

Statement Of Sen. Patrick Leahy,
Ranking Member, Senate Judiciary Committee
Hearing On The ‘Carnivore’ Controversy:
Electronic Surveillance And Privacy In The Digital Age

Wednesday, September 6, 2000

We will talk today about ISPs and URLs and other new language of the Internet age, but fundamentally we are continuing a 200-year-old conversation about how we assure the right of the American people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures. This is both the promise and the mandate of our Constitution’s Fourth Amendment.

The means by which law enforcement authorities may gain access to a person’s private “effects” is no longer limited by physical proximity, as it was in the time of the Framers. New communications methods and surveillance devices have dramatically expanded the opportunities for surreptitious law enforcement access to private messages and records from remote locations. In short, new communications technologies pose both benefits and challenges to privacy and law enforcement. The Congress has worked successfully in the past to mediate this tension with a combination of stringent procedures for law enforcement access to our communications and legal protections to maintain their privacy and confidentiality, whether they occur in person or over the telephone, fax machine or computer. In 1968, the Congress passed comprehensive legislation authorizing government interception, under carefully defined circumstances, of voice communications over telephones or in person in Title III of the Omnibus Crime Control and Safe Streets Act.

We returned to this important area in 1986, when we passed the Electronic Communications Privacy Act (ECPA), which I was proud to sponsor, that outlined procedures for law enforcement access to electronic mail systems and remote data processing systems, and that provided important privacy safeguards for computer users. ECPA also set forth the procedures for use, application and issuance of orders for pen registers and trap and trace devices that were to be used to identify the numbers dialed from a particular telephone line or the originating number of an incoming telephone call, respectively. As the Committee’s report on ECPA makes clear, these pen register and trap and trace orders were not to be used “to identify or record the contents of the communication.” [Senate Comm. On the Judiciary, “Electronic Communications Privacy Act of 1986”, S. Rep. No. 99-541, 99th Cong., 2d Sess. at p. 46 (1986).]

This hearing will explore where the FBI’s use of the new surveillance tool called “Carnivore” fits into that mix.

As I understand this surveillance tool, Carnivore is a software program developed by the FBI and installed by the FBI at the physical premises of an Internet Service Provider to intercept Internet communications, in accordance with a court order. This court order may authorize capture of an entire communication, or it can be limited only to addressing information, akin to a pen register order for a telephone line. Carnivore is sufficiently versatile that the FBI can use the same program to accommodate variations in court order authorizations. I want to hear more about how the Carnivore program works, the precise kind of information the program produces to the FBI, and what controls the FBI has in place when Carnivore is used to ensure the program is operated only as authorized by the applicable court order.

Certainly, some of the concern over the FBI’s use of Carnivore stems from the fact that the Carnivore program is not “freeware” available for download and public scrutiny. I commend the Attorney General for her efforts to address this concern and for moving forward to hire an independent contractor to conduct a technical review of the surveillance program. This is a constructive step to move beyond hypothetical discussions of Carnivore’s theoretical capabilities to focus on the facts. At the outset, let us be clear where there is no dispute. There is no dispute that the stringent legal requirements governing wiretaps apply to Carnivore when it is used to capture the content of e-mails or other computer transmissions. There is also no dispute that both the text and the subject line of an e-mail message are “content” which law enforcement may intercept only under a wiretap order. But fundamental questions remain about when the FBI chooses to use Carnivore, how the program works, and whether the legal standards that apply to its use are adequate.

First, telephone companies regularly comply with wiretap and other legitimate surveillance orders, as do Internet Service Providers. But if the trail of a criminal investigation leads to evidence in the custody of an Internet Service Provider that lacks the capability or willingness to conduct the interception as required in a court order, most of us agree that law enforcement authorities should not be stymied but should have the authority to pursue the trail.

Indeed, it has been a long-standing tenet codified in the wiretap and pen register laws that providers of telephone services must furnish law enforcement officials with “all information, facilities and technical assistance necessary to accomplish” the interception or installation of the pen register device unobtrusively and with a minimum of interference with the service being provided to the person whose communications are to be intercepted. [18 U.S.C. § 2518(4) and 3124(a).] Carnivore was apparently created for use in just this circumstance – where the ISP is unable to assist directly in execution of the court-ordered surveillance.

We want to hear today about whether use of Carnivore is limited to only that circumstance and what effect, if any, this use has on the integrity and function of the ISP.

As the principal Senate sponsor of the Communications Assistance for Law Enforcement Act (CALEA), I should note that we passed this law in 1994 to require telephone companies to be able to execute court orders for surveillance. That law was passed with the concurrence of the telecommunications industry, which wanted all participants to share the responsibilities and expenses of complying with such court orders. This law exempts “information services”, however, including most ISPs. Consequently, the FBI has developed its own program to fill the gap if a particular ISP is unable or unwilling to assist in execution of a court order for surveillance. This is preferable, in my view, to legislation requiring ISPs to ramp up to execute court orders.

Second, Carnivore apparently works by sifting through the Internet traffic of a particular ISP to capture the particular information or communication authorized by a court order. Privacy advocates are rightly concerned about whether Carnivore accesses too much – not only too much information about Internet users whose communications are not the subject of the court order, but also too much information about the communications that are the subject of the court order.

The Internet works by breaking communications down into separate packets that are reassembled at the destination point. The FBI says that, as a technical matter, Carnivore is able to find the different packets that make up a suspected criminal’s Internet message only by sifting through all the traffic. This is cold comfort to all the other Internet users, who are not the subject of any court ordered surveillance but nonetheless are having their Internet messages automatically screened by the FBI’s Carnivore program.

The FBI says that Carnivore can be used as the functional equivalent for the Internet of a pen register or trap and trace devices that provide information about the source or destination of a telephone call. Yet the addressing, or header, information on an Internet message may provide far more detail about the interests of the person sending the message than a dialed telephone number does. This prompts the question whether the same legal standard and procedure should apply to capturing Internet addressing information that applies to capturing telephone numbers.

Finally, Carnivore is like a car. It can be useful, or it can be abused. What counts are the rules of the road and the license we give the driver. I am interested in hearing from the witnesses today whether the surveillance rules we developed for the analogue telephone environment and for the pre-Internet computer environment are adequate to protect our current expectations of privacy when we go online.

I, for one, do not believe our current laws are adequate. That is why over a year ago I introduced the E-RIGHTS Act, S. 854, to update our laws and provide additional privacy protections for our online communications and records, including law enforcement access procedures and standards that are more in keeping with our current privacy expectations.

For example, a critical privacy issue confronting us today is the procedure by which law enforcement authorities obtain pen register and trap and trace orders. The controversy over Carnivore puts the shortcomings of that procedure in stark relief. Under current law, federal judges are no more than rubber stamps who are required to issue pen register or trap and trace orders whenever a prosecutor asks for them. Federal judges have no authority to ask “why” and to make sure that requested surveillance is necessary and justified. The E-RIGHTS Act proposes a procedure that would permit judges to ask for and get reasons for the surveillance. The Administration has recently transmitted proposed legislation that would modify this procedure in a fashion similar to the one I originally proposed.

I am a strong proponent of the Internet and a defender of our constitutional rights to speak freely and to keep private our confidential affairs from either private sector snoops or unreasonable government searches. These principles can and must be respected when law enforcement agencies use surveillance tools to uncover and hold accountable criminal wrongdoers. I look forward to hearing from the witnesses today about whether Carnivore oversteps these bounds.
