Statement Of Sen. Patrick Leahy,
Ranking Member, Senate Judiciary Committee
Hearing On The ‘Carnivore’ Controversy:
Electronic Surveillance And Privacy In The Digital Age”
Wednesday, September 6, 2000
We will talk today about ISPs and URLs and other new language of the Internet
age, but fundamentally we are continuing a 200-year-old conversation about how
we assure the right of the American people to be secure in their persons,
houses, papers and effects, against unreasonable searches and seizures. This is
both the promise and the mandate of our Constitution’s Fourth Amendment.
The means by which law enforcement authorities may gain access to a
person’s private “effects” is no longer limited by physical proximity, as
it was in the time of the Framers. New communications methods and surveillance
devices have dramatically expanded the opportunities for surreptitious law
enforcement access to private messages and records from remote locations. In
short, new communications technologies pose both benefits and challenges to
privacy and law enforcement. The Congress has worked successfully in the past to
mediate this tension with a combination of stringent procedures for law
enforcement access to our communications and legal protections to maintain their
privacy and confidentiality, whether they occur in person or over the telephone,
fax machine or computer. In 1968, the Congress passed comprehensive legislation
authorizing government interception, under carefully defined circumstances, of
voice communications over telephones or in person in Title III of the Omnibus
Crime Control and Safe Streets Act.
We returned to this important area in 1986, when we passed the Electronic
Communications Privacy Act (ECPA), which I was proud to sponsor, that outlined
procedures for law enforcement access to electronic mail systems and remote data
processing systems, and that provided important privacy safeguards for computer
users. ECPA also set forth the procedures for use, application and issuance of
orders for pen registers and trap and trace devices that were to be used to
identify the numbers dialed from a particular telephone line or the originating
number of an incoming telephone call, respectively. As the Committee’s report
on ECPA makes clear, these pen register and trap and trace orders were not to be
used “to identify or record the contents of the communication.” [Senate
Comm. On the Judiciary, “Electronic Communications Privacy Act of 1986",
S. Rep. No. 99-541, 99th Cong., 2d Sess. at p. 46 (1986).]
This hearing will explore where the FBI’s use of the new surveillance tool
called “Carnivore” fits into that mix.
As I understand this surveillance tool, Carnivore is a software program
developed by the FBI and installed by the FBI at the physical premise of an
Internet Service Provider to intercept Internet communications, in accordance
with a court order. This court order may authorize capture of an entire
communication, or it can be limited only to addressing information, akin to a
pen register order for a telephone line. Carnivore is sufficiently versatile
that the FBI can use the same program to accommodate variations in court order
authorizations. I want to hear more about how the Carnivore program works, the
precise kind of information the program produces to the FBI, and what controls
the FBI has in place when Carnivore is used to insure the program is operated
only as authorized by the applicable court order.
Certainly, some of the concern over the FBI’s use of Carnivore stems from
the fact that the Carnivore program is not “freeware” available for download
and public scrutiny. I commend the Attorney General for her efforts to address
this concern and for moving forward to hire an independent contractor to conduct
a technical review of the surveillance program. This is constructive step to
move beyond hypothetical discussions of Carnivore’s theoretical capabilities
to focus on the facts. At the outset, let us be clear where there is no dispute.
There is no dispute that the stringent legal requirements governing wiretaps
apply to Carnivore when it is used to capture the content of e-mails or other
computer transmissions. There is also no dispute that both the text and the
subject line of an e-mail message are “content” which law enforcement may
intercept only under a wiretap order. But fundamental questions remain about
when the FBI chooses to use Carnivore, how the program works, and whether the
legal standards that apply to its use are adequate.
First, telephone companies regularly comply with wiretap and other legitimate
surveillance orders, as do Internet Service Providers. But if the trail of a
criminal investigation leads to evidence in the custody of an Internet Service
Provider that lacks the capability or willingness to conduct the interception as
required in a court order, most of us agree that law enforcement authorities
should not be stymied but should have the authority to pursue the trail.
