Testimony of Alan Davidson

Associate Director

Center for Democracy and Technology

before the

Subcommittee on Crime of the House Judiciary Committee

June 12, 2001

Summary

Mr. Chairman and Subcommittee Members, thank you for calling this hearing and giving CDT the opportunity to testify about cybercrime. Our nation is at a point where revolutionary changes in communications and computer technology have created new concerns about public safety, security, and privacy online. Cybercrime is a serious problem that demands a real, though limited, response from government. That response must be crafted recognizing that the digital age also offers tremendous new capabilities for law enforcement, while the rise of personal information online has eroded essential privacy guarantees under law.

As Congress considers cybercrime it should also strengthen outdated privacy laws to restore the shifting balance between government surveillance and personal privacy, to build user trust and confidence in this economically vital new medium, and to afford law enforcement agencies, online service providers, and Internet users the clear guidance they deserve.

This testimony explores three broad themes:

Cybercrime is a serious problem, but must be considered in the context of today's technology, law enforcement capabilities, and eroding personal privacy protections.

· The Internet's unique open and decentralized architecture offers new challenges to traditional approaches to crime. But care must be taken that efforts to address cybercrime do not stifle the innovation or freedom that have been hallmarks of the Internet's success.

· The digital age offers tremendous new tools for law enforcement. The soaring collection of electronic records about online and offline activity have created a wealth of information to investigate and prosecute crimes. On balance, the digital age is likely to be a major net plus for law enforcement capabilities.

· Privacy rules have not kept pace with these changes. Astonishingly, the last significant update to our privacy and surveillance rules came in 1986 - before the invention of the World Wide Web, before the Internet became a fixture in schools, homes, and businesses, before more than one in two Americans used mobile phones.

Concerns about cybercrime need not, and should not, become an excuse for sweeping new authorities or greater government surveillance capability.

· The government has a real, but limited, role in promoting security online. The nature of the Internet makes its users the first and most important line of defense against cybercrime, and government alone can do little to guarantee Internet security. Government does have an important role focused on getting its own house in order, training personnel to deal with new technologies, and supporting R&D.

· It is not clear that new government authorities or investigatory powers are needed. Substantial authorities already exist for investigating and prosecuting most cybercrime.

· There is a real risk that cybercrime concerns will become an excuse to implement sweeping new authorities that jeopardize personal privacy. Past efforts to mandate key recovery encryption backdoors, deployment of the "Carnivore" surveillance tool, and expansion of CALEA requirements demonstrate a track record of invasive responses. The point is best underscored in Europe, where implementation of a new Council of Europe Convention on Cybercrime and new data retention proposals are creating huge concerns about personal privacy, cost burdens, and Internet architecture.

Congress should strengthen weak and outdated privacy protections. While improvements to security technology can come from the private sector, only legislation can update the 1980s surveillance and privacy laws in order to provide confidence in the network and resolve gaps and ambiguities in the law. Top priorities should include --

· Providing heightened protections for access to wireless location information, now available for tens of millions of Americans carrying (or driving) mobile phones.

· Increasing the standard for use of pen registers and trap and trace devices, and limiting their use on the Internet since address data for email and Web browsing can be much more revealing than telephone numbers dialed.

· Providing enhanced protection for personal information on networks.

This testimony provides a more detailed list of needed reforms. As a starting point, we would encourage Congress to take up the helpful protections developed and passed by the House Judiciary Committee last September in H.R. 5018 of the last Congress.

It should be noted that nothing in these proposals would deny law enforcement the tools needed to fight crime and defend national security. No law enforcement agency would be prohibited from locating a criminal suspect or monitoring a terrorist's email. All these proposals do is to set clear and strong privacy guidelines for use of electronic surveillance techniques and require public reporting as the foundation of oversight and accountability.

These are complex issues vital to the future health and growth of the Internet. CDT looks forward to working with the Subcommittee, the Justice Department, and others in the law enforcement community to evaluate cybercrime proposals and to flesh out needed privacy enhancements, in order to restore the trust, security, and privacy consistent with the Internet's promise of promoting economic opportunity and individual freedom.

