CONCERNING
THE "CARNIVORE" CONTROVERSY: ELECTRONIC SURVEILLANCE AND PRIVACY
IN THE DIGITAL AGE
PRESENTED ON
SEPTEMBER 6, 2000
Privacy and the Obligation to Provide Public Safety
Our obligation to the public to enforce the laws is not limited to activities in the physical world; our responsibilities to the citizens to preserve their safety continues where illegal conduct is committed on-line or facilitated by the Internet. The public rightfully expects, for example, that law enforcement will investigate and prosecute child molesters who prey on children using electronic mail or other Internet communications tools.
Similarly, of course, the duty of law enforcement to preserve privacy does not end where the Internet begins. The Fourth Amendment protects the rights of our citizens as we go on-line to work, learn and explore the Internet, just as the Fourth Amendment protects rights in the physical world. The goal of the Department is long-honored and noble: we must preserve the privacy of our citizens while protecting their safety. History has taught us, and our founding fathers recognized, that our citizens’ liberty cannot thrive unless we can investigate, apprehend and prosecute those who engage in criminal conduct. At the same time, however, our founding fathers abhorred the disregard and abuse of privacy by the government in England. Privacy and public safety can be at odds in certain circumstances. The founders of this nation adopted the Fourth Amendment to address those situations. Under the Fourth Amendment, the government must demonstrate probable cause to a neutral magistrate before obtaining a warrant for a search, arrest, or other significant intrusion on privacy.
Congress and the courts have also recognized that less intrusive investigative steps should be permitted under a less exacting threshold. The Electronic Communications Privacy Act establishes a three-tier system by which the government can obtain stored information from electronic communication service providers. In general, the government needs a search warrant to obtain the content of unretrieved communications (like e-mail), a court order to obtain transactional records, and a subpoena to obtain information identifying the subscriber. See 18 U.S.C. §§ 2701-11.
In addition, to obtain information identifying who is sending or receiving communications to or from a particular suspect, the government must obtain a "trap and trace" or "pen register" court order authorizing the recording of such information. See 18 U.S.C. § 3121 et seq.
Because of the privacy values it protects, the wiretap statute, 18 U.S.C. §§ 2510-22, commonly known as Title III, places a higher burden on the real-time interception of oral, wire and electronic communications than even the Fourth Amendment requires. To listen to or record communications as they are happening, law enforcement must obtain a court order unless one of the specified statutory exceptions applies. To obtain such an order, the government must show that normal investigative techniques for obtaining the information have or are likely to fail or are too dangerous, and that any interception will be conducted so as to ensure that the intrusion is minimized. The Fourth Amendment and statutory restrictions on government access to information do not prevent effective law enforcement. Rather, they provide boundaries for law enforcement, clarifying what is acceptable evidence gathering and what is not.
Often, our obligations to enforce the law and our goal to preserve privacy are in complete harmony, such as when we apprehend and prosecute a criminal who has hacked into a computer containing the confidential records of others. In those instances where there is tension, we must find a proper balance. Law enforcement has a critical role to play in preserving privacy against intrusions by others. Although the primary mission of the Department of Justice is law enforcement, Attorney General Reno and the entire Department understand and share the legitimate concerns of all Americans with regard to personal privacy. If the Internet is to thrive and citizens’ confidence in the Internet is to remain high, we can abandon neither the goal of on-line privacy nor the goal of public safety.
The Department has been and will remain committed to protecting the privacy rights of individuals. We look forward to working with Congress and other concerned individuals to address these important matters in the months ahead.
Keeping the Peace in Cyberspace:
Although the Fourth Amendment is over two centuries old, the Internet as we know it is still in its infancy. The huge advances in communications technology over the past decade have forever altered the landscape of society worldwide. The Internet provides a new forum in which citizens can communicate, transfer information, engage in commerce, play and expand their educational opportunities. These are but a few of the wonderful benefits of this rapidly evolving technology. As has happened to every major technological advance, however, we are seeing individuals and groups use the Internet to commit crimes. As the Department has noted in the past, this nation’s vulnerability to computer crime is astonishingly high and threatens not only economic prosperity, but the privacy of our citizens and our country’s critical infrastructure.
Many of the crimes that we confront every day in the physical world are migrating to the on-line world. Crimes like death threats, extortion, fraud and child pornography have migrated with startling speed to the Internet. The Fourth Amendment and laws addressing privacy and public safety serve as the framework for law enforcement to respond to this new forum for criminal activity. If law enforcement fails properly to respect individual privacy in its investigative techniques, the public’s confidence in government will be eroded, evidence will be suppressed, and criminals will elude successful prosecution. If law enforcement is too timid in responding to cybercrime, however, we will, in effect, render cyberspace a safe haven for criminals and terrorists to communicate and carry out crime, without fear of authorized government surveillance. If we fail to make the Internet safe, people’s confidence in using the Internet and e-commerce will decline, endangering the very benefits brought by the Information Age. Proper balance is the key.
