organized crime – without getting prior approval from a court, so long as they obtain court approval within 48 hours thereafter. The Administration bill would add two long-overdue exceptions to the prior-approval requirement: (1) immediate threats to national security; and (2) investigations of ongoing intrusions into computer networks under 18 U.S.C. §1030. In the latter case, rapid investigative response is made essential both by the nature of the medium – in which attackers may move seamlessly and almost instantaneously through a series of "stepping stone" victim sites, launching attacks from each – and by the quickly disappearing character of network routing evidence.
H.R. 5018 also fails to address a crucial and growing obstacle to the ability of law enforcement to investigate threats to public safety and to business online: the geographical limitations currently found in the trap and trace and pen register statutes. Under current law a court can only order the installation of a pen/trap device within the geographical boundaries of that Court’s district. But changes in telecommunications technology and the telecommunications industry means that many different companies, located in a variety of judicial districts, may handle a single communication as it crosses the country. As a result, investigators often have to apply for multiple court orders in multiple jurisdictions in order to trace a single communication, causing a needless waste of resources and delaying and impeding important investigations. Indeed, in computer network investigations, such delays can cause perishable data to be lost and effectively end an investigation.
The statute should be amended to ensure that federal courts have the authority to order all telecommunications carriers providing service in the United States – whether within a particular judicial district or not – to provide law enforcement authorities the information needed to trace both voice and electronic communications to their source. Language implementing such a change is contained in the Administration’s bill. It is important to recognize in considering a nationwide trap-and-trace provision that introducing such a change would in no way reduce privacy protections. As is the case today, a federal court with jurisdiction over the investigation would still have to approve the application. No privacy interest is enhanced by repeatedly applying for identical orders in different parts of the country based on the same underlying facts.
New Statutory Suppression Remedies. Section 2 of H.R. 5018 creates two new statutory suppression remedies. It would require that courts exclude evidence from any criminal trial – whether the crime is the distribution of child pornography, a terrorist conspiracy, or murder – where investigators failed to meet statutory requirements. The statutes at issue define the legal procedures that investigators must use to obtain stored electronic communications and to intercept the content of electronic communications using a wiretap. The Department believes that expanding statutory suppression provisions beyond those that apply to the real-time interception of content would confer an unwarranted windfall on criminals.
By suppressing evidence, a court interferes with the core function of a criminal trial: the search for the truth. The exclusion of evidence prevents a jury from hearing all the relevant facts that allow it to determine guilt or innocence. Because suppression of evidence affects the central values of our criminal justice system, it is generally reserved for the most serious violations of law, such as violations of the Constitution. Congress should be cautious in considering whether to create new suppression remedies by statute in situations where no Constitutional violation has occurred.
Indeed, in the more serious situations intended to be covered by the new statutory suppression provisions, suppression already exists for law enforcement misconduct that rises to the level of a Constitutional violation. For example, if a wiretap affidavit submitted for the interception of the content of electronic communications contained intentionally false statements, any resulting interception would violate the Fourth Amendment, and a court would properly suppress such evidence. Statutory rules, on the other hand, can be enforced through existing civil remedies that do not allow the guilty to escape just punishment. See, e.g., 18 U.S.C. §2707 (setting forth civil and disciplinary remedies for violations of 2703).
Despite these reservations, the Department would, in the proper context, support harmonization of the way in which the law treats voice and electronic communications. Changes in technology and society have militated toward treating these two forms of communication in the same way. Thus, we believe the law could treat electronic communications in the same way as voice communications for purposes of suppression – so long as this change is part of a broader recalibrating of the way that the law treats all communications. For example, the Administration’s package proposes that wiretaps for electronic communications should be treated just the same as voice wiretaps, including approval by a high-level Justice Department official, limited to the list of predicate crimes under §2516, and with the availability of suppression under §2515.
New Reporting Requirements. Section 3 of H.R. 5018 mandates extensive new reporting requirements that would create a significant burden for law enforcement authorities. These reporting requirements would apply to the use of orders under section 2703(d) of title 18. Such orders are most commonly used to obtain stored traffic information – such as computer logs showing when communications were transmitted – and sometimes the content of communications that the user has chosen to save with a third party provider. These orders are far less intrusive than wiretap authorizations for the interception of the content of communications in real time using a wiretap. Yet H.R. 5018 would impose reporting requirements even greater than those imposed on law enforcement for wiretap orders.
Moreover, the imposition of such extensive reporting requirements for cyber-crime investigators would come at a time when law enforcement authorities are strapped for resources to fight cyber-crime. The reporting requirements for wiretaps, while extensive, are less onerous because law enforcement applies for such orders relatively rarely. Extending such requirements to orders used to obtain mere transactional data would dramatically hinder efforts to fight cyber-crime, such as the distribution of child pornography and Internet fraud.
Department of Justices Views on H.R. 4987
Mr. Chairman, let me turn to H.R. 4987, the "Digital Privacy Act of 2000." Again, while the bill addresses important issues, it is not the kind of balanced, comprehensive package that would promote both privacy and effective law enforcement. Indeed, it raises many of the same concerns as H.R. 5018. For example, it creates an extensive new reporting requirement for an even broader set of legal processes, including search warrants and grand jury subpoenas, threatening to turn crime-fighters into bookkeepers. And, while it creates a suppression remedy for wiretaps that involve electronic communications matching the standard for voice wiretaps, H.R. 4987 would not make the other changes to the statute that would allow voice and electronic communications to be treated equally.
Further, H.R. 4987 contains a provision that would unduly restrict the investigative use of cell phone location information. Currently, law enforcement obtains such information through 2703(d) orders, based on presenting "specific and articulable facts showing that there are reasonable grounds to believe that the [information] is relevant to an ongoing criminal investigation. The proposed amendment to section 2703 of title 18 would restrict law enforcement to obtaining such information only upon a judicial finding that "there is probable cause to believe that the equipment has been used, is being used, or is about to be used to commit a felony offense." This new restriction would prevent location information from being obtained where the phone itself is not being used to commit the offense. For example, in one important investigation, cell phone location information allowed investigators to locate an escaped murderer and arrest him. The proposed bill would forbid investigators from using location information in this kind of situation in the future because the killer’s phone was not being used to commit a crime. Similarly, in another investigation, an individual committed murder in one part of a city and lied to create an alibi by stating that he was in a different part of the city at the time of the murder. The records of the location of his cell phone revealed his lies and assisted law enforcement authorities to prove his guilt, even though the phone had nothing to do with the crime itself. Moreover, there may be cases where the location of a victim’s phone can provide critical – and, in a kidnaping case, even lifesaving – information but we may not be able to obtain the victim’s consent prior to obtaining and acting on the information.
As you can see, the consequences of the proposed provision are significant. Thus, the Department opposes this provision in its current form.
Conclusion
Mr. Chairman, I want to thank you again for this opportunity to testify today about our efforts to fight crime on the Internet and comment on the legislation proposed by you and members of your subcommittee. The public is undoubtedly concerned about their online privacy – and the potential for criminals, private industry, and the government to infringe upon it. But the public is also deeply concerned about their safety and security when using the wondrous resources of the Internet. Enhancing the ability of law enforcement to fight cyber-crime both promotes Internet users’ safety and security and enhances their privacy by deterring and punishing those criminals who violate individual privacy. The Department of Justice stands ready to work with the Members of this Subcommittee and others to achieve these important goals.
Mr. Chairman, that concludes my prepared statement. I would be pleased to answer any questions that you may have at this time.