The Center for Democracy and Technology is a non-profit, public interest organization dedicated to promoting civil liberties and democratic values on the Internet. Our core goals include ensuring that the Constitutionís protections extend to the Internet and other digital media. CDT also coordinates the Digital Privacy and Security Working Group (DPSWG), a forum for more than 50 computer and communications companies, public interest groups, and associations working on information privacy and security.

Context: Law Enforcement Capabilities and Privacy Protections in a Digital Age

As the Internet becomes increasingly important to consumers and businesses, concerns about criminal activity online and cybercrime are becoming more prevalent. The rapid pace of change has made it harder for Internet users to protect themselves, and creates real challenges for law enforcement.

Concerns about cybercrime are serious. But there are also many reasons to believe the important balance between investigatory powers and individual liberty - enshrined in our legal system and guaranteed by the constitution - has shifted in this digital age, and that greater protections are actually needed for personal privacy. Part of this context is that the digital age offers remarkable and effective investigative tools for law enforcement. At the same time, the amount of personal information available electronically is rising and there is great need for updates in outdated surveillance and privacy law.

The Internet: Rising use, growing concerns, and an eroding balance

The Internet is at once a new communications medium and a new locus for social organization on a global basis. Because of its decentralized, open, and global nature, the Internet holds out unprecedented promise to promote expression, spur economic opportunity, and reinvigorate civic discourse. Individuals and groups can create new communities for discussion and debate, grassroots activism and social organization, artistic expression and consumer protection. The Internet has become a necessity in most workplaces and a fixture in most schools and libraries.

Every day, Americans use the Internet to access and transfer vast amounts of private data. Financial statements, medical records, and information about children ñ once kept securely in a home or office ñ now travel through the network. Electronic mail, online publishing and shopping habits, business transactions and Web surfing profiles can reveal detailed blueprints of peopleís lives. And as more and more of our lives are conducted online and more and more personal information is transmitted and stored electronically, the result has been a massive increase in the amount of sensitive data available to both potential criminals as well as government investigators.

As social, economic, and personal activities move online, criminal activity taking place or being investigated through the use of the Internet is increasing as well and will likely to continue to increase. One element of concern about cybercrime is the rise of both familiar forms of criminal behavior extended to the instrumentality of the Internet, as well as new harmful acts - such as hacking or identity theft - unique to the digital age. Another concern is the tremendous changes in law enforcement methods that will be needed to adopt to a world where criminal activity is moving off of street corners and into cyberspace. These concerns are exacerbated by new public education problems, as people and business rapidly adopt new online activities without a clear understanding of how to protect themselves and using technologies that may not have adequately accounted for security needs.

A natural reaction in the face of cybercrime concerns is to seek new governmental authorities and powers. A starting point for considering these government actions is the old doctors' adage: First do no harm. There is a real risk that sweeping new mandates or regulations providing incremental improvements in security could undermine many of the open and decentralized features that have been essential to innovation, growth, and freedom online.

More broadly, cybercrime must be addressed in the context of the important protections for individual liberty that stem from the U.S. constitution and are enshrined in our legal system. The Congress and our courts have often denied powerful surveillance tools or police powers to the government in order to guarantee basic liberties. In considering cybercrime, it is appropriate to look at both the new capabilities now available to government as well as the eroding state of legal privacy protections.

The Digital Age Presents Tremendous New Tools For Law Enforcement

While the Justice Department frequently complains that digital technologies pose new challenges to law enforcement, it is clear that the digital revolution has also been a boon to government surveillance and collection of information. For example, in testimony last year before a Senate appropriations subcommittee, FBI Director Freeh outlined the Bureau's success in many computer crime cases. Online surveillance and tracking led to the arrest of the Phonemasters who stole calling card numbers; an intruder on NASA computers, who was arrested and convicted in Canada; the thieves who manipulated Citibank's computers and who were arrested with cooperation of Russian authorities; and the creator of the Melissa virus, among others. More recently, alleged hackers who distributed the "I Love You" virus and initiated last year's debilitating distributed denial of service attacks on prominent U.S. web sites have been identified.

In many of these cases, it is the Internet itself that has provided the key instrumentality in investigating and gathering information. Examples include the Justice Department's successful "Innocent Images" campaign to prosecute child pornography, and the recent highly-publicized crackdown on Internet fraud.