To meet our responsibilities to the public to enforce the laws and preserve the safety, we use the same sorts of investigative techniques and methods on-line as we do in the physical world, with the same careful attention to the strict constitutional, statutory, internal and court-ordered boundaries.
For example, if a man is suspected of luring children for sex, law enforcement must determine with whom the suspect is communicating. In the recent past, such communications would have been carried out exclusively by telephone. To find out who the suspect is communicating with, law enforcement would obtain an order from a court authorizing the installation of a "trap and trace" and a "pen register" device, and either the telephone company or law enforcement would have installed these devices to comply with the court’s order. Thereafter, the source and destination of calls would have been recorded. This is information that the Supreme Court has held is not subject to any reasonable expectation of privacy. Given the personal nature of this information, however, the law requires government to obtain an order under these circumstances. In this way, privacy is protected and law enforcement is able to investigate to protect the public.
Now, that same suspect is more likely to operate through e-mail or other kinds of online communications. In attempting to investigate the criminal activity, law enforcement can apply to a court for an order to obtain in real time the e-mail addresses of those persons with whom the suspect is communicating through or by e-mail. Law enforcement needs to be able to quickly identify the source and destination of such e-mails to fulfill its obligations to the victims in particular and the public generally. In the event that the investigation requires viewing the content of the e-mail – even just the subject line – then law enforcement must comply with strict internal FBI and Department guidelines, and the provisions of Title III of the Omnibus Crime Control and Safe Streets Act of 1968, 18 U.S.C. §§ 2510-2521.
At times, Internet service providers may be unable to use their own technology to comply with court orders directing them to supply source and destination information or the content of communications. Law enforcement cannot abdicate its responsibility to protect public safety simply because technology has changed. Rather, the public rightfully expects that law enforcement will continue to be effective as criminal activity migrates to the Internet.
It is for such a narrow set of circumstances that the FBI designed "Carnivore." When a criminal uses e-mail to send a kidnaping demand, to buy and sell illegal drugs or to distribute child pornography, law enforcement needs to know to whom he is sending messages and from whom he receives them. To get this information, we obtain a court order, which we serve on the appropriate service provider. Because of the nature of Internet communications, the addressing information (as opposed to the content of the communication itself) is often mixed in with other non-content data that we have no desire to gather. If the service provider can comply with the order and provide us with only the addressing information required by court order, it will do so and we will not employ any investigative tool.
Where the service provider cannot or will not comply with a court order to reveal addressing information or content of electronic communications, law enforcement must have some mechanism to obtain the information. It must have a tool that can obtain the information authorized by court order, and only that information. The tool should be configurable such that, for example, it can be set to gather only the e-mail addresses of those persons with whom the kidnapper is communicating, without allowing any human being, either from law enforcement or the service provider, to view private information outside of the scope of the court’s order. Such a tool automatically reduces the data collected to only that permitted by the court, thus allowing law enforcement strictly to comply with the order, and safeguarding the privacy of information outside the order. The FBI created Carnivore to be such a tool.
We have numerous mechanisms in place to prevent possible misuse of electronic surveillance tools. The Fourth Amendment, of course, restricts what law enforcement can do with the software, as do the statutory requirements of Title III and the Electronic Communications Privacy Act, and the implementing orders of the courts.
For federal Title III applications, the Department of Justice imposes its own guidelines on top of the privacy protections provided by the Constitution, statutes and the courts. For example, before Carnivore may be used to intercept the content of communications, the requesting investigative agency must obtain approval from the Department of Justice asking a court for a Title III order. The Office of Enforcement Operations in the Criminal Division of the Department reviews each proposed Title III application to ensure that the interception satisfies the protections of the Fourth Amendment and complies with applicable statutes and regulations. Even if the proposal clears the OEO, the application cannot go to a court without approval by a Deputy Assistant Attorney General or higher-level official in the Department. Although this requirement of high-level review is required by Title III only with regard to proposed intercepts of wire and oral communications, the Department voluntarily imposes the same level of review for proposed interceptions of electronic communications (except digital-display pagers). Typically, investigative agencies such as the Federal Bureau of Investigation have similar internal requirements, separate and apart from Constitutional, statutory or Department of Justice requirements.
If the investigative agency and the Department of Justice approve a federal Title III request, it still must, of course, be submitted to and approved by a court of proper jurisdiction. The court will evaluate the application under the Fourth Amendment and using the familiar standards of Title III. By statute, for example, the application to the court must show, through sworn affidavit, why the intercept is necessary as opposed to other less-intrusive investigative techniques. The application must also provide additional detail, including whether there have been previous interceptions of communications of the target, the identity of the target (if known), the nature and location of the communications facilities, and a description of the type of communications sought and the offenses to which the communications relate. By statute and internal Department regulation, the interception may last no longer than 30 days without an extension by the court.
Courts also often impose their own requirements. For example, many federal courts require that the investigators provide periodic reports setting forth information such as the number of communications intercepted, steps taken to minimize irrelevant traffic, and whether the interceptions have been fruitful. The court may, of course, terminate the interception at any time.