Indeed, it has been a long-standing tenet codified in the wiretap and pen
register laws that providers of telephone services must furnish law enforcement
officials with “all information, facilities and technical assistance necessary
to accomplish” the interception or installation of the pen register device
unobtrusively and with a minimum of interference with the service being provided
to the person whose communications are to be intercepted.” [18 U.S.C. §
2518(4) and 3124(a).] Carnivore was apparently created for use in just this
circumstance – where the ISP is unable to assist directly in execution of the
court-ordered surveillance.
We want to hear today about whether use of Carnivore is limited to only that
circumstance and what effect, if any, this use has on the integrity and function
of the ISP.
As the principal Senate sponsor of the Communications Assistance for Law
Enforcement Act (CALEA), I should note that we passed this law in 1994 to
require telephone companies to be able to execute court orders for surveillance.
That law was passed with the concurrence of the telecommunications industry,
which wanted all participants to share the responsibilities and expenses of
complying with such court orders. This law exempts “information services”,
however, including most ISPs. Consequently, the FBI has developed its own
program to fill the gap if a particular ISP is unable or unwilling to assist in
execution of a court order for surveillance. This is preferable, in my view, to
legislation requiring ISPs to ramp up to execute court orders. Second, Carnivore
apparently works by sifting through the Internet traffic of a particular ISP to
capture the particular information or communication authorized by a court order.
Privacy advocates are rightly concerned about whether Carnivore accesses too
much – not only too much information about Internet users whose communications
are not the subject of the court order, but also too much information about the
communications that are the subject of the court order.
The Internet works by breaking communications down into separate packets that
are reassembled at the destination point. The FBI says that, as a technical
matter, Carnivore is able to find the different packets that make up a suspected
criminal’s Internet message only by sifting through all the traffic. This is
cold comfort to all the other Internet users, who are not the subject of any
court ordered surveillance but nonetheless are having their Internet messages
automatically screened by the FBI’s Carnivore program.
The FBI says that Carnivore can be used as the functional equivalent for the
Internet of a pen register or trap and trace devices that provide information
about the source or destination of a telephone call. Yet the addressing, or
header, information on an Internet message may provide far more detail about the
interests of the person sending the message than a dialed telephone number does.
This prompts the question whether the same legal standard and procedure should
apply to capturing Internet addressing information that applies to capturing
telephone numbers.
Finally, Carnivore is a like a car. It can be useful, or it can be abused.
What counts are the rules of the road and the license we give the driver. I am
interested in hearing from the witnesses today whether the surveillance rules we
developed for the analogue telephone environment and for the pre-Internet
computer environment are adequate to protect our current expectations of privacy
when we go online.
I, for one, do not believe our current laws are adequate. That is why over a
year ago I introduced the E-RIGHTS Act, S. 854, to update our laws and provide
additional privacy protections for our online communications and records,
including law enforcement access procedures and standards that are more in
keeping with our current privacy expectations.
For example, a critical privacy issue confronting us today is the procedure
by which law enforcement authorities obtain pen register and trap and trace
orders. The controversy over Carnivore puts the shortcomings of that procedure
in stark relief. Under current law, federal judges are no more than rubber
stamps who are required to issue pen register or trap and trace orders whenever
a prosecutor asks for them. Federal judges have no authority to ask “why”
and to make sure that requested surveillance is necessary and justified. The
E-RIGHTS Act proposes a procedure that would permit judges to ask for and get
reasons for the surveillance. The Administration has recently transmitted
proposed legislation that would modify this procedure in a fashion similar to
the one I originally proposed.
I am a strong proponent of the Internet and a defender of our constitutional
rights to speak freely and to keep private our confidential affairs from either
private sector snoops or unreasonable government searches. These principles can
and must be respected when law enforcement agencies use surveillance tools to
uncover and hold accountable criminal wrongdoers. I look forward to hearing from
the witnesses today about whether Carnivore oversteps these bounds. # #
# # #
|