Electronic surveillance is going up, not down, in the face of new technologies. Computer files are a rich source of stored evidence: in a single investigation last year, the FBI seized enough computer data to nearly fill the Library of Congress twice. The FBI estimates that over the next decade, given planned improvements in the digital collection and analysis of communications, the number of wiretaps will increase 300 per cent. Online service providers, Internet portals and Web sites are facing a deluge of government subpoenas for records about online activities of their customers. Everywhere we go on the Internet we leave digital fingerprints, which can be tracked by marketers and government agencies alike. The FBI has even requested additional funds to "data mine" these public and private sources of digital information for their intelligence value.

The FBI is also becoming adept at using data collected and stored by the private sector. For example, a recent story in the Wall Street Journal detailed how federal law enforcement agencies have begun purchasing detailed collections of personal data from commercial "look-up" companies. While this raises concerns about agencies skirting the Privacy Act's restrictions on the government's own data collection efforts, it is clear that the FBI is adopting to and using these new and rich data sources.

Privacy Rules Have Not Kept Pace With These Rapid Changes

Another important context for considering cybercrime is that outdated surveillance and privacy laws have not kept up with changing technology and offer only reduced protections. Electronic privacy and surveillance are today governed by a complex statutory and constitutional framework that has slowly eroded in the face of technological change.

Remarkably, the 1986 Electronic Communications Privacy Act of 1986 (ECPA), 18 USC 2701 et seq. (setting standards for access to stored electronic communications and transactional records) was the last significant update to the privacy standards of the electronic surveillance laws. Astonishing and unanticipated changes have occurred since then, including --

· the development of the Internet and the World Wide Web, and their widespread use;

· the convergence of voice, data, video, and fax over wire, cable and wireless systems, and the rising deployment of high-bandwidth broadband facilities;

· the increasing use of mobile telephones and devices, including those that access the Internet;

· the proliferation of service providers in a decentralized, competitive communications market; and

· the movement of information out of people's homes or offices and onto networks controlled by third parties.

These changes have left gaps and ambiguities in the surveillance law framework. In some cases, such as the rise of mobile location information or the development of the Web, whole new types of information never available before to law enforcement can now be accessed under a legal framework that never contemplated their existence. In other cases, such as the use of pen registers for Internet traffic or the standard for accessing location information, the standards and procedures for lawful access are unclear at best.

These gaps create privacy problems, and they also create confusion on the part of law enforcement officers. Greater clarity and enhanced protection is needed both to promote public confidence in law enforcement and to provide deserved guidance about what is and is not acceptable behavior for electronic surveillance and data-gathering.

Most fundamentally, as a result of these changes personal data is moving out of the desk drawer and off of the desktop computer, out onto the Internet and out of personal control. More and more, this means that information is being held and communicated in configurations where it is in the hands of third parties and therefore not afforded the full protections of the Fourth Amendment under current doctrine. In a world where the Internet is increasingly essential for access to commerce, community, and government services, personal privacy should not be the price of living online. Rather, it is necessary to adopt legislative protections that map Fourth Amendment principles onto the new technology.

Concerns about cybercrime need not, and should not, become an excuse for sweeping new government authorities or greater surveillance capability.

The government has a real, but limited, role in promoting security online.

At the root of many concerns about cybercrime are problems relating to computer security. Hacking, unauthorized access to computers, denial of service attacks, and the theft, alteration or destruction of data are all already federal crimes, and appropriately so. But Internet security is not a problem primarily within the control of the federal government. Particularly, it is not a problem to be solved through the criminal justice system. Internet security is primarily a matter most effectively addressed by the private sector, which has built this amazing, complex and rapidly-changing medium in a short time without government interference.

The government's limited role in cybersecurity stems from the unique technical features of the decentralized, global, user-controlled Internet:

· Unlike traditional broadcast or telecommunications media, where security concerns could be focused on a relatively small number of large companies, today's cybersecurity solutions must apply to literally millions of individuals around the world who create, publish, transmit, route, process, and sell online.

· The Internet's architecture is open, with few (if any) gatekeepers over online activities - a feature essential to the innovation in online services, content, and technologies, and essential to the Internet's promise in promoting free expression worldwide.

· The Internet is global, so the actions of any one national government will only have an incremental effect on behavior and are unlikely to prevent undesirable activity online.

In such an environment, it is the Internet's users who are the first and most important line of defense in the fight against cybercrime. Providing technology to protect users online - such as strong encryption tools and secure software and networks - is likely to be far more effective and scale far better than direct government intervention.