The remedies for violating Title III or ECPA by improperly intercepting electronic communications can include criminal sanctions, civil suit, and for law enforcement agents, adverse employment action. For violations of the Fourth Amendment, of course, the remedy of suppression is also available.
The Justice Department and law enforcement across this nation are committed to continuing to work together and with their counterparts in other countries to develop and implement investigative strategies to successfully track, apprehend, and prosecute individuals who conduct criminal activity on the Internet. In so doing, the same privacy standards that apply in the physical world remain effective online.
As the Committee is aware, the Administration recently transmitted to Congress a legislative proposal addressing various issues relating to cyber-security. Two portions of the bill relate directly to today's discussion. First, the Administration supports raising the statutory standards for intercepting the content of electronic communications so they are the same as those for intercepting telephone calls: high-level approval, use only in cases involving certain predicate offenses that are specified by statute, and statutory suppression of evidence derived from improper intercepts. Second, the Administration bill requires federal judges to confirm that the appropriate statutory predicates have been satisfied before issuing a pen register or trap-and-trace order. Those changes would apply to the use of Carnivore, and in important respects would simply confirm by statute the policies and procedures already followed by the Department of Justice. The Administration supports a balanced updating of laws to enhance protection of both privacy and public safety, and the bill contains important provisions that would be most helpful in the ongoing fight against cyber-crime.
We recognize that, notwithstanding the limited use of the software and the many protections in place, concerns remain about the computer program. To address those concerns, the Attorney General has asked for an independent technical review of Carnivore to evaluate whether it performs the functions it was designed to perform, and does so without any greater threat to privacy or to the smooth operation of private service providers than would be posed by any other system that allows compliance with the law relating to court-ordered interceptions. The technical reviewers will have whatever access they need to discharge their responsibilities, and their report will be made public to the maximum extent that is consistent with otherwise applicable law or contractual obligations and with preserving the continued effectiveness of the software as a law-enforcement tool. The report will also be reviewed by a high-level Departmental panel, chaired by the Assistant Attorney General for the Justice Management Division and including the Attorney General's Chief Science & Technology Advisor, the Department's Chief Privacy Officer, the Assistant Director of the FBI in charge of the Bureau's Laboratory Division, and me. That panel will consider the positions of interested parties, such as industry and privacy groups, concerning the technical review, and will report to the Attorney General.
Mr. Chairman, the Department of Justice takes privacy concerns seriously and takes a proactive leadership role in making cyberspace safer for all Americans. The cornerstone of our cybercrime prosecutor program is the Criminal Division’s Computer Crime and Intellectual Property Section, known as CCIPS. Founded in 1991 as the Computer Crime Unit, CCIPS became a Section in 1996. CCIPS has grown from five attorneys in 1996 to nineteen today, and we need more to keep pace with the demand for their expertise. The attorneys in CCIPS work closely on computer crime cases with Assistant United States Attorneys known as "Computer and Telecommunications Coordinators," or CTC’s, in U.S. Attorney’s Offices around the nation. Each CTC receives special training and equipment and serves as the district’s expert on computer crime cases. CCIPS and the CTC’s work together in prosecuting cases, spearheading training for local, state and federal law enforcement, working with international counterparts to address difficult international challenges, and providing legal and technical instruction to assist in the protection of this nation’s critical infrastructures. CCIPS also provides its expertise to the public through its Internet website, www.cybercrime.gov. We are very proud of the work these people do and we will continue to work diligently to help stop criminals from victimizing people online.
I also note that public education is an important component of the Attorney General’s strategy on combating computer crime. As she often notes, the same children who recognize that it is wrong to steal a neighbor’s mail or shoplift do not seem to understand that it is equally wrong to steal a neighbor’s e-mail or copy a proprietary software or music file without paying for it. To remedy this problem, the Department of Justice, together with the Information Technology Association of America (ITAA), has embarked upon a national campaign to educate and raise awareness of computer responsibility and to provide resources to empower concerned citizens. The "Cybercitizen Awareness Program" seeks to engage children, young adults, and others on the basics of critical information protection and security and on the limits of acceptable online behavior. The objectives of the program are to give children an understanding of cyberspace benefits and responsibilities, an awareness of consequences resulting from the misuse of the medium and an understanding of the personal dangers that exist on the Internet and techniques to avoid being harmed.
Conclusion:
Mr. Chairman, thank you again for allowing me this opportunity to address our efforts to fight crime on the Internet and preserve the privacy rights conferred by the Fourth Amendment and statute. The need to protect the privacy of our citizens from criminals as well as the government is a paramount consideration in all our activities. The public is undoubtedly concerned about their on-line privacy, and the potential for criminals, private industry, and the government to infringe upon it. The public is also deeply concerned about their safety and security when exploring and using the ever-expanding reaches of the Internet. By deterring and punishing those criminals who violate individual privacy, ensuring the ability of law enforcement to fight cyber-crime both promotes the safety and security of Internet users and enhances user privacy. The Department of Justice stands ready to work with the Members of this Committee and others to achieve these important goals.
Mr. Chairman, that concludes my prepared statement. I would be pleased to answer your questions.