RE: [ISN] Smith Bill Raises Police Power Concerns

From: InfoSec News (isnat_private)
Date: Wed May 15 2002 - 00:56:01 PDT

  • Next message: InfoSec News: "[ISN] Crackers deface Ferrari"

    Forwarded from: Marjorie Simmons <lawyerat_private>
    Alan Davidson's helpful testimony regarding H.R. 3482 follows 
    my remark, and is reported by the CDT at:
    the GPO bill is at
    My experience with responses to requests for information and 
    subpoenas I and others have drafted in civil matters seeking 
    information from ISPs in the last several years has been interesting. 
    ISP responses have been all over the map, varying from the alarming 
    (too much data handed over) to the absurdly secretive (contempt 
    charged).  ISPs so often founder in a quagmire with this stuff -- 
    hopefully Mr. Davidson's comments will have the desired impact 
    and (whatever the outcome of H.R. 3482, the "Cyber Security 
    Enhancement Act of 2001"), will prompt the codification of a useful 
    comfort zone that will cascade to civil litigants. I won't, however, 
    hold my breath in any case, as it often seems possible that the 
    tortoise called Osmosis may finish the race before the hare called 
    Marjorie Simmons
    Testimony of Alan Davidson (Associate Director CDT)
    before the Subcommittee on Crime of the Committee on 
    Judiciary U.S. House of Representatives 2-12-02
    [snip preamble] . . . 
    Our nation is at a point where revolutionary changes in 
    communications and computer technology have created new concerns 
    about public safety, security, and privacy online. In the aftermath of 
    September 11, cybersecurity is a serious problem that demands a real 
    response from government. At the same time, such responses must be 
    respectful of the protections for personal privacy and from overly 
    broad governmental authority, enshrined in our Constitution and 
    electronic surveillance laws. 
    If we are forced to give up essential liberties fundamental to our 
    American way of life than our country will truly have lost something 
    With this need to protect both security and Constitutional privacy 
    principles, CDT offers the following comments on H.R. 4382:
    First, CDT commends this committee for holding this hearing, and 
    for the relatively measured approach taken in HR 3482. We agree 
    that computer crime and security is a serious problem that requires 
    serious government response. In the USA PATRIOT Act, passed this 
    fall, substantial changes were made to the computer crime and 
    government surveillance statutes that raised serious privacy concerns 
    and are to this date still not fully understood. In contrast and with 
    one notable exception - the emergency disclosures provision of 
    Section 102 - H.R. 4382 takes a more modest approach to these 
    laws that does not raise the same types of privacy concerns.
    Second, the emergency disclosure provision of Section 102, as 
    drafted, is overly broad and would eviscerate important privacy 
    protections in current law.
    Current law protects the privacy of electronic communications by 
    prohibiting service providers from revealing those communications 
    to anyone without proper lawful orders. Emergency disclosure 
    provisions exist in the current law based on a reasonable idea - ISPs 
    who reasonably believe there is an imminent threat of death or 
    serious injury should be able to reveal communications to law 
    enforcement agencies on an emergency basis even without judicial 
    Sec. 102 would substantially expand this ability to reveal private 
    communications without any judicial authority or oversight.
    In practice, however, we have heard reports from large and small 
    providers, universities, and libraries, that the emergency disclosure 
    is being used in a different way. Providers are often approached by 
    government agents and asked to voluntarily disclose communi-
    cations or other subscriber information for investigations that the 
    government claims involve a danger to life and limb. Providers are 
    then faced with a Hobbesian choice - either turn over sensitive 
    private communications of subscribers without any court order, or 
    say no to a government request. Of course many comply with the 
    requests. Small providers have few legal resources to evaluate such 
    requests. Others receive requests from the same agents they may 
    seek help from the next day regarding hacking attacks or other 
    problems. Without proper restrictions, such "voluntary disclosure" 
    provisions risk becoming a major loophole.
    Current law, passed just four months ago, confines these extraordinary 
    disclosures to law enforcement agents in limited circumstances. As 
    drafted, Sec. 102 would threaten the privacy of communication by 
    substantially broadening these disclosures:
    It allows these disclosures to any governmental entity, not just law 
    enforcement agents. That could include literally thousands of federal, 
    state, and local employees - perhaps even foreign government 
    It no longer requires imminent danger for disclosure. It would allow 
    these extraordinary disclosures when there is some danger, which 
    might be far in the future and far more hypothetical. 
    It no longer requires a reasonable belief that there is a danger on 
    the part of the ISP. Section 102 would allow these sensitive 
    disclosures if there is any good faith belief - even if unreasonable-of 
    Thus as drafted, Sec. 102 would allow many more disclosures of 
    sensitive communications without any court oversight or notice to 
    subscribers. It would allow these disclosures to (and based on 
    requests from) potentially hundreds of thousands of government 
    employees, ranging from local canine control officials to school-
    teachers to Agriculture Department cotton inspectors to foreign 
    government officials.
    We urge the committee to carefully rethink this expansion. We 
    understand the argument that in some narrow circumstances 
    disclosures to some entities - such as the Center for Disease 
    Control - might be warranted. As supported in current law, in cases 
    of imminent threats of death or serious injury, law enforcement 
    agencies - trained to deal with such situations and cognizant of 
    legal strictures- should be the first contact point for concerned 
    citizens. We also urge the committee to maintain the requirements 
    of a reasonable belief in imminent danger.
    We are confident that if other disclosures are needed they can be 