It must be stressed that the source of the security problem is not the architectural openness of the Internet, nor is it inherently a function of the anonymity that openness affords. Indeed, this robust and decentralized architecture is what makes the Internet as resilient as it is. Rather, the problem is that security measures compatible with the open and anonymous nature of the Internet have been given a low priority as the Internet has grown. The explosion of services and business online and the rapid rollout of new software with new features have often come at the expense of good technical security. In that sense, heightened concerns about cybercrime are a helpful wake-up call, not only because they highlight the lack of security but because they also emphasize the bottom line risks.

It is clear that the private sector is stepping up its security efforts, with an effectiveness that the government is not likely to match given the rapid pace of technical change and the decentralized nature of the medium. The tools for warning, diagnosing, preventing and even investigating infrastructure attacks through computer networks are uniquely in the hands of the private sector. In these ways, Internet crime is quite different from other forms of crime.

In this environment, government has an important but limited role focused on getting its own house in order, hiring trained staff, and supporting R&D. First, it must get its own computer security house in order. The Administrationís ìNational Planî for cyber-security, which focuses on protecting the governmentís own systems, has some laudable and long-overdue elements. We are concerned, though, that it relies too heavily on a monitoring system that threatens privacy and other civil liberties (ìFIDNetî) and gives too little priority to closing the known vulnerabilities and fundamental security flaws in government computer systems. (Target date for fixing "the most significant known vulnerabilities" in critical government computers: May 2003.) To improve government computer security and enforce the computer crime laws, the government needs the resources and Title 5 authority to hire and retain skilled investigators and computer security experts. Law enforcement must undertake the daunting task of training a new generation of public safety officers whose most important weapon is not a gun but a laptop.

The government should do more to support basic research and development in computer security. It is a positive step that the U.S. government has stopped fighting deployment of encryption. We are concerned, though, that a range of new surveillance initiatives ranging from "Carnivore" to CALEA and "wiretapping for the Internet" are being used to build surveillance features without adequate attention to security ñ and may themselves constitute a security vulnerability. While the potential for the government to help is limited, the risk of government doing harm through design mandates or further intrusions on privacy is very high.

It is not clear that new government authorities or investigatory powers are needed.

Substantial authorities already exist for investigating and prosecuting cybercrime. It appears that most of the "cybercrime" activities conducted online could be prosecuted through existing criminal law. The Computer Fraud and Abuse Act and other statutes broadly make hacking, unauthorized access to computers, and the theft, alteration or destruction of data already federal crimes. Powerful statutes exist to punish distribution of obscenity or child pornography online. Existing criminal statutes covering a range of topics from fraud to abuse of a minor are being applied to or have been adopted to include online behavior.

It is always appropriate to consider whether our laws have been outdated by changes in technology, and several proposals have been under consideration to amend the computer crime statute and the electronic surveillance laws to enhance law enforcement authorities. The Subcommittee, after careful analysis, may find that some modest changes are appropriate. But we urge caution, especially in terms of any changes that would enhance surveillance powers or government access to information. For example, the Justice Department had proposed changes to the computer fraud statutes that would lower the $5000 loss threshold before criminal penalties apply. However, there is reason to believe that prosecutors are unwilling to bring even cases that meet the threshold because of stiff mandatory minimums that apply. Removing the damage threshold would only exacerbate the situation and also could make de minimus activity or online pranks serious federal crimes.

Some in government have argued that the Internet requires greater investigatory powers. In particular, they complain about anonymity or lack of traceability on the Internet. This is a red herring. The digital age of web logs, ISP records, credit card transactions, electronic banking, cookies, and clickstreams is creating a wealth of investigatory capability where none existed before. While there is not perfect traceability online, there is probably more traceability online than in the real world. An anonymous vandal can throw a brick through a bank window and run away down any number of streets. An anonymous pickpocket can steal your wallet with credit cards and melt into the crowd. Yet we do not require people to carry identification cards, nor do we install checkpoints on our streets. We do not have perfect traceability in the real world, for good reasons. We do not need perfect identity and traceability online either.

Nonetheless, the Justice Department has sought further expansions in its surveillance authorities. But surely, before enacting any enhancements to government power, we should ensure that current laws adequately protect privacy. For example, the government has proposed extending the pen register statute - designed for capturing digits dialed on a phone - to the Internet. Yet, the current standard for pen registers imposes little effective judicial control, reducing judges to mere rubber-stamps. Pen registers as applied to Internet communications are far more revealing than phone numbers, and there is a great deal of ambiguity about how they might be applied online. In this and other cases, we must tighten the standards for government surveillance and access to information, thus restoring a balance between government surveillance and personal privacy and building user trust and confidence in these economically vital new media.

These are complex issues. CDT is prepared to work with the Committee and the Justice Department to evaluate cybercrime proposals, to flesh out needed privacy enhancements, and to convene our DPSWG working group as a forum for building consensus.

There is a real risk that cybercrime concerns will become an excuse to implement sweeping new authorities that jeopardize personal privacy.

Americans are already deeply concerned about their privacy, especially online. Changes in technology are making ever more information available to government investigators, often with minimal process falling far short of Fourth Amendment standards. There is a real risk that concerns over the very real problems of cybercrime will serve as justification for legislation or other government mandates that will be harmful to civil liberties and the positive aspects of the Internet. Such a course is especially unjustified when there is so much to be done to improve security without changing the architecture or protocols of the Internet or further eroding privacy.

Examples abound already here in the U.S. For much of the last decade, the government has sought to force Internet users to adopt "key recovery" backdoors for their encryption products in the name of fighting crime online - despite the security risks and privacy concerns raised by creating backdoors in security tools. In the name of protecting critical infrastructure, some have promoted "Caller ID for the Internet" - a system of mandatory identification for Internet traffic of dubious practicality that would eliminate much privacy online. While these proposals have been largely rejected "Carnivore" - the FBI's aptly-named Internet surveillance tool - has been deployed despite concerns that it is ripe for abuse and accesses too much information without appropriate legal standards in place. The CALEA statute, passed to preserve government phone tapping capabilities from the specter of digital age communications, has since been expanded to include a wide variety of new services including turning mobile phones into location tracking devices for law enforcement - with little judicial oversight.

It is understandable that many are concerned about new surveillance proposals put forward to fight cybercrime. We have avoided some of the worst of these proposals here in the U.S. Unfortunately, there is evidence that many of the most damaging surveillance proposals are taking root outside of the U.S.

Recent efforts in Europe on cybercrime, and particularly the experience of the recent Council of Europe's proposed Convention on CyberCrime, underscore this point. Early versions of that Convention - developed in part in consultation with U.S. law enforcement officials - contained data retention and other requirements that would have forced ISPs and web services to keep and produce vast quantities of private data at substantial expense and with few privacy protections. Only in response to outcry from industry and public interest advocates were the worst of these provisions modified in recent drafts. But the Convention still contains few privacy protections and lacks an appropriate balance between provisions for law enforcement and preservation of individual rights. We note that the Convention would not require any changes in U.S. law, and we will carefully monitor any efforts to use it as an excuse for changes in the U.S.

A major concern about the COE Convention is how it will be implemented by individual nations. With few clear privacy guidelines built in, it is feared that many will use the Convention as a justification for imposing new design mandates on Internet providers that will threaten many of the Internet's most important characteristics. In recent weeks, a serious proposal has been floated in Europe to require that all Internet traffic be retained for seven years. Besides being impractical and prohibitively expensive, if not virtually impossible, such an effort would be an unprecedented invasion of personal privacy and a severe rollback of initiatives in Europe and elsewhere to limit the retention of personal data.

In addition to affecting the human rights of Internet users worldwide, proposals such as these have an impact on U.S. users as well. They risk subjecting consumers and businesses engaging in global Internet communications and commerce to potential surveillance, industrial espionage, or invasions of privacy. And they risk squelching the promise of the Internet as a medium that promotes the free flow of information and the exchange of democratic ideas.

The U.S. has been a force for democratic values, individual liberty, and human rights worldwide. There is a real risk now that cybercrime efforts here and abroad will threaten these very values. It is important that we continue to be an example and resist the temptation to implement cybercrime proposals that would jeopardize the promise of the Internet to promote liberty.