    carefully crafted, and we look forward to working with the 
    Committee as well as experts in industry and other interested 
    parties to find a more balanced approach.
    In addition, we strongly encourage this Committee to add 
    accountability mechanisms for this extraordinary power. Congress 
    should consider requiring notice to the subscriber, after the fact 
    (and deferrable based on a judicial order), as a means of providing 
    subscribers with some way of knowing that their communications 
    have been disclosed. And at a bare minimum Congress should 
    mandate a reporting requirement for these emergency disclosures 
    to federal law enforcement, to give Congress some method of 
    evaluating their use.
    Third, we urge the Committee to continue its work to balance 
    powerful surveillance authorities with appropriate privacy 
    An essential element of security in cyberspace is trust. If Internet 
    users cannot trust that their most sensitive personal and business 
    communications will be private, than we cannot realize the 
    promise of the Internet as a communications medium.
    Powerful new surveillance authorities require powerful oversight 
    and accountability. In addition, the digital age is making more 
    personal information available than ever before, also increasing 
    the need for a legislative framework that protects personal 
    information from inappropriate surveillance.
    The USA Patriot Act passed this fall provides substantial new 
    government capabilities to conduct surveillance on Americans 
    and to combat terrorism and cyber crime. H.R. 4382 also provides 
    additional and powerful new resources and tools. But in both cases 
    there are virtually no new measures for oversight and accountability, 
    or any protections for all the sensitive personal information 
    increasingly available in the digital and wireless age. (We note that 
    this committee's own admirable efforts to strike a greater balance in 
    the PATRIOT Act were largely ignored.)
    We urge this committee to adopt a more comprehensive approach 
    to cybersecurity that recognizes the urgent need for additional 
    privacy protections. The Congress could start by taking up the 
    helpful changes to surveillance law developed and passed by the 
    House Judiciary Committee in the last Congress, under H.R. 5018, 
    Heightened protections for access to wireless location information, 
    requiring a judge to find probable cause to believe that a crime has 
    been or is being committed. Today tens of millions of Americans 
    are carrying (or driving) mobile devices that could be used to create 
    a detailed dossier of their movements over time - with little clarity 
    over how that information could be accessed and without an 
    appropriate legal standard for doing so. 
    An increased standard for use of expanded pen registers and trap 
    and trace capabilities, requiring a judge to at least find that specific 
    and particularly facts reasonably indicate criminal activity and that 
    the information to be collected is relevant to the investigation of 
    such conduct. 
    Addition of electronic communications to the Title III exclusionary 
    rule in 18 USC ?2515 and add a similar rule to the section 2703 
    authority. This would prohibit the use in any court or administrative 
    proceeding of email or other Internet communications intercepted 
    or seized in violation of the privacy standards in the law. 
    Require statistical reports for ?2703 disclosures, similar to those 
    required by Title III. 
    Require high-level Justice Department approval for applications to 
    intercept electronic communications, as is currently required for 
    interceptions of wire and oral communications. 
    In addition, other issues - some of broader scope - need to be 
    Improve the notice requirement under ECPA to ensure that 
    consumers receive notice whenever the government obtains 
    information about their Internet transactions. 
    Provide enhanced protection for personal information on networks: 
    probable cause for seizure without prior notice, and a meaningful 
    opportunity to object for subpoena access. 
    Require notice and an opportunity to object when civil subpoenas 
    seek personal information about Internet usage. 
    The bills put before this Committee last Congress were efforts 
    towards a modest improvement in privacy protections without in 
    any way denying the government any investigative tools. They 
    should serve as a starting point, and we hope that you will 
    consider including them to address the privacy concerns of many 
    Americans and the imbalance that exists in today's electronic 
    surveillance laws. 
    In conclusion, we urge to Subcommittee to 
    Substantially narrow the new emergency disclosure provisions 
    of Section 102. If retained, they should greatly limit the scope 
    of governmental entities that can receive such disclosure, could 
    provide deferred notice to the subscribers whose communications 
    were revealed, and should absolutely require reporting to 
    Congress on their use. 
    Take a more balanced approach by including some of the privacy 
    protections passed by this committee last Congress. Among the 
    most urgent of these: a need for clearer protection of wireless 
    location information, clearer definitions of what constitutes 
    content for pen/trap orders online, and additional statistical 
    reporting requirements. 
    Protecting national security and public safety in this digital age 
    is a major challenge and priority for our country. On balance, 
    however, we believe that new sources of data and new tools 
    available will prove to be of great benefit to government 
    surveillance and law enforcement. It is essential that we offer a 
    measured response to these concerns, and urgently take up the 
    need for additional privacy protections in the electronic 
    surveillance laws.
    Powerful new government surveillance and law enforcement 
    capabilities demand powerful oversight, accountability, and 
    privacy protection mechanisms. We look forward to working 
    with the Subcommittee and other interested parties to craft 
    an approach that protects both security and privacy online.
    On Sunday, May 12, 2002 11:41 pm, InfoSec News 
    [SMTP:isnat_private] wrote:
    | Forwarded from: Bob <bobat_private>
     . . .
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed May 15 2002 - 05:00:19 PDT