The Need for Enhanced Privacy Protections

Considering the broad sweep of the digital revolution, it is apparent that the major problem now is not that technology is outpacing government's ability to investigate crime, but, to the contrary, that changes in communications and computer technology have outpaced the privacy protections in our laws. Technology is making ever-increasing amounts of information available to government under minimal standards falling far short of Fourth Amendment protections. Gabs in our surveillance laws leave information unprotected, or create ambiguities, ultimately harming public faith in law enforcement and undermining public trust in the online activities that have become such an important part of the digital age.

While improvements to security, technology, or corporate policies to promote privacy can come from the private sector, only legislation can update the legal framework governing electronic surveillance and privacy. Companies can adopt great privacy practices about the disclosure of information, but they have little choice but to produce sensitive data they hold when presented with a lawful order. Consumers and businesses increasingly recognize that only legislation can provide adequate privacy protections for such information and these protections themselves can be a key enabler of trust and security online.

Congress should adopt a comprehensive legislative approach to cybercrime that recognizes the urgent need for additional privacy protections. The Congress could start by taking up the helpful changes to surveillance law developed and passed by the House Judiciary Committee in the last Congress, under H.R. 5018, including:

· Provide heightened protections for access to wireless location information, requiring a judge to find probable cause to believe that a crime has been or is being committed. Today tens of millions of Americans are carrying (or driving) mobile devices that could be used to create a detailed dossier of their movements over time - with little clarity over how that information could be accessed and without an appropriate legal standard for doing so.

· Increase the standard for use of pen registers and trap and trace devices, requiring a judge to at least find that specific and articulable facts reasonably indicate criminal activity and that the information to be collected is relevant to the investigation of such conduct.

· Add electronic communications to the Title III exclusionary rule in 18 USC ß2515 and add a similar rule to the section 2703 authority. This would prohibit the use in any court or administrative proceeding of email or other Internet communications intercepted or seized in violation of the privacy standards in the law.

Require a judicial warrant for government seizure of read or unread email stored with a service provider for up to one year. (Currently, the warrant requirement applies for only 180 days, and the government has maintained that it could obtain email with a mere subpoena as soon as it is opened, no matter how recent it is.)

· Require statistical reports for ß2703 disclosures, similar to those required by Title III.

Require high level Justice Department approval for applications to intercept electronic communications, as is currently required for interceptions of wire and oral communications.

In addition, other issues - some of broader scope - need to be addressed:

· Define and limit what personal information is disclosed to the government under a pen register or trap and trace order served on Internet service providers. Transactional or addressing data for electronic communications like email and Web browsing can be much more revealing than telephone numbers dialed.

· Define clearly what transactional information can be collected on Internet communications and under what standard, making it clear that Internet queries are content, which cannot be disclosed without consent or a probable cause order.

· Improve the notice requirement under ECPA to ensure that consumers receive notice whenever the government obtains information about their Internet transactions.

· Provide enhanced protection for personal information on networks: probable cause for seizure without prior notice, and a meaningful opportunity to object for subpoena access.

· Require notice and an opportunity to object when civil subpoenas seek personal information about Internet usage.

The bills put before this Committee last year were efforts towards a modest improvement in privacy protections without in any way denying the government any investigative tools. They should serve as a starting point, and we hope that Members will consider reintroducing them in the near future and begin to address the privacy concerns of many Americans and the imbalance that exists in today's electronic surveillance laws.

4. Conclusion

The issue of cybercrime appropriately demands public attention and real, but limited, involvement by government. More broadly, it speaks to the need for modernization of our surveillance laws and greater privacy protections to counteract new threats to privacy online.

Protecting national security and public safety in this digital age is a major challenge and priority for our country. On balance, however, we believe that new sources of data and new tools available will prove to be of great benefit to government surveillance and law enforcement. These new technologies are likely to make law enforcementís job harder in some ways. There is no doubt that resources will be needed to deal with change as the Internet alters traditional methods of crime fighting and information gathering.

The real cybercrime risk is that concerns about public safety will become a justification for sweeping new surveillance proposals or design mandates that destroy the best features of innovation and freedom on the global, open Internet. It is essential that we offer a measured response to these concerns, and urgently take up the need to reform privacy protections in the electronic surveillance laws.

House Rule XI, Clause 2(g)(4) Disclosure: Neither Alan Davidson nor CDT has received any federal grant, contract, or subcontract in the current or preceding two fiscal years.